What is a Managed Service Account?
A Managed Service Account (MSA) is a special Active Directory account type for running services, IIS application pools and scheduled tasks, and for accessing databases such as SQL Server. The key idea is that Active Directory itself generates and rotates the account's password; no administrator ever sets or knows it.
MSAs use a randomly generated 240-byte password that Active Directory rotates automatically (every 30 days by default). They are designed for Kerberos authentication and support AES encryption types; NTLM is not disabled for them, but the long random password cannot be guessed or cracked, which removes most of the practical risk of NTLM-based attacks. Interactive logon is not permitted, so the password is never typed by a person, and the host fetches the current password from Active Directory itself, so it never has to be written into a configuration file or handled by an administrator.
The advantage of MSAs is that you no longer need to create ordinary service user accounts in Active Directory (AD) and manage their passwords for services, IIS application pools or unattended jobs. This removes the administrative overhead and the risk of a hard-coded or expiring password.
A standalone MSA has one limitation: it is bound to a single computer and cannot be used by failover clusters or Network Load Balancing (NLB) services. Windows Server 2012 introduced Group Managed Service Accounts (gMSAs) to remove this limitation; a gMSA can be used on several hosts at the same time, which gives much more flexibility in how service accounts are deployed.
We strongly recommend setting up an MSA (or gMSA) in your Active Directory environment and using it for SurePassID database access. This improves security and removes the account-expiry and password-rotation problems that come with ordinary SQL or domain service accounts.
Another option for protecting database credentials is Microsoft Azure Key Vault, which SurePassID also supports. Choose between the two based on your company's infrastructure topology.
All versions of SurePassID support MSAs.
Setting up for the use of MSAs in Active Directory
Before adding an MSA to any SurePassID product, create the Managed Service Account in AD. Microsoft's documentation describes how to configure this in your environment.
If you prefer to create the MSA with PowerShell, a third-party article covers that procedure in detail.
For enabling and configuring an MSA for SQL Server, see the referenced article on that topic.
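The following PowerShell is an added example of creating a gMSA for the SurePassID services and installing it on the web host; it is not SurePassID's own script and is not from the page. The account name, DNS name, host name and SPN are placeholders (assumptions). Run it as a Domain Admin with the ActiveDirectory RSAT module; the final two cmdlets must run on the host that will use the account.

```powershell
# Added example: create a gMSA and install it on the host that will run the
# SurePassID IIS sites. All names below are assumptions; replace them.
Import-Module ActiveDirectory

$gmsaName = 'spasSvc'                     # resulting account is DOMAIN\spasSvc$
$dnsHost  = 'spasSvc.corp.example'        # DNS host name recorded on the gMSA
$hosts    = @('SPAS-WEB01$')              # computers allowed to retrieve the password
$spn      = @('HTTP/spas.corp.example')   # only needed for Kerberos to the web site

# 1. One KDS root key per forest. In a lab, backdating the effective time
#    skips the default 10-hour wait; in production use -EffectiveImmediately
#    and allow replication to complete before creating the account.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10)) | Out-Null
}

# 2. Create the gMSA. Password retrieval is restricted to the listed hosts,
#    only AES Kerberos keys are issued, and the password interval is 30 days
#    (it can only be set at creation time).
New-ADServiceAccount -Name $gmsaName `
    -DNSHostName $dnsHost `
    -PrincipalsAllowedToRetrieveManagedPassword $hosts `
    -KerberosEncryptionType AES128,AES256 `
    -ServicePrincipalNames $spn `
    -ManagedPasswordIntervalInDays 30

# 3. On each host in $hosts: fetch the managed password into LSA and verify.
#    Test-ADServiceAccount returns $true only if this host can retrieve it;
#    a host added to the allowed list needs a reboot (or klist purge) first.
Install-ADServiceAccount -Identity $gmsaName
if (-not (Test-ADServiceAccount -Identity $gmsaName)) {
    throw "This host cannot retrieve the managed password for $gmsaName; check -PrincipalsAllowedToRetrieveManagedPassword and refresh the host's Kerberos ticket."
}
```

If SQL Server runs on a different machine from IIS, nothing needs to be installed there: the SQL login in the next section simply references the account by name.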
Setting up a gMSA for SQL Server and the SurePassID Database
1) Before making any product-specific changes, add a login to your SQL Server instance for the MSA you created, using SQL Server Management Studio. Add it as a Windows login, map it to the SurePassID database and make it a member of the db_owner role. Grant db_owner on the SurePassID database only; the account does not need server-level roles such as sysadmin.
2) Once the switch has been tested, disable and then remove the original SQL "SPUser" login created by the SPAS installer; it is no longer used once SurePassID authenticates with the MSA.
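The same two steps in PowerShell, as an added example rather than SurePassID's own tooling: it creates the SQL Server login for the gMSA, maps it into the database as db_owner, verifies the membership, and disables the installer's "SPUser" login before it is dropped. The instance name, database name and gMSA name are assumptions; the SqlServer module (Install-Module SqlServer) is required.

```powershell
# Added example: grant the gMSA db_owner on the SurePassID database and
# retire SPUser. Instance, database and account names are assumptions.
Import-Module SqlServer

$instance = 'SQL01'
$database = 'SurePassID'
$gmsa     = 'CORP\spasSvc$'   # Windows login name; the trailing $ is part of it

$setup = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$gmsa')
    CREATE LOGIN [$gmsa] FROM WINDOWS;
USE [$database];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$gmsa')
    CREATE USER [$gmsa] FOR LOGIN [$gmsa];
ALTER ROLE db_owner ADD MEMBER [$gmsa];
"@
Invoke-Sqlcmd -ServerInstance $instance -Query $setup

# Verification: db_owner on this database, and no server-wide sysadmin rights.
$check = Invoke-Sqlcmd -ServerInstance $instance -Database $database -Query @"
SELECT IS_ROLEMEMBER('db_owner', N'$gmsa')    AS IsDbOwner,
       IS_SRVROLEMEMBER('sysadmin', N'$gmsa') AS IsSysAdmin;
"@
if ($check.IsDbOwner -ne 1) { throw "$gmsa is not a db_owner member of $database" }
if ($check.IsSysAdmin -eq 1) { Write-Warning "$gmsa is a sysadmin; that server role is not needed" }

# Retire SPUser in two steps: disable it first so anything still using it
# fails visibly, and drop it only after every SurePassID site has been
# switched to the gMSA and tested.
Invoke-Sqlcmd -ServerInstance $instance -Query "ALTER LOGIN [SPUser] DISABLE;"
# Later, once confirmed nothing else authenticates as SPUser:
# Invoke-Sqlcmd -ServerInstance $instance -Database $database -Query "DROP USER [SPUser];"
# Invoke-Sqlcmd -ServerInstance $instance -Query "DROP LOGIN [SPUser];"
```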
Using an MSA with SurePassID Authentication Server
1) To configure the SurePassID Authentication Server to use an MSA, open web.config (default path for 23.1 versions: C:\Program Files (x86)\SurePassID Corp\SurePassID Authentication Server 23.1\MfaServer) and set the following values:
- Connection.Username value=[blank]
- Connection.Password value=[blank]
- Connection.AuthenticationMethod value=1
2) Locate the <connectionStrings> section of the same web.config file and modify the following values so that the connection uses Windows authentication:
- integrated security=TRUE
- UID=[blank]
- PWD=[blank]
3) Open the IIS Application Pool for the SurePassID Authentication MFA Server and select Advanced Settings
4) Update the Identity section and select Custom account
5) Enter the name of your gMSA account and update your settings
6) Enter the managed service account as DOMAIN\name$ (the trailing "$" is part of the account name). No password is required, and IIS will not let you enter one: the worker process retrieves the managed password from Active Directory itself.
Using an MSA with SurePassID SAML2
1) To switch the SurePassID SAML2 site to an MSA, open the web.config of the SAML2 IdP (default path for 23.1 versions: C:\Program Files (x86)\SurePassID Corp\SurePassID Authentication Server 23.1\Saml2Idp) and, in the SPAS appsecrets section, set the following values:
- Connection.Username value=[blank]
- Connection.Password value=[blank]
- Connection.AuthenticationMethod value=1
2) Open the IIS Application Pool for the SurePassID SAML2 site and select Advanced Settings
3) Update the Identity section and select Custom account
4) Enter the name of your gMSA account (DOMAIN\name$) and update your settings
Using an MSA with SurePassID FIDO2 Server
1) To configure the SurePassID FIDO2 Server to use an MSA, open appsettings.local.json in the FIDO2 folder (default path for 23.1 versions: C:\Program Files (x86)\SurePassID Corp\SurePassID Authentication Server 23.1\Fido2Server) and make the following changes:
2) Locate the connectionStrings section of appsettings.local.json and modify the following values so that the connection uses Windows authentication:
- Integrated Security=TRUE
- UID=[blank]
- PWD=[blank]
3) Change the identity of the FIDO2 application pool in the IIS Manager console in the same way as for the MFA and SAML2 sites above.
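The three per-site procedures above (Authentication Server, SAML2 and FIDO2) are the same change applied to two file formats plus an application pool. The PowerShell below is an added example that scripts all of it; it is not SurePassID's own tooling. It assumes the Connection.* keys are stored as `<add key="..." value="..."/>` entries in web.config, that appsettings.local.json has a top-level ConnectionStrings object, and that the paths and application pool names shown are correct for your installation; check each before running, since the pool names in particular are assumptions.

```powershell
# Added example: switch the SurePassID sites from the SQL "SPUser" login to
# the gMSA. Paths, pool names and the config layout are assumptions.
# Run elevated on the IIS host; requires the WebAdministration module.
Import-Module WebAdministration
Add-Type -AssemblyName System.Data

$gmsa = 'CORP\spasSvc$'   # assumed gMSA; the trailing $ is required

function ConvertTo-IntegratedConnectionString([string]$cs) {
    # Rewrite a SQL connection string to Windows authentication. Removing
    # UID/PWD has the same effect as leaving them blank as the steps describe.
    $b = New-Object System.Data.SqlClient.SqlConnectionStringBuilder($cs)
    [void]$b.Remove('User ID'); [void]$b.Remove('Password')
    $b.IntegratedSecurity = $true
    return $b.ConnectionString
}

function Set-WebConfigToGmsa([string]$path) {
    # web.config layout used by the MFA and SAML2 sites. XPath finds the
    # Connection.* keys whichever appSettings/appsecrets section holds them.
    Copy-Item -LiteralPath $path -Destination "$path.bak"        # rollback copy
    $xml = [xml](Get-Content -LiteralPath $path -Raw)
    foreach ($k in 'Connection.Username', 'Connection.Password') {
        foreach ($n in $xml.SelectNodes("//add[@key='$k']")) { $n.value = '' }
    }
    foreach ($n in $xml.SelectNodes("//add[@key='Connection.AuthenticationMethod']")) {
        $n.value = '1'
    }
    foreach ($n in $xml.SelectNodes('//connectionStrings/add')) {
        $n.connectionString = ConvertTo-IntegratedConnectionString $n.connectionString
    }
    $xml.Save($path)
}

function Set-JsonConfigToGmsa([string]$path) {
    # appsettings.local.json layout used by the FIDO2 site. ConvertTo-Json
    # re-serialises the whole file, so review the diff against the .bak copy.
    Copy-Item -LiteralPath $path -Destination "$path.bak"
    $j = Get-Content -LiteralPath $path -Raw | ConvertFrom-Json
    foreach ($p in $j.ConnectionStrings.PSObject.Properties) {
        $p.Value = ConvertTo-IntegratedConnectionString $p.Value
    }
    $j | ConvertTo-Json -Depth 10 | Set-Content -LiteralPath $path -Encoding UTF8
}

function Set-AppPoolToGmsa([string]$pool, [string]$account) {
    # identityType 3 = SpecificUser. No password is given for a gMSA; IIS
    # obtains it from Active Directory when the worker process starts.
    Set-ItemProperty "IIS:\AppPools\$pool" -Name processModel `
        -Value @{ userName = $account; identityType = 3 }
    Restart-WebAppPool -Name $pool
}

$base = 'C:\Program Files (x86)\SurePassID Corp\SurePassID Authentication Server 23.1'
Set-WebConfigToGmsa  "$base\MfaServer\web.config"
Set-WebConfigToGmsa  "$base\Saml2Idp\web.config"
Set-JsonConfigToGmsa "$base\Fido2Server\appsettings.local.json"

# Application pool names are assumptions; list them with Get-ChildItem IIS:\AppPools.
foreach ($pool in 'SurePassID Authentication MFA Server', 'SurePassID SAML2', 'SurePassID FIDO2') {
    Set-AppPoolToGmsa $pool $gmsa
}
```

After the pools restart, confirm each worker process is running as the gMSA (for example with Get-ChildItem IIS:\AppPools or by checking the w3wp.exe user in Task Manager) and that each site can reach its database before disabling the SPUser login in SQL Server.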