Manage Service Account KVNO and Keytab

Ilia Ershov 126 Reputation points
2020-11-23T09:50:22.213+00:00

I have Windows Server 2016 domain with SQL Server installed on CentOS 7.
Based on the article https://learn.microsoft.com/en-us/sql/linux/sql-server-linux-active-directory-authentication?view=sql-server-ver15 I have successfully implemented domain integration using a keytab and a Managed Service Account. But I have a little misunderstanding of the following:

  1. How often does the managed service account password change? Does it depend on the "Domain member: Maximum machine account password age" group policy setting? I found the default rotation interval of 30 days.
  2. How will the Linux host deal with the service account password change? As I know, changing the password should increase the KVNO, but in that case the whole keytab file will be expired.

Accepted answer
  Thameur-BOURBITA 32,586 Reputation points
    2020-11-26T22:36:02.877+00:00

    Hi,

    > if MSA password change will increase KVNO and my keytab will be expired, why article declares that it is supported scenario?

    The Managed Service Account password changes every 30 days during the computer account password renewal when it's assigned to a domain-member Windows server, so the KVNO will increase automatically.
    In the case of a keytab, the keytab file should be used on a non-Windows computer, so the password can't be reset automatically because it's not assigned to a Windows member server; so the KVNO value doesn't change if it's not used on another Windows server.

    Please don't forget to mark this reply as the answer if it helps you to fix your issue.


3 additional answers

  1. CathyJi-MSFT 21,096 Reputation points Microsoft Vendor
    2020-11-24T07:41:44.31+00:00

    Hi @Ilia Ershov ,

    When creating the AD user, we suggest creating a new AD user with a password that never expires.

    If the password for the AD account is changed or the password for the account that the SPNs are assigned to is changed, you must update the keytab with the new password and Key Version Number (KVNO).

    Best regards,
    Cathy


    If the response is helpful, please click "Accept Answer" and upvote it.


  2. Ilia Ershov 126 Reputation points
    2020-11-24T08:43:53.617+00:00

    Hi @CathyJi-MSFT
    I have no questions about a common user account with a password that never expires. I'm referring to the official tutorial, which states that I can create a keytab for a Managed Service Account. And yes, this works. My question is: if the MSA password change will increase the KVNO and my keytab will be expired, why does the article declare that it is a supported scenario?


  3. Evgenij Smirnov 541 Reputation points
    2020-11-26T20:14:18.51+00:00

    Hi,

    A gMSA's password gets changed by the computers that the gMSA is assigned to. If you only use your gMSA on the Linux boxes and do not assign it to any Windows computer that is a member of AD, the password will not get changed and your keytab will not expire. If you share this gMSA with domain-joined Windows computers, then yes, as soon as they roll the password, your keytab will not allow you to authenticate anymore.

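As an added example (not code from the thread or from Microsoft's tutorial), here is a small Python check that parses `klist -kte` output and flags keytab entries whose KVNO has fallen behind the account's msDS-KeyVersionNumber in AD, which is exactly what happens when a Windows member rolls the MSA password. The keytab path, host, realm, account name and AD KVNO values are constructed for the example.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample of `klist -kte` output for a SQL Server on Linux keytab.
# Path, host, realm and account name are made up for this example.
KLIST_OUTPUT = """\
Keytab name: FILE:/var/opt/mssql/secrets/mssql.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 11/23/2020 09:50:22 MSSQLSvc/sqlhost.contoso.com:1433@CONTOSO.COM (aes256-cts-hmac-sha1-96)
   2 11/23/2020 09:50:22 MSSQLSvc/sqlhost.contoso.com:1433@CONTOSO.COM (aes128-cts-hmac-sha1-96)
   2 11/23/2020 09:50:22 mssql-svc$@CONTOSO.COM (aes256-cts-hmac-sha1-96)
"""

# Constructed msDS-KeyVersionNumber values as read from AD (e.g. with ldapsearch
# or Get-ADServiceAccount). 3 means the password rolled once after the keytab
# above was generated.
AD_KVNO: Dict[str, int] = {
    "mssql-svc$@CONTOSO.COM": 3,
    "MSSQLSvc/sqlhost.contoso.com:1433@CONTOSO.COM": 3,
}

class KeytabEntry(NamedTuple):
    kvno: int
    principal: str
    enctype: str

# KVNO, date, time, principal, "(enctype)"; header and separator lines do not match.
_ENTRY_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\((\S+)\)\s*$")

def parse_klist(text: str) -> List[KeytabEntry]:
    """Extract (kvno, principal, enctype) tuples from `klist -kte` output."""
    entries = []
    for line in text.splitlines():
        m = _ENTRY_RE.match(line)
        if m:
            entries.append(KeytabEntry(int(m.group(1)), m.group(2), m.group(3)))
    return entries

def stale_entries(entries: List[KeytabEntry], ad_kvno: Dict[str, int]) -> List[str]:
    """One report line per keytab key that is behind AD and so cannot decrypt
    service tickets any more; an empty list means the keytab is still current."""
    report = []
    for e in entries:
        current = ad_kvno.get(e.principal)
        if current is None:
            report.append(f"{e.principal}: no KVNO found in AD (check the SPN/account)")
        elif e.kvno < current:
            report.append(f"{e.principal} ({e.enctype}): keytab KVNO {e.kvno} < AD KVNO "
                          f"{current}, regenerate the keytab")
    return report
```

In practice the AD side of the comparison would be fed from the account's msDS-KeyVersionNumber attribute, and the check could be scheduled so a rolled password is noticed before SQL Server logins start failing.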