Group Managed Service Accounts Overview
Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016
This topic for the IT professional introduces the group Managed Service Account by describing practical applications, changes in Microsoft's implementation, and hardware and software requirements.
A standalone Managed Service Account (sMSA) is a managed domain account that provides automatic password management, simplified service principal name (SPN) management and the ability to delegate the management to other administrators. This type of managed service account (MSA) was introduced in Windows Server 2008 R2 and Windows 7.
The group Managed Service Account (gMSA) provides the same functionality within the domain but also extends that functionality across multiple servers. When connecting to a service hosted on a server farm, such as a Network Load Balancing solution, the authentication protocols that support mutual authentication require that all instances of the service use the same principal. When a gMSA is used as that service principal, the Windows operating system manages the password for the account instead of relying on the administrator to manage it.
The Microsoft Key Distribution Service (kdssvc.dll) provides the mechanism to securely obtain the latest key, or a specific key identified by a key identifier, for an Active Directory account. The Key Distribution Service holds a root secret (the KDS root key) from which keys for the account are derived; these keys are changed periodically. For a gMSA, the domain controller computes the password from the key provided by the Key Distribution Service together with other attributes of the gMSA. Member hosts that are authorized to retrieve the password can obtain the current and preceding password values by contacting a domain controller.
gMSAs provide a single identity solution for services running on a server farm, or on systems behind a Network Load Balancer. With a gMSA, services are configured for the gMSA principal and password management is handled by Windows.
Using a gMSA, services or service administrators do not need to manage password synchronization between service instances. The gMSA supports hosts that are kept offline for an extended period, and it supports management of the member hosts for all instances of a service. This means you can deploy a server farm that presents a single identity to which existing client computers can authenticate without knowing which instance of the service they are connecting to.
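The provisioning flow that the preceding paragraphs describe, as an added PowerShell example that is not part of the original article: it creates the KDS root key once, groups the farm hosts that are allowed to retrieve the password, creates one gMSA that every farm instance shares, and provides the check to run on each member host. The account, group, host and DNS names are assumptions, the backdated root key is for a single-DC lab only, and the ActiveDirectory module (RSAT) plus rights to create accounts in the domain are required.

```powershell
# Added example (not from the original article). Names below are assumptions.
Import-Module ActiveDirectory

$gmsaName  = 'svc-webfarm'            # assumed account name; stored as svc-webfarm$
$dnsName   = 'webfarm.corp.example'   # assumed farm/VIP name that clients connect to
$hostGroup = 'WebFarm-Hosts'          # assumed security group of farm members
$members   = 'WEB01', 'WEB02'         # assumed farm member computer names

# 1. One-time per forest: create the KDS root key from which kdssvc derives
#    gMSA passwords. By default the key becomes usable only after 10 hours so
#    that it replicates to every DC. The backdated -EffectiveTime below skips
#    that wait and is acceptable in a single-DC lab only; in production run
#    Add-KdsRootKey without it and wait.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10)) | Out-Null
}

# 2. Group the farm hosts. Only members of this group may retrieve the
#    managed password, so membership is the authorization boundary.
if (-not (Get-ADGroup -Filter "Name -eq '$hostGroup'")) {
    New-ADGroup -Name $hostGroup -GroupScope Global -GroupCategory Security | Out-Null
}
Add-ADGroupMember -Identity $hostGroup -Members ($members | ForEach-Object { Get-ADComputer $_ })

# 3. Create the gMSA. All farm instances use this one principal, so the SPN
#    names the farm, not an individual host. AES is set explicitly because a
#    missing msDS-SupportedEncryptionTypes value makes the DC fall back to RC4.
#    ManagedPasswordIntervalInDays can only be chosen at creation time.
New-ADServiceAccount -Name $gmsaName `
    -DNSHostName $dnsName `
    -ServicePrincipalNames "HTTP/$dnsName" `
    -PrincipalsAllowedToRetrieveManagedPassword $hostGroup `
    -KerberosEncryptionType AES128, AES256 `
    -ManagedPasswordIntervalInDays 30

# 4. Run this function locally on each farm member after rebooting it. The
#    reboot gives the computer account a fresh Kerberos ticket that carries
#    the new group membership; without it, password retrieval is denied.
#    Test-ADServiceAccount returns $true when the host can fetch the password.
function Test-GmsaOnThisHost {
    param([string]$SamAccountName = "$gmsaName`$")
    Install-ADServiceAccount -Identity $SamAccountName
    Test-ADServiceAccount -Identity $SamAccountName
}
```

Run steps 1 to 3 from an administrative workstation and call `Test-GmsaOnThisHost` on each member rather than through Invoke-Command, because the AD cmdlets inside a remote session cannot forward the caller's Kerberos credentials to the domain controller. The hosts must be able to reach a domain controller running Windows Server 2012 or later, which is the minimum for gMSA support.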
Failover clusters do not support gMSAs. However, services that run on top of the Cluster service can use a gMSA or an sMSA if they are a Windows service, an application pool, or a scheduled task, or if they natively support gMSA or sMSA.
A 64-bit architecture is required to run the Windows PowerShell commands which are used to administer gMSAs.
A managed service account depends on the Kerberos encryption types that are supported. When a client computer authenticates to a server by using Kerberos, the DC creates a Kerberos service ticket protected with an encryption type that both the DC and the server support. The DC uses the service account's msDS-SupportedEncryptionTypes attribute to determine what encryption the server supports; if the attribute is not set, the DC assumes the server supports nothing stronger than RC4. If the host has been configured not to support RC4, authentication will then always fail. For this reason, AES should always be explicitly configured for MSAs.
Beginning with Windows Server 2008 R2, DES is disabled by default. For more information about supported encryption types, see Changes in Kerberos Authentication.
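The encryption-type check that the preceding paragraphs call for, as an added PowerShell example that is not part of the original article: it reads msDS-SupportedEncryptionTypes for every sMSA and gMSA in the domain, decodes the bitmask, reports accounts with no AES bit set (including the unset case that the DC treats as RC4 only), and sets AES explicitly on them. The function and variable names are the example's own; the bit values are the documented Kerberos encryption-type flags.

```powershell
# Added example (not from the original article). Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# Bit values of msDS-SupportedEncryptionTypes.
$EncFlags = [ordered]@{
    DES_CBC_CRC = 0x01
    DES_CBC_MD5 = 0x02
    RC4_HMAC    = 0x04
    AES128      = 0x08
    AES256      = 0x10
}
$AesMask = $EncFlags.AES128 -bor $EncFlags.AES256

function Get-MsaEncryptionReport {
    # Get-ADServiceAccount -Filter * returns both sMSAs (msDS-ManagedServiceAccount)
    # and gMSAs (msDS-GroupManagedServiceAccount).
    Get-ADServiceAccount -Filter * -Properties 'msDS-SupportedEncryptionTypes' |
        ForEach-Object {
            $raw = $_.'msDS-SupportedEncryptionTypes'
            $supported = if ($null -eq $raw) {
                '(not set: DC assumes RC4 only)'
            } else {
                ($EncFlags.GetEnumerator() |
                    Where-Object { $raw -band $_.Value } |
                    ForEach-Object { $_.Name }) -join ','
            }
            [pscustomobject]@{
                Name              = $_.Name
                ObjectClass       = $_.ObjectClass
                DistinguishedName = $_.DistinguishedName
                Raw               = $raw
                Supported         = $supported
                HasAES            = [bool]($raw -band $AesMask)   # $null -band x is 0
            }
        }
}

function Set-MsaAesOnly {
    # Explicitly enable AES128 and AES256 on every account that has no AES bit.
    # RC4 is deliberately not re-added; include it only while a member host
    # still depends on it.
    param([Parameter(ValueFromPipeline)] $Entry)
    process {
        if (-not $Entry.HasAES) {
            Set-ADServiceAccount -Identity $Entry.DistinguishedName -KerberosEncryptionType AES128, AES256
            "$($Entry.Name): set AES128,AES256 (was: $($Entry.Supported))"
        }
    }
}

$report = Get-MsaEncryptionReport
$report | Format-Table Name, ObjectClass, Raw, Supported, HasAES -AutoSize
$report | Set-MsaAesOnly
```

Review the report before remediating: the `Supported` column shows exactly which bits are set, so an account that lists `RC4_HMAC` only, or nothing at all, is the one that will stop authenticating the day RC4 is disabled on its host. After the change, also confirm that the host's own policy (Network security: Configure encryption types allowed for Kerberos) still allows AES, otherwise the DC and the host will again have no type in common.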
gMSAs are not applicable to Windows operating systems prior to Windows Server 2012.
Server Manager information
There are no configuration steps necessary to implement MSA and gMSA using Server Manager or the Install-WindowsFeature cmdlet.
The following table provides links to additional resources related to Managed Service Accounts and group Managed Service Accounts.
| Content type | References |
|---|---|
| Product evaluation | What's New for Managed Service Accounts |
| Planning | Not yet available |
| Deployment | Not yet available |
| Operations | Managed Service Accounts in Active Directory |
| Troubleshooting | Not yet available |
| Evaluation | Getting Started with Group Managed Service Accounts |
| Tools and settings | Managed Service Accounts in Active Directory Domain Services |
| Community resources | Managed Service Accounts: Understanding, Implementing, Best Practices, and Troubleshooting |
| Related technologies | Active Directory Domain Services Overview |