Managed accounts in SharePoint 2010

The installation best practices in SharePoint 2010 regarding service accounts have not changed since SharePoint 2007. This is regarding the installation though. With SharePoint 2010, Managed accounts were introduced. In SharePoint Server 2007, all services (such as Excel services) were handled by the SSP (Shared Services Provider). The SSP has been removed in SharePoint 2010 and all services now run as Managed Service Accounts.

Each managed service account can have its own password or Managed Service Account in order to add extra security for a pedantic administrator, these passwords can be set to change automatically. A random password will be generated by Sharepoint in selected intervals.

But the introduction of this new feature isn’t all good. The complication comes from the fact that SharePoint 2010 doesn’t implement this capability consistently. So an account that is configured as a Managed Service Account and set to have its password changed automatically could also be used in certain places that don’t understand the managed account concept. When the managed account password is changed the feature that uses that account and only knows the username and password (so it does not use the managed account details) will effectively be broken. As an example, if you configure the Enterprise Search Service to use a managed account whose password is scheduled to be changed every 30 days and you use that same account for the content crawl account then when that password is changed the content crawl will cease to function as it will be unable to authenticate the account. It’s important to note, however, that this issue only comes to light when you configure the managed account to have its password changed automatically.

So what things can be managed accounts and what cannot? The following lists what I’ve come across so far:

Managed Service Accounts:

  • All Service Application Pool Accounts
    • Access Service Application
    • BCS Service Application
    • Excel Services Service Application
    • Metadata Service Application
    • PerformancePoint Service Application
    • Enterprise Search Service Application
    • Secure Store Service Application
    • Subscription Settings Service Application
    • User Profile Service Application
    • Visio Services Service Application
    • Web Analytics Service Application
    • Word Automation Service Application
    • Word Viewing Service Application
    • PowerPoint Viewing Service Application
    • Security Token Service Application

All Content Web Application Pools

  • Service Instances
    • Claims to Windows Token Service
    • Document Conversion Launcher Service
    • Document Conversion Load Balancer Service
    • Microsoft SharePoint Foundation Sandboxed Code Service
    • SharePoint Foundation Help Search
    • SharePoint Server Search (Enterprise Search)
    • Web Analytics Data Processing Service

Service Accounts (should not be managed):

  • Search Crawl Accounts
    • For Foundation Search and Server (Enterprise) Search
  • Unattended User Accounts
    • Excel Services Service Application
    • Visio Services Service Application
    • PerformancePoint Service Application
    • (in general, any Secure Store application credentials)
  • Object Cache Portal Accounts
    • Super User Account
    • Super Reader Account
  • User Profile
    • Synchronization Service Account (listed incorrectly on the FarmCredentialManagement.aspx page)
    • Synchronization Connection Account
  • Server Search Custom Crawl Rule Accounts
    • Any crawl rule that specifies an account other than the default crawl account

I hope this sheds some light on the managed Service account feature in SharePoint 2010.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s