Follow this process to create and use a Managed Service Account for the IIS, BankPoint app and SQL services.
Note: These instructions assume you are running a minimum domain level of Server 2008 R2.
Covered in this article:
- Domain Controller Configuration
- SQL Server Configuration
- App Server Configuration
Domain Controller Configuration
Create a service account 'MSA-bankpoint' within the custom OU "Managed Service Accounts".
- Log onto the domain controller and open a PowerShell session.
- Ensure that the PowerShell Active Directory module is installed:
Install-WindowsFeature -Name RSAT-AD-PowerShell
- Modify the command below to use BankPoint in the service account name, for example MSA-bankpoint, and update the service principal names and server entries with your network information.
New-ADServiceAccount -Name MSA-bankpoint `
    -DNSHostName MSA-bankpoint.domain.com `
    -Path "CN=Managed Service Accounts,DC=DOMAIN,DC=com" `
    -KerberosEncryptionType AES128,AES256 `
    -ManagedPasswordIntervalInDays 30 `
    -ServicePrincipalNames "http/MSA-bankpoint.domain.com/domain.com", `
        "http/MSA-bankpoint/domain.com", "http/MSA-bankpoint/domain"
This creates an MSA for BankPoint whose password is automatically rotated every 30 days and that the app server is permitted to retrieve after each password update.
If the account is to be used on multiple servers, use the following PowerShell command, modifying MSA-bankpoint and the host names accordingly (computer accounts are named with a trailing $):
Set-ADServiceAccount -Identity MSA-bankpoint -PrincipalsAllowedToRetrieveManagedPassword 'Host1$','Host2$','Host3$'
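The two commands above, combined into one script that also checks the prerequisites a domain admin would want verified. This is an added example, not the page's own procedure; the host group 'BankPoint-Hosts', its OU path, the computer names APP01 and APP02 and the domain name are assumptions, and the hosts are placed in a group rather than listed on the account so that adding a server later is a membership change instead of an account edit.

```powershell
# Added example (not from the original page): create the BankPoint gMSA with a host group.
# Assumed names: domain DOMAIN / domain.com, group 'BankPoint-Hosts' in OU=Groups,
# app servers APP01 and APP02, and the default 'Managed Service Accounts' container.
Import-Module ActiveDirectory

$AccountName = 'MSA-bankpoint'
$DomainDns   = 'domain.com'
$MsaPath     = 'CN=Managed Service Accounts,DC=DOMAIN,DC=com'
$GroupPath   = 'OU=Groups,DC=DOMAIN,DC=com'     # assumed OU for the host group
$HostGroup   = 'BankPoint-Hosts'                 # assumed group name
$AppServers  = @('APP01', 'APP02')               # assumed computer names

# A gMSA password can only be generated if the forest has a KDS root key.
if (-not (Get-KdsRootKey)) {
    throw 'No KDS root key found. Create one with Add-KdsRootKey on a domain controller first.'
}

# Group of hosts that may retrieve the managed password.
if (-not (Get-ADGroup -Filter "Name -eq '$HostGroup'")) {
    New-ADGroup -Name $HostGroup -GroupScope Global -GroupCategory Security -Path $GroupPath
}
Add-ADGroupMember -Identity $HostGroup `
    -Members ($AppServers | ForEach-Object { Get-ADComputer -Identity $_ })

# Create the account once; AES only (no RC4/DES), 30-day rotation, SPNs for the web service.
if (-not (Get-ADServiceAccount -Filter "Name -eq '$AccountName'")) {
    New-ADServiceAccount -Name $AccountName `
        -DNSHostName "$AccountName.$DomainDns" `
        -Path $MsaPath `
        -KerberosEncryptionType AES128,AES256 `
        -ManagedPasswordIntervalInDays 30 `
        -PrincipalsAllowedToRetrieveManagedPassword $HostGroup `
        -ServicePrincipalNames "http/$AccountName.$DomainDns/$DomainDns", "http/$AccountName/$DomainDns"
}

# Verify what was written. msDS-SupportedEncryptionTypes 24 = AES128 (8) + AES256 (16);
# PrincipalsAllowedToRetrieveManagedPassword is returned as distinguished names.
Get-ADServiceAccount -Identity $AccountName `
    -Properties PrincipalsAllowedToRetrieveManagedPassword, ServicePrincipalNames, 'msDS-SupportedEncryptionTypes', 'msDS-ManagedPasswordInterval' |
    Select-Object Name, DNSHostName,
        @{ n = 'EncryptionTypes';      e = { $_.'msDS-SupportedEncryptionTypes' } },
        @{ n = 'PasswordIntervalDays'; e = { $_.'msDS-ManagedPasswordInterval' } },
        PrincipalsAllowedToRetrieveManagedPassword, ServicePrincipalNames |
    Format-List
```

Run it once on a domain controller as a user who can create objects in both containers. The password interval can only be set at creation time, so the script refuses to recreate an existing account; change the interval by removing and recreating the account rather than with Set-ADServiceAccount.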
SQL Server Configuration
The MSA will need db_owner membership on any BankPoint databases it connects to.
SQL Server Management Studio can be used to connect to the database server and grant the MSA permissions on the correct database (recommended for both the production and test databases).
- Add the MSA as a login and grant it db_owner on each respective database.
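The same grant done from PowerShell against both databases, with a check that the role membership actually took effect. This is an added example, not part of the original page: the instance name SQL01, the database names BankPoint and BankPoint_Test, and the domain prefix are assumptions. The login name is the account's SAM name, so the trailing $ is required.

```powershell
# Added example (not from the original page): grant the BankPoint gMSA db_owner on the
# production and test databases via T-SQL. Requires the SqlServer module (Invoke-Sqlcmd).
# Assumed names: instance SQL01, databases BankPoint and BankPoint_Test, domain DOMAIN.
Import-Module SqlServer

$Instance  = 'SQL01'
$Login     = 'DOMAIN\MSA-bankpoint$'        # gMSA SAM name, trailing $ required
$Databases = @('BankPoint', 'BankPoint_Test')

# Server-level Windows login, created only if it does not exist yet.
$createLogin = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$Login')
    CREATE LOGIN [$Login] FROM WINDOWS;
"@
Invoke-Sqlcmd -ServerInstance $Instance -Database master -Query $createLogin

foreach ($db in $Databases) {
    # Database user mapped to the login, then db_owner membership (what the app requires).
    $grant = @"
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$Login')
    CREATE USER [$Login] FOR LOGIN [$Login];
ALTER ROLE db_owner ADD MEMBER [$Login];
"@
    Invoke-Sqlcmd -ServerInstance $Instance -Database $db -Query $grant

    # Verify: IS_ROLEMEMBER returns 1 when the principal is a member of the role.
    $check = Invoke-Sqlcmd -ServerInstance $Instance -Database $db `
        -Query "SELECT IS_ROLEMEMBER('db_owner', N'$Login') AS IsOwner;"
    if ($check.IsOwner -ne 1) { throw "db_owner was not granted to $Login on $db" }
    Write-Host "db_owner confirmed for $Login on $db"
}
```

Run it as a SQL login that holds ALTER ANY LOGIN on the server and is a member of db_owner (or sysadmin) on each target database. The here-strings expand $Login in PowerShell before the text reaches SQL Server, which is why the account name is kept in a single-quoted PowerShell string.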
App Server Configuration
On the app server that will use the MSA, perform the following steps.
From PowerShell, run this command, modifying the account name accordingly:
- Change the BankPoint test and prod Service and Watchdog services to use the MSA by opening Services Manager and changing the logon account to the MSA. Apply with no password. The service must be stopped and restarted.
- Change the IIS app pool identity if desired by opening IIS Manager, Application Pools, then Advanced Settings for the BankPoint app pool. Under Process Model, set Identity to the MSA using the format DOMAIN\MSA-bankpoint$; the trailing $ allows you to save with no password.
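The app server steps as one script: install the account on the host, confirm the host is actually allowed to retrieve its password, repoint the services and the app pool, and restart them. This is an added example, not the page's own procedure. It assumes the PowerShell step the page refers to is Install-ADServiceAccount (the standard cmdlet for caching a gMSA on a host), and the service names BankPointService and BankPointWatchdog, the app pool name BankPoint and the domain prefix are assumptions.

```powershell
# Added example (not from the original page): install and verify the gMSA on the app server,
# then point the BankPoint services and the IIS app pool at it with no password.
# Assumed names: services 'BankPointService' and 'BankPointWatchdog', app pool 'BankPoint', domain DOMAIN.
# Requires RSAT-AD-PowerShell and the WebAdministration module on the app server.
Import-Module ActiveDirectory
Import-Module WebAdministration

$Account  = 'MSA-bankpoint'
$LogonAs  = "DOMAIN\$Account`$"          # trailing $ = gMSA SAM name
$Services = @('BankPointService', 'BankPointWatchdog')
$AppPool  = 'BankPoint'

# Cache the account on this host (assumed to be the command the page leaves out),
# then prove the host can retrieve the password before touching any service.
Install-ADServiceAccount -Identity $Account
if (-not (Test-ADServiceAccount -Identity $Account)) {
    throw "This host cannot retrieve the password for $Account (check PrincipalsAllowedToRetrieveManagedPassword)."
}

foreach ($name in $Services) {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
    if (-not $svc) { throw "Service $name not found" }
    # Win32_Service.Change with an empty StartPassword: the service control manager
    # fetches the managed password itself, which is why no password is stored here.
    $result = Invoke-CimMethod -InputObject $svc -MethodName Change `
        -Arguments @{ StartName = $LogonAs; StartPassword = '' }
    if ($result.ReturnValue -ne 0) {
        throw "Failed to change the logon account for $name (return code $($result.ReturnValue))"
    }
    # The new identity only takes effect after a restart.
    Restart-Service -Name $name -Force
}

# IIS application pool: SpecificUser identity with the gMSA and an empty password.
Set-ItemProperty -Path "IIS:\AppPools\$AppPool" -Name processModel `
    -Value @{ identityType = 'SpecificUser'; userName = $LogonAs; password = '' }
Restart-WebAppPool -Name $AppPool

# Verify the configured identities.
Get-CimInstance -ClassName Win32_Service -Filter "Name='BankPointService' OR Name='BankPointWatchdog'" |
    Select-Object Name, StartName, State
(Get-ItemProperty -Path "IIS:\AppPools\$AppPool" -Name processModel).userName
```

Run it in an elevated PowerShell session on each app server. If Test-ADServiceAccount returns False the host is not in the account's PrincipalsAllowedToRetrieveManagedPassword list (or the change has not replicated yet); fixing that on the domain controller is the remedy, not entering a password locally.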