Using Managed Service Accounts for App Activities

I know and understand the introduction of Windows service accounts, and how various applications run as a Windows Service Account or a virtual account. I also know that one can connect to things such as a File Share etc. using a Managed Service Account.
Has anyone ever tried to do anything like FTP or anything with a Managed Service Account?
If so, can you provide locations where this information is documented?
Currently we have applications & scripts that rely on things like FTP for doing their various jobs; these apps & scripts use domain creds like FTPUser to connect to the FTP service. Having these domain-level user accounts for these types of tasks is a maintenance nightmare and a security risk. I would like to replace FTPUser with something like TRANS_APP_FTP_USER$ (Managed Service Account) so that the transfer app will use an MSA instead of a domain account to connect to the FTP server.
So far all the docs I've seen have explained how to get the TransApp to run using an MSA... but I want the TransApp to connect to something like an FTP server.
Some documentation (links) discussing this would be helpful.

Hi,
>>these apps & scripts use domain creds like FTPUser to connect to the FTP service. Having these domain-level user accounts for these types of tasks is a maintenance nightmare and a security risk.
As stated in the Wikipedia article:
FTP users may authenticate themselves using a clear-text sign-in protocol, normally in the form of a username and password, but can connect anonymously if the server is configured to allow it. For secure transmission that protects the username and password, and encrypts the content, FTP is often secured with SSL/TLS (FTPS).
File Transfer Protocol
http://en.wikipedia.org/wiki/File_Transfer_Protocol
Besides, for FTP related questions, in order to get better help, it’s recommended that we ask for suggestions in the following IIS forum.
IIS
http://forums.iis.net/
Best regards,
Frank Shen

Similar Messages

  • SQL Server services accounts using Managed Service Accounts

    Hi guys,
    Need your feedback on something: is it wiser to use Managed Service Accounts or normal domain accounts to run SQL Server services? MSAs only work on a single computer, so for every environment I would need to create a new set of SQL service accounts.
    If I create a single account, wouldn't it be simpler? For instance domain\sqlservices, set on every service and every environment (dev, QA and production).

    Hi
    It is a good question, but the answer is not black or white. The answer is "it depends", like most configuration questions.
    I recommend you use Google to find blogs about the issue.
    You can start from these links, which are a great starting point for your question:
    Best Practices For Using SQL Server Service Accounts
    Book Online
      Ronen Ariely

  • Use SIA service account for SQL Server reporting connections (BIP4.1)

    Is it possible to use the SIA service account as a proxy for a SQL Server connection using OLE DB? This way, anytime a report was refreshed, the SIA service account would be used when authenticating to the reporting database? This is a common pattern in software development to minimize database maintenance (when there is sufficient security being enforced at the application layer - BOBJ provides this).
    This would make SQL Server database security management very easy for the DBAs (just add the BOBJ service account to the database and assign dbreader).
    I would think this would be an option, but a Relational Connection only provides the following 3 Authentication modes when using the IDT to create and publish a Relational Connection (OLEDB/MSSQL):
    Use BusinessObjects credential mapping
    This takes the username and password from the "Database Credentials" section of the BusinessObjects User object for the user in the current session. It passes the info as hard-coded SQL authentication.
    Use single sign-on when refreshing reports at view time
    This is ONLY for end-to-end single-sign-on (as the error message in the next paragraph specifies) and uses the Windows AD credentials for the user in the current session. It is this method of authentication that I'd like to use, i.e. Windows Integrated Security, but I'd like to have the SIA account act as the account that makes the connection, not end-to-end.
    Use specified username and password
    This is for hard-coding usernames and passwords (only SQL authentication in OLE DB).
    I've tried leaving the "Cache security context" option OFF in Windows AD Authentication settings, hoping it would default to using the service account for authentication to the database... to no avail. It fails during tests in the IDT with the message:
    "Single Sign-On failed in the CMS. Please contact your system administrator for details. : The authentication provider (secWinAD) associated with this logon session does not have inter-process Single Sign-On enabled. Contact your system administrator for details. (FWB 00019)"
    Alternatively, a SQL user could be hard-coded into the connection (same simple maintenance on the DBA side), but we'd really like to rely on Windows Integrated Security if possible!
    Is there a way?
    Any help is greatly appreciated!
    David

    Hey David,
    Did you ever solve this? We get the same SSO error when indexing information spaces in Explorer.
    Thanks,
    Brandon

  • Group managed service accounts for SQL Server

    Hey guys,
    Unfortunately I missed that (g/s)MSAs aren't supported yet for SQL Server, but I've been using them without any worries for ages.
    As I dug a bit deeper I found different information in the related TechNet entries. So it seems Microsoft's information about (s)MSAs and gMSAs isn't consistent.
    I'm not a SQL Server guy and use SQL only for System Center testing stuff, so I would like to get real-world experiences from SQL Server guys.
    Should I continue using gMSAs, or are there any worries I should know about?
    Some sources I found so far:
    Not supported:
    "Hi Adam,
    Thank you for your feedback. Windows Server 2012 Group Managed Service Account is not currently supported as SQL 2012 released earlier than Windows Server 2012. We will consider to support gMSA in future SQL Server release.
    Regards,
    Min He, Program Manager, SQL Server"
    11.2012 -
    https://connect.microsoft.com/SQLServer/feedback/details/767211/gmsa-for-sql-server-failover-Clusters
    gMSAs are not yet available, are not yet supported for SQL Server. gMSAs exist and are available and supported in Windows Server 2012 and higher. SQL does not support them, but from an OS perspective, they exist and are supported.
    http://blogs.msdn.com/b/sqlosteam/archive/2014/02/19/msa-accounts-used-with-sql.aspx
    Within the FAQ, Task Scheduler isn't supported as well ...
    http://technet.microsoft.com/en-us/library/ff641729%28WS.10%29.aspx
    ... but PFEs are also using them for Tasks... this is confusing... 0o
    http://blogs.msdn.com/b/arvindsh/archive/2014/02/03/managed-service-accounts-msa-and-sql-2012-practical-tips.aspx
    Supported?:
    Configure Windows Service Accounts and Permissions
    ... New Account Types Available with Windows 7 and Windows Server 2008 R2
    http://technet.microsoft.com/en-us/library/ms143504(v=sql.110).aspx#Default_Accts
    The MSA must be created in the Active Directory by the domain administrator before SQL Server setup can use it for SQL Server services.
    Other sources don't mention s/gMSAs...
    I couldn't find clear information about using gMSA for SQL Server 2014,
    only the same page, which also looks like the page for 2008 R2 and SQL 2012.
    Configure Windows Service Accounts and Permissions
    SQL Server 2014
    http://msdn.microsoft.com/en-us/library/ms143504.aspx
    Annoying topic so far... ;)

    Hi Enrico
    aside from what Dan says about the risk for support, on which I agree, the following thread may clear it up a bit:
    http://social.msdn.microsoft.com/Forums/sqlserver/en-US/acb2048c-ffce-4d44-b882-6aafc7eb689d/managed-service-accounts-to-run-sql-server-service?forum=sqlsecurity
    Andreas Wolter (Blog |
    Twitter)
    MCM - Microsoft Certified Master SQL Server 2008
    MCSM - Microsoft Certified Solutions Master Data Platform, SQL Server 2012
    www.andreas-wolter.com |
    www.SarpedonQualityLab.com

  • Should I use Managed Service Accounts or individual, Domain User accounts?

    I'm setting up a new SP 2013, and I'm trying to be very granular as it relates to "Least Privilege".
    I'm trying to figure out which accounts could be created as Managed Service Accounts (MSA's) and which ones truly need to be created as Domain User accounts in order to run either specific SQL and/or SharePoint services.
    At face value, I *think* any service could be successfully run using an MSA and yet any installation of either SQL Server 2012 and/or SharePoint 2013 should be done using a Domain User account created for that specific purpose (i.e., SP_FARM, SP_ADMIN, SQL_ADMIN, etc.). In fact, I *think* the installation would HAVE to be done with an actual Domain User account, because (unless I'm wrong), MSA's do not have a shell and therefore CAN'T log on...which is by design?
    Here's a Microsoft TechNet article that lists many of the accounts I'm referring to:
    https://social.technet.microsoft.com/wiki/contents/articles/14500.sharepoint-2013-service-accounts.aspx
    Note that it says MOST of the accounts are Domain accounts, but I don't *think* all of these need to BE Domain accounts - I think MOST of them could be created as MSA's and assigned to run the specific service without any problems whatsoever?
    So again, my question is: which accounts could be created as Managed Service Accounts (MSA's) and which ones truly need to be created as Domain User accounts in order to run either specific SQL and/or SharePoint service or to even perform a successful installation of the software?
    Ed

    No, script 1 does not create Active Directory Managed Service Accounts (see here:
    http://blogs.technet.com/b/askds/archive/2009/09/10/managed-service-accounts-understanding-implementing-best-practices-and-troubleshooting.aspx). These are not applicable to SharePoint and are not mentioned in any of those scripts; look at the PowerShell cmdlets, they are very different.
    Script 1 creates Active Directory users. These are, as far as AD cares, just standard user objects. There is nothing at all special about them in AD.
    At some point you would install SharePoint using those accounts; during that process they get registered in SharePoint as SharePoint Managed Accounts.
    Script 2 updates the settings on those managed accounts in bulk.

  • Managed Service Accounts for Cluster

    Hi,
    Is it possible to use MSAs for a 2012 FCI on Windows 2008 R2? Since an MSA can only be associated with one computer, you would have to use multiple MSA accounts, but I've not heard about using service accounts with different names to run a clustered SQL service.
    Thanks,
    Sam

    Hi sam_squarewave,
    We can configure a SQL 2012 standalone instance to utilize the new Managed Service Accounts feature in Windows 2008 R2. Usually you set up the MSA in Active Directory, install the MSA on the target server and change the SQL Service account. The managed service account is designed to provide crucial applications such as Exchange Server and IIS with the isolation of their own domain accounts; it is not supported with SQL 2012 Failover Clustered Instances (FCI). For more information about Managed Service Accounts (MSA) and SQL 2012, you can review the following article.
    http://blogs.msdn.com/b/arvindsh/archive/2014/02/03/managed-service-accounts-msa-and-sql-2012-practical-tips.aspx?PageIndex=5
    In addition, when you configure Windows Failover Clustering for SQL Server (Availability Group or FCI), if you want to use other accounts, the accounts and permissions required to create and maintain your HADR solution. For guidance configuring the required account permissions for WSFC clusters and clustered services, see Failover Cluster Step-by-Step Guide: Configuring Accounts in Active Directory (http://technet.microsoft.com/en-us/library/cc731002(WS.10).aspx).
    There is detail about configuring Windows Failover Clustering for SQL Server (Availability Group or FCI) with Limited Security; you can review it.
    http://blogs.msdn.com/b/sqlalwayson/archive/2012/06/05/configure-windows-failover-clustering-for-sql-server-availability-group-or-fci-with-limited-security.aspx
    Regards,
    Sofiya Li
    TechNet Community Support
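    The three steps Sofiya lists (create the MSA in Active Directory, install it on the target server, change the SQL Service account) written out as an added PowerShell example; this is not code from the thread or from Microsoft's documentation. The domain, host, instance and account names are assumptions, the AD steps assume the ActiveDirectory module, and the last step uses the SMO `ManagedComputer` class on the SQL host as the scripted equivalent of SQL Server Configuration Manager.

```powershell
# Added example: standalone (single-computer) MSA for a SQL Server 2012 default instance.
# Assumptions (not from the thread): domain CONTOSO, SQL host SQL01, MSA svc_sql01,
# instance MSSQLSERVER. Steps 1 runs as a domain admin; steps 2 and 3 run on SQL01
# as a local administrator with SMO installed (Windows PowerShell).

Import-Module ActiveDirectory

$domain   = 'CONTOSO'
$sqlHost  = 'SQL01'
$msaName  = 'svc_sql01'        # sAMAccountName becomes svc_sql01$ (max 15 characters)
$instance = 'MSSQLSERVER'      # named instances use MSSQL$<name>

# 1. Create the MSA in AD. -RestrictToSingleComputer creates a standalone MSA, the
#    kind this thread is about, rather than a group MSA.
New-ADServiceAccount -Name $msaName `
    -RestrictToSingleComputer `
    -Enabled $true `
    -Description "MSA for SQL Server on $sqlHost (added example)"

# Bind the MSA to the one computer that is allowed to use it.
Add-ADComputerServiceAccount -Identity $sqlHost -ServiceAccount $msaName

# 2. On SQL01: install the MSA locally so LSA can retrieve and rotate its password.
#    Test-ADServiceAccount returns $true only when this host can actually use it.
Install-ADServiceAccount -Identity $msaName
if (-not (Test-ADServiceAccount -Identity $msaName)) {
    throw "MSA $msaName is not usable on $env:COMPUTERNAME; check the computer binding."
}

# 3. Change the SQL Server service account. SetServiceAccount does the same work as
#    SQL Server Configuration Manager (SQL-specific rights and ACLs); the password is
#    empty because Windows manages it. The change takes effect on the next restart.
Add-Type -AssemblyName 'Microsoft.SqlServer.SqlWmiManagement'   # SMO WMI provider
$mc  = New-Object Microsoft.SqlServer.Management.Smo.Wmi.ManagedComputer
$svc = $mc.Services[$instance]
$svc.SetServiceAccount("$domain\$msaName`$", '')
Restart-Service -Name $instance

# Verify: the service should now report the MSA (trailing $) as its logon account.
Get-CimInstance Win32_Service -Filter "Name='$instance'" |
    Select-Object Name, StartName, State
```

    The `Test-ADServiceAccount` check before touching the service is the important part: if the computer binding or replication is not in place, changing the logon account first leaves SQL Server unable to start.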

  • Managed Service Accounts to run SQL Server Service

    Has anyone played around with using managed service accounts for running the SQL Server Service? I am on a forest functional level of 2008R2 and was thinking about how cool it would be to use those for SQL Server. Unfortunately, I hear that it's not supported by Microsoft and yet I've read about people doing that but would like to know if anyone has first hand experience. Otherwise, if not recommended, I'll stick to the old fashioned way of creating typical user accounts. Thanks in advance!

    Hi Scott hi Sean
    I see that my first answer was badly phrased.
    Let me try to make it more clear:
    Managed Service Accounts(MSA):
    Works with Kerberos including Delegation, but:
    NOT working with cluster nodes
    NOT working for load balancing using Kerberos
    More information:
    http://blogs.technet.com/b/askds/archive/2009/09/10/managed-service-accounts-understanding-implementing-best-practices-and-troubleshooting.aspx
    Group Managed Service Accounts (GMSA):
    Works with Kerberos including Delegation, but:
    NOT supported with Failover Clustered Instances
    Here is the connect item:
    http://connect.microsoft.com/SQLServer/feedback/details/767211/gmsa-for-sql-server-failover-clusters
    @all Please feel free to vote(!). I am waiting for this as well.
    This is the state of my information today. Feel free to correct me if you know of any changes.
    Andreas Wolter (Blog |
    Twitter)
    MCM - Microsoft Certified Master SQL Server 2008
    MCSM - Microsoft Certified Solutions Master Data Platform, SQL Server 2012
    www.andreas-wolter.com |
    www.SarpedonQualityLab.com

  • Are Managed Service Accounts Supported in BizTalk?

    Hello,
    Does BizTalk Server support the use of Managed Service Accounts for running host instances? Please see: http://technet.microsoft.com/en-us/library/dd560633(v=ws.10).aspx
    Thank You,
    PBR

    I would not say a complete no. It's yes and no.
    Yes: you can use an MSA on a single-server quick test/dev BizTalk environment (quick in terms of building an environment for test/dev). Is it a good practice to use an MSA? Then it's no.
    Strict no: for a multi-computer environment or in a cluster, obviously you can't use an MSA. It's also one of the limitations of an MSA that it can't span multiple computers.
    But there is no official word from BizTalk (at least I can't find one) to say not to use it in BizTalk. It's not advisable to use an MSA in BizTalk, but technically you can in a single-server dev/test environment.
    If this answers your question please mark it accordingly. If this post is helpful, please vote as helpful by clicking the upward arrow mark next to my reply.

  • Managed Service Accounts on SQL 2005?

    I am doing research on the proper way to configure service accounts in SQL as ours are absolutely set up incorrectly. I was thinking about using Managed Service Accounts (MSA's) so we don't have to manage passwords going forward, and I can't find anything to say whether it is compatible with SQL 2005 or not.
    It looks like it is with SQL 2008R2 as well as SQL 2012.
    Anyone using MSA's with SQL 2005? Can I use one account per service for each of the services without an issue?

    Hello,
    MSA's are not compatible with SQL Server 2005 or 2008 but 2008R2 and 2012 will work.
    Sean Gallardy | Blog | Microsoft Certified Master
    Thanks Sean.  I appreciate the quick answer.  
    Have a great weekend.  

  • Use different DPS accounts for iPad and Android versions of same app?

    Hi there,
      When creating an Android version of an iPad DPS app should the account used to create the content (the 'Title ID' in the DPS App Builder) be the same for both versions, or different? In the content viewer I know that iPad content will show up even on Android, so I'm thinking that the answer is probably no, but I haven't managed to find it mentioned in the Adobe docs.
      Thanks,
    Toby

    It depends, but usually the answer is that you want to use a different account for iOS and Android. Not all features supported in the iOS viewer are supported in the Android viewer. For example, if you use panoramas or iOS-specific web views in your articles, you'll want to be able to use different content for the Android viewers. Search for "dps supported features" for a comparison chart.
    I use different Application accounts for my apps. I use the Share/Copy feature to transfer the folios from the iOS account to the Android (or Windows) account. Then I delete the few articles that don't work well in the viewer and replace them with articles generated from different source files. That works well and doesn't require too much extra effort.
    If you want to reduce the amount of letterboxing in Android viewers, you'll definitely want to use different accounts and use, for example, 1280x800 folios instead of 1024x768.

  • Why would you use a managed service account rather than a virtual account in SQL Server 2012?

    In SQL Server 2012, service accounts are created as virtual accounts (VAs), as described here, as opposed to managed service accounts (MSAs).
    The important differences I can see for these, based on the descriptions:
    MSAs are domain accounts, VAs are local accounts
    MSAs use automagic password management handled by AD, VAs have no passwords
    in a Kerberos context, MSAs register SPNs automatically, VAs do not
    Are there any other differences? If Kerberos is not in use, why would a DBA ever prefer an MSA?
    UPDATE:
    Another user has noted a possible contradiction in the MS docs concerning VAs:
    The virtual account is auto-managed, and the virtual account can access the network in a domain environment.
    versus
    Virtual accounts cannot be authenticated to a remote location. All virtual accounts use the permission of machine account. Provision the machine account in the format <domain_name>\<computer_name>$.
    What is the "machine account"? How/when/why does it get "provisioned"? What is the difference between "accessing the network in a domain environment" and "authenticating to a remote location [in a domain environment]"?

    Hi,
    “Virtual accounts cannot be authenticated to a remote location. All virtual accounts use the permission of machine account. Provision the machine account in the format <domain_name>\<computer_name>$.”
    “The virtual account is auto-managed, and the virtual account can access the network in a domain environment. If the default value is used for the service accounts during SQL Server setup on Windows Server 2008 R2 or Windows 7, a virtual account using the instance name as the service name is used, in the format NT SERVICE\<SERVICENAME>”
    Per the above description, they are two concepts and do not conflict with each other.
    As you understand, virtual accounts access network resources by using the credentials of the computer account. Generally, the computer account will not be granted permission unless you give the computer account permission on the shared folder manually.
    Thanks.
    Tracy Cai
    TechNet Community Support
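    Tracy's point, that a virtual account reaches the network as the computer account and that the share has to be provisioned for that account, as an added PowerShell example (not code from the thread or from Microsoft). The domain, host, file server, share and path names are assumptions; the share cmdlets assume the SmbShare module on the file server.

```powershell
# Added example: find the services on a SQL host that run as NT SERVICE\ virtual accounts,
# then provision the host's computer account on a remote share so those services can use it.
# Assumptions (not from the thread): domain CONTOSO, SQL host SQL01, file server FS01,
# share Backups backed by D:\Backups. Step 1 runs on SQL01, steps 2 and 3 on FS01.

$domain  = 'CONTOSO'
$sqlHost = 'SQL01'
$share   = 'Backups'
$path    = 'D:\Backups'

# 1. On SQL01: every service listed here presents itself to remote hosts as
#    CONTOSO\SQL01$, not as an individual identity. Knowing which services these are
#    tells you what you are really granting when you grant the computer account.
function Get-VirtualAccountService {
    Get-CimInstance Win32_Service |
        Where-Object { $_.StartName -like 'NT SERVICE\*' } |
        Select-Object Name, StartName, State
}
Get-VirtualAccountService | Format-Table -AutoSize

# 2. On FS01: provision the machine account on both the share ACL and the NTFS ACL.
#    This grants access to *all* virtual-account and LocalSystem services on SQL01,
#    so keep the right (Change / Modify, not Full Control) and the path narrow.
$machine = "$domain\$sqlHost`$"
Grant-SmbShareAccess -Name $share -AccountName $machine -AccessRight Change -Force
icacls $path /grant "$($machine):(OI)(CI)M"

# 3. Verify both entries exist for the machine account.
Get-SmbShareAccess -Name $share | Where-Object AccountName -eq $machine
(Get-Acl $path).Access | Where-Object IdentityReference -eq $machine |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

    If the access entry is missing on either the share or the NTFS side, the SQL service's network access fails with an access-denied error even though the local virtual account is healthy, which is the situation the two quoted documentation sentences describe from two angles.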

  • Please help me!!! Right now I stay in Malaysia but I use a USA iTunes account to buy apps. Here I've screwed up because my payment was declined. Any help guys!


    If you've had it for less than a year, then it's still under warranty.  Take it to an Apple store or an authorized service facility.  See http://support.apple.com/kb/HT1434

  • Use one account for apps and other for itunes match

    Hello everybody
    My question today is quite simple. I use one account for apps and TV shows, but I want to use a different iTunes account for purchasing iTunes Match. How can I use them both on my devices? Will it be asking for my user/pass each time I play a song? What other thing should I consider?
    Thank you in advance

    I would strongly recommend you not do this. You will regret it.
    I have played with this issue a lot. You have to remain signed into Match in order for it to show up on your phone. If you sign out to purchase an app or redownload one from the App Store ID you use, then Match will be removed from your phone and when you go into your Music app the iCloud will not be there. You then have to go sign back out of the store ID you used for your app purchase and then sign back into Match, and everything will have to go through the download-to-your-device process again. This really is not what you want to do.
    Sign up to Match with the Apple ID that you know you will use the most or has the most purchased items and use that for all purchases, i.e. books, apps, movies, and music. You don't want to go through the other process.
    Plus Apple will start not letting you sign into Match because you signed out and back in, in too short a period of time.
    All store purchases on an iPhone are linked to the store ID. If you sign out of your Match ID on the App Store and sign into another account to purchase an app, then iTunes Match will sign out in the Music app. You can't have two store IDs signed into your iPhone at the same time. They are all linked together.

  • Why does my app store use a different account for downloading and another for updating apps?

    My app store used my own account for downloading and my sister's for updating, and it keeps telling me to reset my account. I already did that the other few times it told me to do that!

    Have you restored your device from your sister's backup?

  • Do Group Managed Service Accounts require permissions to run service in question?

    I'm testing out GMSA (Group Managed Service Accounts) in Windows 2012 R2. My domain and forest functional level is 2008 R2 (which I understand is the minimal functional level for GMSA support). 
    Question I have is if I create a new GMSA for a particular service, does the GMSA require permissions to run service? For example, SQL rights, IIS rights, etc...
    Also, can they be used to run scheduled tasks? Thanks.

    A gMSA is like any other service account. When you use it you need to prepare for whatever the app/service requires. Then you need to think HOW to implement. The HOW focuses on whether you can use a gMSA for the app/service or not, because it depends on the app and the underlying OS.
    Regarding scheduled task support for gMSA, see
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/42273a38-05dc-4f62-b915-8f55480d59bd/how-do-i-use-a-group-managed-service-account-with-the-task-scheduler?forum=winserver8gen
    https://technet.microsoft.com/en-us/library/hh831782.aspx
    http://blogs.technet.com/b/askpfeplat/archive/2012/12/17/windows-server-2012-group-managed-service-accounts.aspx
    Cheers,
    Jorge de Almeida Pinto
    Principal Consultant | MVP Directory Services | IAM Technologies
    DISCLAIMER: This post is provided "AS IS" with no warranties of any kind, either expressed or implied, and confers no rights! Always evaluate/test yourself before using/implementing this!
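    Jorge's two points, that a gMSA still has to be given whatever rights the job needs and that it can be used as the principal of a scheduled task, as an added PowerShell example; this is not code from the thread or from the linked articles. The domain, group, account, folder and task names are assumptions, and it assumes a 2012-level DC, hosts running Windows Server 2012 or later, and the ActiveDirectory module.

```powershell
# Added example: create a group Managed Service Account, install it on a task host, grant it
# the rights the job needs, and register a scheduled task that runs as it.
# Assumptions (not from the thread): domain CONTOSO, AD group gMSA-TaskHosts holding the
# computer accounts allowed to use the gMSA, gMSA svc_task, job folder D:\Transfers.

Import-Module ActiveDirectory

$domain    = 'CONTOSO'
$gmsaName  = 'svc_task'            # sAMAccountName becomes svc_task$
$hostGroup = 'gMSA-TaskHosts'      # only members may retrieve the managed password
$dnsHost   = "svc_task.$((Get-ADDomain).DNSRoot)"
$jobFolder = 'D:\Transfers'        # assumed path the job writes to

# 0. gMSAs need a KDS root key. Without -EffectiveTime in the past the DCs honour a new
#    key only after the 10-hour replication window; the backdated form is a lab shortcut.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

# 1. Create the gMSA (run as a domain admin). Restricting the principals that may read the
#    password is what keeps the account bound to the intended hosts.
New-ADServiceAccount -Name $gmsaName `
    -DNSHostName $dnsHost `
    -PrincipalsAllowedToRetrieveManagedPassword $hostGroup `
    -Enabled $true

# 2. On each task host (after it was added to $hostGroup and rebooted so its Kerberos
#    ticket carries the new group membership): install and test.
Install-ADServiceAccount -Identity $gmsaName
if (-not (Test-ADServiceAccount -Identity $gmsaName)) {
    throw "gMSA $gmsaName is not usable on $env:COMPUTERNAME; check group membership and replication."
}

# 3. The account is "like any other service account": grant it only what the job needs,
#    here Modify on the job folder rather than local admin.
$account = "$domain\$gmsaName`$"
icacls $jobFolder /grant "$($account):(OI)(CI)M"

# 4. Register the task. LogonType Password with no password supplied makes Task Scheduler
#    fetch the managed password from the domain at run time.
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                 -Argument "-NoProfile -File $jobFolder\TransferJob.ps1"
$trigger   = New-ScheduledTaskTrigger -Daily -At '02:00'
$principal = New-ScheduledTaskPrincipal -UserId $account -LogonType Password
Register-ScheduledTask -TaskName 'TransferJob' -Action $action -Trigger $trigger -Principal $principal

# Verify the task's principal is the gMSA.
(Get-ScheduledTask -TaskName 'TransferJob').Principal | Select-Object UserId, LogonType
```

    The `Register-ScheduledTask` route is used here because the Task Scheduler GUI does not accept an account without a password; the cmdlet does, which is why gMSA-backed tasks are normally created from PowerShell.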
