patternsqlMinor
Why would you use a managed service account rather than a virtual account in SQL Server 2012?
Viewed 0 times
managedwhy2012yousqlthanaccountratherwouldservice
Problem
In SQL Server 2012, service accounts are created as virtual accounts (VAs), as described here, as opposed to managed service accounts (MSAs).
The important differences I can see for these, based on the descriptions:
Are there any other differences? If Kerberos is not in use, why would a DBA ever prefer an MSA?
UPDATE: Another user has noted a possible contradiction in the MS docs concerning VAs:
The virtual account is auto-managed, and the virtual account can access the network
in a domain environment.
versus
Virtual accounts cannot be authenticated to a remote location. All virtual accounts
use the permission of machine account. Provision the machine account in the format
What is the "machine account"? How/when/why does it get "provisioned"? What is the difference between "accessing the network in a domain environment" and "authenticating to a remote location [in a domain environment]"?
The important differences I can see for these, based on the descriptions:
- MSAs are domain accounts, VAs are local accounts
- MSAs use automagic password management handled by AD, VAs have no passwords
- in a Kerberos context, MSAs register SPNs automatically, VAs do not
Are there any other differences? If Kerberos is not in use, why would a DBA ever prefer an MSA?
UPDATE: Another user has noted a possible contradiction in the MS docs concerning VAs:
The virtual account is auto-managed, and the virtual account can access the network
in a domain environment.
versus
Virtual accounts cannot be authenticated to a remote location. All virtual accounts
use the permission of machine account. Provision the machine account in the format
\$.What is the "machine account"? How/when/why does it get "provisioned"? What is the difference between "accessing the network in a domain environment" and "authenticating to a remote location [in a domain environment]"?
Solution
Here's the way I see it.
When you use a VA, you impersonate the machine account.
The problem is, that it is easy to make a VA or use an existing one (ex. NT Authority\NETWORKSERVICE). If you grant the machine account access to an instance, an application that is running as a VA will be able to connect to that instance and perform actions.
With a managed account, you will have to provide the credentials for that account to whatever application wants to use them, allowing you more granularity with permissions.
When you use a VA, you impersonate the machine account.
The problem is, that it is easy to make a VA or use an existing one (ex. NT Authority\NETWORKSERVICE). If you grant the machine account access to an instance, an application that is running as a VA will be able to connect to that instance and perform actions.
With a managed account, you will have to provide the credentials for that account to whatever application wants to use them, allowing you more granularity with permissions.
Context
StackExchange Database Administrators Q#61630, answer score: 4
Revisions (0)
No revisions yet.