Creating non-interactive via Computer accounts

  • Question

  • Hi All,

I have been looking at using Kerberos auth for our Exchange 2010. This documentation recommends the creation of Computer accounts for the SPNs "Because a computer account doesn't allow interactive logon": http://technet.microsoft.com/en-us/library/ff808312.aspx

    Can we leverage computer accounts for all service accounts, which stops interactive logon? This seems a better solution than a system-wide GPO, and our forest is not at the correct level for 2008 R2 managed service accounts.

    Thanks

    Josh

    Monday, October 1, 2012 11:31 PM

Answers

  • Hi Josh

    In principle it sounds like a good idea to use computer accounts for all service accounts. The only caveat I can think of is whether the application using the service account is going to be happy with a computer account. You might want to do some testing for common uses within your environment (e.g. Windows Services, Scheduled Tasks, etc.)

    2008 R2 MSAs can only be used on a single machine, so they would be no good for the CAS Array (which requires the same account for all computers in the array). The Group Managed Service Accounts (gMSAs) feature introduced with Windows Server 2012, on the other hand, would probably do the trick nicely. Now we just need Microsoft to update the Exchange Supportability Matrix to understand where 2012 fits in (if at all).


    Alexei

    • Marked as answer by Lawrence, Friday, October 12, 2012 9:21 AM
    Tuesday, October 2, 2012 2:24 AM
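The approach discussed above (a computer object used purely as a shared Kerberos service identity, plus the gMSA alternative Alexei mentions) as an added PowerShell example. This is not code from the thread or from Microsoft's Exchange documentation; the domain CORP, the OU path, the account names SVC-EXCHASA and SVC-CASARRAY, the SPN values, the group CAS-Array-Nodes and the service name MyService are all assumed for illustration. It needs the ActiveDirectory RSAT module; the gMSA part additionally needs 2012-level DCs and a KDS root key.

```powershell
# Added example, not from this thread. Assumed names: domain CORP, OU
# "OU=ServiceAccounts,DC=corp,DC=example,DC=com", accounts SVC-EXCHASA / SVC-CASARRAY,
# group CAS-Array-Nodes, service MyService and the SPNs in the usage section.
Import-Module ActiveDirectory

function Test-SpnFree {
    # $true only if no object in the whole forest already carries the SPN.
    # A duplicate SPN makes the KDC issue tickets for the wrong key, and clients
    # silently fall back to NTLM or fail with nothing useful logged on the server.
    param([Parameter(Mandatory)][string]$Spn)
    $gc = (Get-ADDomainController -Discover -Service GlobalCatalog).HostName | Select-Object -First 1
    $owner = Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Server "${gc}:3268"
    return ($null -eq $owner)
}

function New-ServiceComputerAccount {
    # Creates a computer object that never joins a machine. We set the password
    # ourselves so the account can be used as DOMAIN\name$ + password in the SCM.
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$OuPath,
        [Parameter(Mandatory)][string[]]$Spns,
        [Parameter(Mandatory)][securestring]$Password
    )
    foreach ($spn in $Spns) {
        if (-not (Test-SpnFree -Spn $spn)) { throw "Refusing to create ${Name}: SPN $spn is already registered" }
    }
    New-ADComputer -Name $Name -Path $OuPath -Enabled $true `
        -Description "Shared Kerberos service identity; not a joined host" `
        -AccountPassword $Password -ServicePrincipalNames $Spns
    # Hand back what was created so the SPNs and password age can be audited.
    Get-ADComputer -Identity $Name -Properties ServicePrincipalNames, PasswordLastSet, Enabled
}

function Set-ServiceLogon {
    # Points a Windows service at the account. sc.exe requires the space after "obj=".
    param(
        [Parameter(Mandatory)][string]$ServiceName,
        [Parameter(Mandatory)][string]$Account,   # e.g. CORP\SVC-EXCHASA$
        [string]$PlainPassword = ""               # empty for a gMSA; the SCM fetches it itself
    )
    & sc.exe config $ServiceName obj= $Account password= $PlainPassword
    if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed with exit code $LASTEXITCODE" }
}

function New-SharedGmsa {
    # Same identity on every node of the array: the KDS manages the password and
    # only members of $NodeGroup may retrieve it, so no password is ever typed in.
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$DnsHostName,
        [Parameter(Mandatory)][string]$NodeGroup,
        [Parameter(Mandatory)][string[]]$Spns
    )
    foreach ($spn in $Spns) {
        if (-not (Test-SpnFree -Spn $spn)) { throw "SPN $spn is already registered" }
    }
    if (-not (Get-KdsRootKey)) {
        # Lab shortcut: in production let the key replicate (default 10 hour delay).
        Add-KdsRootKey -EffectiveImmediately | Out-Null
    }
    New-ADServiceAccount -Name $Name -DNSHostName $DnsHostName `
        -PrincipalsAllowedToRetrieveManagedPassword $NodeGroup -ServicePrincipalNames $Spns
    Get-ADServiceAccount -Identity $Name -Properties PrincipalsAllowedToRetrieveManagedPassword, ServicePrincipalNames
}

# --- usage (run as a domain admin from a management host) ---
$ou   = 'OU=ServiceAccounts,DC=corp,DC=example,DC=com'
$spns = 'http/mail.corp.example.com', 'http/autod.corp.example.com',
        'exchangeMDB/outlook.corp.example.com', 'exchangeRFR/outlook.corp.example.com',
        'exchangeAB/outlook.corp.example.com'
$pw   = Read-Host -AsSecureString 'Password for SVC-EXCHASA$'
New-ServiceComputerAccount -Name SVC-EXCHASA -OuPath $ou -Spns $spns -Password $pw |
    Select-Object Name, Enabled, PasswordLastSet, ServicePrincipalNames

# On each CAS node, run the service as the shared computer account (same password everywhere):
# Set-ServiceLogon -ServiceName MyService -Account 'CORP\SVC-EXCHASA$' -PlainPassword '<that password>'

# Alternative once the DCs are 2012: one gMSA for the whole array instead of the computer account
# (the SPN check above throws if both try to hold the same SPNs, which is intended).
# New-SharedGmsa -Name SVC-CASARRAY -DnsHostName outlook.corp.example.com -NodeGroup CAS-Array-Nodes -Spns $spns
# On each node, after it is a member of CAS-Array-Nodes and has rebooted:
#   Install-ADServiceAccount -Identity SVC-CASARRAY
#   Test-ADServiceAccount -Identity SVC-CASARRAY    # $true = this host can retrieve the managed password
#   Set-ServiceLogon -ServiceName MyService -Account 'CORP\SVC-CASARRAY$'
```

The forest-wide SPN check against the global catalog is the part worth keeping even if nothing else is reused: a duplicate SPN is the usual reason "Kerberos is enabled but clients keep using NTLM". Note that a computer account whose password you set yourself is a shared secret like any other service-account password, so it has to be rotated on every node at once and the right to reset it should be restricted; the gMSA route removes that handling entirely.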
  • Hello,

    You may also ask the Exchange experts in http://social.technet.microsoft.com/Forums/en/category/exchangeserver/ about known problems when doing this.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    • Marked as answer by Lawrence, Friday, October 12, 2012 9:22 AM
    Tuesday, October 2, 2012 6:52 AM

All replies

  • Yep, that's my thoughts exactly. I think we just need to use the "$" form DOMAIN\serviceaccount$ to run services, but we will have to complete some more testing...
    Tuesday, October 2, 2012 2:34 AM