Many IT environments have a so-called security-driven approach. Every time I hear that something has to be implemented, it is because security said so. Don't get me wrong - by all means I like to be secure and compliant. In my opinion there should be a balance between security and cost.
I found a very nice chart which shows that.
In today's post I will show you how to configure vCenter Server on Windows to run its services under Managed Service Accounts (MSA).
Managed Service Account and Group Managed Service Account - what are they?
Managed Service Accounts were introduced by Microsoft with the release of Windows Server 2008 R2. The best description comes from the Microsoft TechNet article:
The managed service account is designed to provide crucial applications such as IIS with the isolation of their own domain accounts, while eliminating the need for an administrator to manually administer the service principal name (SPN) and credentials for these accounts. It is a managed domain account that provides automatic password management and simplified SPN management. Virtual accounts are "managed local accounts" that can use a computer's credentials to access network resources.
Group Managed Service Accounts were released with Windows Server 2012.
A gMSA provides the same functionality within the domain but extends it across multiple servers: the same account, with the same automatically rotated password, can be used on several hosts at once, whereas a standalone MSA is bound to exactly one computer account.
Unfortunately the standalone MSA did not solve most users' problems because of its limitations. With the release of gMSA many more use cases became possible. The table below compares application support for MSA and gMSA.
| Application | Managed Service Accounts | Group Managed Service Accounts |
|---|---|---|
| Microsoft SQL Server | Not Supported | Supported |
| Task Scheduler | Not Supported | Supported |
Which kind of MSA should I use, some of you might ask. That depends on how you plan your environment: if you want to use the same account on several computers, use a gMSA; if the account will only ever be used on one server, a standalone MSA is enough.
Managed Service Account and Group Managed Service Account - prerequisites
Managed Service Accounts require the Active Directory schema to be updated to the Windows Server 2008 R2 version.
Group Managed Service Accounts require the Active Directory schema to be updated to the Windows Server 2012 version. In addition, the domain needs a KDS root key (created with Add-KdsRootKey) before the first gMSA can be created, because the key is what lets domain controllers derive the account's password.
In my test lab I will show you how to run vCenter Server services and Microsoft SQL Server using Managed Service Accounts.
Managed Service Account creation
- Open PowerShell and import the Active Directory module.

```powershell
Import-Module ActiveDirectory
```

- To create a standalone managed service account that is linked to a single computer, use the -RestrictToSingleComputer parameter of New-ADServiceAccount.

```powershell
New-ADServiceAccount -Name vmwareafd -RestrictToSingleComputer
```

- Next, associate the newly created MSA with the computer account that will use it.

```powershell
Add-ADComputerServiceAccount -Identity vcenter -ServiceAccount vmwareafd
```

- On the target computer where the MSA will be installed, open PowerShell and install the Active Directory module (if it is not installed already).

```powershell
Import-Module ServerManager
Add-WindowsFeature RSAT-AD-PowerShell
```

- Import the Active Directory module (see the first step) and install the MSA account on the computer. The name must match the account created above.

```powershell
Import-Module ActiveDirectory
Install-ADServiceAccount vmwareafd
```

- The last step is to change the service's log-on account to DOMAIN\vmwareafd$ (note the trailing $ in the account name). Leave the Password and Confirm password fields empty; Windows retrieves the password from Active Directory when the service logs on.
- An account assigned to a service through the Services console is automatically granted the Log On As A Service right.
VMware vCenter Server Services
Below you can find all vCenter Server services. The third column lists the MSA account name used for each service.

| Service Display Name | Service Name | MSA account name |
|---|---|---|
| VMware afd Service | VMWareAfdService | vmvafd |
| VMware Certificate Service | VMWareCertificateService | vmcertservice |
| VMware Component Manager | VMwareComponentManager | vmcomponentmgr |
| VMware Content Library Service | vdcs | vmcontentlibr |
| VMware Directory Service | VMwareDirectoryService | vmdirservice |
| VMware ESX Agent Manager | EsxAgentManager | vmesxmanager |
| VMware HTTP Reverse Proxy | rhttpproxy | vmrhttproxy |
| VMware Identity Management Service | VMwareIdentityMgmtService | vmidentservice |
| VMware Inventory Service | invsvc | vminvservice |
| VMware License Service | vmware-license | vmlicservice |
| VMware Message Bus Config Service | mbcs | vmmbcs |
| VMware Performance Charts | vmware-perfcharts | vmperfchar |
| VMware Security Token Service | VMwareSTS | vmsts |
| VMware Service Control Agent | VMwareServiceControlAgent | vmsvcctrlag |
| VMware Syslog Collector | vmSyslogCollector | vmsyslogcoll |
| VMware System and Hardware Health Manager | vmwarevws | vmhwmanager |
| VMware USB Arbitration Service | VMUSBArbService | vmusbarbit |
| VMware vAPI Endpoint | vapiEndpoint | vmvapiend |
| VMware vCenter Configuration Service | vmware-cis-config | vmcisconfig |
| VMware vCenter workflow manager | vmware-vpx-workflow | vmvpxworkflow |
| VMware VirtualCenter Server | vpxd | vmvpxd |
| VMware vService Manager | VServiceManager | vmvservicemng |
| VMware vSphere Auto Deploy Waiter | vmware-autodeploy-waiter | vmadwaiter |
| VMware vSphere ESXi Dump Collector | vmware-network-coredump | vmdumpcoll |
| VMware vSphere ESXi Dump Collector WebService | VMWareNetworkCoredumpWebserver | vmdumpcollweb |
| VMware vSphere Profile-Driven Storage Service | vimPBSM | vmpdss |
| VMware vSphere Web Client | vspherewebclientsvc | vmwebclient |
The next step is to install all of these MSA accounts on the target computer (Install-ADServiceAccount for each one). I simply added the accounts using Computer Management.
Once all accounts are members of the local Administrators group, stop all vCenter services and replace the account associated with each service. Keep in mind that making every MSA a local administrator gives away much of the isolation that separate accounts are meant to provide; where a service starts without it, leave that account out of the group.
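The step-by-step procedure above and this bulk step are the same workflow repeated per service, so here it is as one script: create and link the MSAs on the domain side, then install them, re-point the services, and verify on the vCenter host. This is an added example, not code from the original post. It assumes the domain WOJCIEH, the computer account vcenter, and a constructed subset of the service-to-MSA mapping taken from the table above; the service logon is changed through the Win32_Service.Change API rather than the Services console, which is why the script checks the Log On As A Service right itself.

```powershell
# Added example (not from the original post). Assumptions: domain WOJCIEH,
# vCenter computer account 'vcenter', and a constructed subset of the
# service -> MSA mapping from the table above. Extend $Map as needed.

$Domain   = 'WOJCIEH'
$Computer = 'vcenter'
$Map = @{                                  # service name -> MSA name
    'vpxd'                   = 'vmvpxd'
    'invsvc'                 = 'vminvservice'
    'VMwareDirectoryService' = 'vmdirservice'
    'VMwareSTS'              = 'vmsts'
}

# ---- Domain side: run where the AD module is installed, as a domain admin
Import-Module ActiveDirectory
foreach ($msa in $Map.Values) {
    if (-not (Get-ADServiceAccount -Filter "Name -eq '$msa'")) {
        # Standalone MSA: usable on exactly one computer account
        New-ADServiceAccount -Name $msa -RestrictToSingleComputer
    }
    Add-ADComputerServiceAccount -Identity $Computer -ServiceAccount $msa
}
# Each MSA should now list the vCenter computer account as its host
Get-ADServiceAccount -Filter * -Properties HostComputers |
    Where-Object { $Map.Values -contains $_.Name } |
    Select-Object Name, SamAccountName, HostComputers

# ---- Target computer (vcenter): run in an elevated PowerShell
Import-Module ServerManager
Add-WindowsFeature RSAT-AD-PowerShell | Out-Null
Import-Module ActiveDirectory

foreach ($svc in $Map.Keys) {
    $msa     = $Map[$svc]
    $account = "$Domain\$msa`$"            # MSA logon names end with '$'

    Install-ADServiceAccount -Identity $msa
    # $false means this host cannot fetch the MSA password from AD, and the
    # service would fail to start with a logon failure (error 1069)
    if (-not (Test-ADServiceAccount -Identity $msa)) {
        throw "MSA $msa is not usable on $env:COMPUTERNAME"
    }

    Stop-Service -Name $svc -Force
    # Re-point the service; the password is empty because Windows gets it from AD
    $service = Get-CimInstance Win32_Service -Filter "Name='$svc'"
    $r = Invoke-CimMethod -InputObject $service -MethodName Change `
            -Arguments @{ StartName = $account; StartPassword = '' }
    if ($r.ReturnValue -ne 0) { throw "Change() failed for $svc (code $($r.ReturnValue))" }
}

# Changing the logon through the API does not grant 'Log on as a service' the
# way the Services console does, so confirm each MSA SID is in SeServiceLogonRight
$cfg = Join-Path $env:TEMP 'rights.inf'
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$right = (Get-Content $cfg | Where-Object { $_ -like 'SeServiceLogonRight*' }) -join ''
foreach ($msa in $Map.Values) {
    $nt  = New-Object System.Security.Principal.NTAccount("$Domain\$msa`$")
    $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    if ($right -notlike "*$sid*") {
        Write-Warning "$Domain\$msa`$ lacks 'Log on as a service'; grant it before starting $svc"
    }
}

# Start the services again (follow vCenter's documented start order) and show
# which account each one now runs as
foreach ($svc in $Map.Keys) { Start-Service -Name $svc }
Get-CimInstance Win32_Service | Where-Object { $Map.ContainsKey($_.Name) } |
    Select-Object Name, State, StartName
```

Test-ADServiceAccount is the check worth keeping: it proves the host can actually retrieve the MSA's password, which is the one thing that separates "the service is configured" from "the service will start after the next automatic password rollover".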
I had to add the WOJCIEH\vminvservice$ and WOJCIEH\vmvpxd$ accounts as security logins on the SQL Server, with access to the vCenter Server and MSDB databases. This is needed to start the vCenter Server service. If you do not do it, you will see errors like this.
After all changes and some tweaking we have a fully functional vCenter Server running with MSA accounts.
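The SQL side of that step, as an added example that is not part of the original post: the MSA is just a Windows login whose name ends in $, so it gets a login, a user in each database and a role membership like any other service account. Everything not named on the page is an assumption: the instance SQL01\VCENTER, the vCenter database name VCDB, the db_owner role on VCDB and msdb (what the vCenter installer asked of its database user), SQL Server 2012 or later for the ALTER ROLE syntax, sqlcmd.exe on the PATH, and a caller who is a SQL sysadmin.

```powershell
# Added example (not from the original post). Assumptions: instance
# 'SQL01\VCENTER', vCenter database 'VCDB', role db_owner on VCDB and msdb,
# SQL Server 2012+ (ALTER ROLE), sqlcmd.exe on PATH, run as a SQL sysadmin.

$Instance = 'SQL01\VCENTER'
$VcDb     = 'VCDB'
$Accounts = @('WOJCIEH\vminvservice$', 'WOJCIEH\vmvpxd$')   # names from the post

foreach ($acct in $Accounts) {
    # An MSA is a Windows login whose name ends in '$'; bracket-quote it in T-SQL
    $sql = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$acct')
    CREATE LOGIN [$acct] FROM WINDOWS;
"@
    foreach ($db in @($VcDb, 'msdb')) {
        $sql += @"

USE [$db];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$acct')
    CREATE USER [$acct] FOR LOGIN [$acct];
ALTER ROLE db_owner ADD MEMBER [$acct];
"@
    }
    # Run from a file so the multi-line batch reaches sqlcmd intact.
    # -E: Windows authentication, -b: non-zero exit code on any T-SQL error
    $file = Join-Path $env:TEMP ("msa-" + ($acct -replace '[\\$]', '_') + ".sql")
    Set-Content -Path $file -Value $sql -Encoding UTF8
    sqlcmd.exe -S $Instance -E -b -i $file
    if ($LASTEXITCODE -ne 0) { throw "Login/user setup failed for $acct" }
}

# Verify: expect one row per account in each database, with role db_owner
$check = Join-Path $env:TEMP 'msa-check.sql'
Set-Content -Path $check -Encoding UTF8 -Value @"
SELECT DB_NAME() AS db, u.name AS [user], r.name AS [role]
FROM sys.database_principals u
JOIN sys.database_role_members rm ON rm.member_principal_id = u.principal_id
JOIN sys.database_principals r  ON r.principal_id = rm.role_principal_id
WHERE u.name IN (N'WOJCIEH\vminvservice$', N'WOJCIEH\vmvpxd$');
"@
foreach ($db in @($VcDb, 'msdb')) {
    sqlcmd.exe -S $Instance -E -d $db -i $check
}
```

If the verification query returns no row for one of the databases, the vCenter Server service will fail at startup with a database login error, which is the symptom the post describes.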
Note, however, that vCenter Server 6.0 already runs many of its services under Windows virtual accounts (NT SERVICE\<service name>). Like an MSA, a virtual account has no password for an administrator to manage, but it is local to the machine and accesses network resources using the computer account. The following VMware KB explains this: Use of virtual accounts for services on a Windows vCenter Server 6.0 (2124709). From the KB we see that the following services run as virtual accounts.

| Service Display Name | Virtual account |
|---|---|
| VMware Component Manager | NT SERVICE\VMwareComponentManager |
| VMware Content Library Service | NT SERVICE\vdcs |
| VMware ESX Agent Manager | NT SERVICE\EsxAgentManager |
| VMware Message Bus Config Service | NT SERVICE\mbcs |
| VMware Performance Charts | NT SERVICE\vmware-perfcharts |
| VMware Postgres | NT SERVICE\vPostgres |
| VMware vAPI Endpoint | NT SERVICE\vapiEndpoint |
| VMware vCenter workflow manager | NT SERVICE\vmware-vpx-workflow |
| VMware vService Manager | NT SERVICE\VServiceManager |
| VMware vSphere Auto Deploy Waiter | NT SERVICE\vmware-autodeploy-waiter |
| VMware vSphere Web Client | NT SERVICE\vspherewebclientsvc |
As the vSphere administrator you have to weigh the pros and cons of each approach (virtual accounts out of the box versus domain MSAs) and decide whether to go with MSA accounts or not.
It took me a while to prepare this post, but I am happy that I could prove that MSA accounts work with vCenter Server as well. What is unknown is whether VMware Support will help you if you are using MSA accounts. If you wish, I can check whether Group Managed Service Accounts work with vCenter Server 6.0 as well.