Introduction:

Automation is one of the most important things to push at your employer these days, especially if you work in IT. It frees up resources that are always limited and removes boring, repetitive tasks. Of course, some security aspects must also be taken into account, and automation only makes sense if it is done properly.
In a Windows environment, MSAs (Managed Service Accounts) should therefore always be used for this purpose, because insecure password handling is then ruled out completely: the password is managed by Active Directory and never has to be typed, stored or rotated by an administrator.

In this tutorial you truly start from scratch. This means that you do not have an MSA in use in your company yet. You will learn which prerequisites have to be fulfilled and how to prepare your environment for the use of an MSA. Afterwards, you will learn how to create and manage an MSA using different approaches.

Prerequisites

  • Active Directory Forest Functional Level - Windows Server 2008 R2 (needed for automatic passwords and SPN management)
  • Host services using MSAs on Windows Server 2008 R2 and Windows 7 computers (MSAs cannot be installed on down-level operating systems)
  • PowerShell, the AD PowerShell module (part of the RSAT), and the .NET Framework 3.5.x enabled on any computer using or configuring MSAs

Setup

  1. Preparation of the environment (KDS Root Key)
  2. You create the MSA in AD.
  3. You associate the MSA with a computer in AD.
  4. You install the MSA on the computer that was associated.
  5. You configure the service(s) to use the MSA.

1. KDS Root Key

The first step is to create a KDS root key. The root key has to be created once per forest and is used by the Key Distribution Service on the domain controllers.

Below you will find the PowerShell commands that need to be executed against one of the domain controllers.

# Create a KDS Root Key. Despite the parameter name, the key only becomes usable after a delay (12h) so that replication to all domain controllers can complete first.
Add-KdsRootKey -EffectiveImmediately

# Create a KDS Root Key that is usable right away by backdating its effective time (only for (test) environments with a single DC, where there is nothing to replicate)
Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))

Required security settings

Since Managed Service Accounts (MSAs) only work with the Kerberos encryption types AES128 and stronger, the supported encryption types must be configured explicitly; legacy DES and RC4 must be disabled.

The allowed encryption types are configured via the following GPO setting:

Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options > Network Security: Configure encryption types allowed for Kerberos.

All values must be set to "Disabled" except for the following:

  • AES128_HMAC_SHA1
  • AES256_HMAC_SHA1
  • Future encryption types
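The GPO setting above is stored as a bitmask in the registry, so it can be audited from PowerShell instead of opening the policy editor on every host. The script below is an added example and is not part of the original tutorial; it reads the policy value on the local machine, decodes each flag (the bit values are Microsoft's documented SupportedEncryptionTypes flags) and warns if DES or RC4 are still enabled or if the value differs from the setting the tutorial requires. The registry path is the one the policy writes to; everything else is constructed for this example.

```powershell
# Added example (not from the original tutorial): audit the Kerberos encryption types
# allowed on the local machine. The GPO above writes a bitmask to this registry value;
# the flag values are the documented SupportedEncryptionTypes bits.
$regPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$valueName = 'SupportedEncryptionTypes'

# Bit per encryption type; DES and RC4 are the legacy types the tutorial says to disable.
$encTypes = [ordered]@{
    DES_CBC_CRC      = 0x1
    DES_CBC_MD5      = 0x2
    RC4_HMAC_MD5     = 0x4
    AES128_HMAC_SHA1 = 0x8
    AES256_HMAC_SHA1 = 0x10
    Future           = 0x7FFFFFE0
}
$legacyMask  = $encTypes.DES_CBC_CRC -bor $encTypes.DES_CBC_MD5 -bor $encTypes.RC4_HMAC_MD5
# The only types the tutorial allows: AES128, AES256 and "Future encryption types" (0x7FFFFFF8)
$allowedMask = $encTypes.AES128_HMAC_SHA1 -bor $encTypes.AES256_HMAC_SHA1 -bor $encTypes.Future

function Get-KerberosEncTypeReport {
    param([int]$Mask)
    foreach ($name in $encTypes.Keys) {
        [pscustomobject]@{
            EncryptionType = $name
            Enabled        = (($Mask -band $encTypes[$name]) -ne 0)
        }
    }
}

$item = Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue
if ($null -eq $item) {
    Write-Warning 'Policy value not set: the OS defaults apply, which may still allow RC4. Apply the GPO first.'
    return
}

$current = [int]$item.$valueName
Get-KerberosEncTypeReport -Mask $current | Format-Table -AutoSize

if (($current -band $legacyMask) -ne 0) {
    Write-Warning ('Legacy DES/RC4 types are still enabled (0x{0:X8}); expected 0x{1:X8}.' -f $current, $allowedMask)
} elseif ($current -ne $allowedMask) {
    Write-Warning ('Value 0x{0:X8} differs from the expected 0x{1:X8} (e.g. an AES type is missing).' -f $current, $allowedMask)
} else {
    'Kerberos encryption types match the required setting (AES128, AES256, Future).'
}
```

Run it on a domain-joined host after a `gpupdate /force`; a missing value means the policy never reached the machine, which is a different problem from a wrong value.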

2. Creating an MSA

# Start PowerShell and import the AD module
Import-Module ActiveDirectory
# Create a standalone MSA. Replace the name with your own unique MSA account name.
# -RestrictToSingleComputer is required with the Windows Server 2012+ AD module: without it
# New-ADServiceAccount creates a group MSA (gMSA) and insists on -DNSHostName instead.
$msaName = 'svc-example'   # placeholder for the new MSA name
New-ADServiceAccount -Name $msaName -Enabled $true -RestrictToSingleComputer
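Steps 3 to 5 of the setup list (associate, install, configure the service) are not shown above, so the following script carries the procedure through with a check after each step. It is an added example and not code from the original tutorial. It assumes the AD PowerShell module on the admin workstation, WinRM access to the target host, and that the MSA from step 2 already exists; the MSA, computer and service names are placeholders, and the service change goes through the Win32_Service.Change CIM method rather than the Services MMC.

```powershell
# Added example (not from the original tutorial): steps 3 to 5 of the setup list, each
# followed by a check. All names are placeholders; WinRM to the target host is assumed.
Import-Module ActiveDirectory

$msaName     = 'svc-backup'       # placeholder: the MSA created in step 2
$computer    = 'APP01'            # placeholder: the host that will run the service
$serviceName = 'MyBackupService'  # placeholder: the Windows service to switch to the MSA
$logonName   = '{0}\{1}$' -f (Get-ADDomain).NetBIOSName, $msaName   # MSAs log on as DOMAIN\name$

# Preflight for step 1: an effective KDS root key must exist, otherwise password retrieval fails
$effectiveKey = Get-KdsRootKey | Where-Object { $_.EffectiveTime -le (Get-Date) }
if (-not $effectiveKey) {
    throw 'No effective KDS root key yet: finish step 1 (Add-KdsRootKey) and wait for replication.'
}

# Step 3: bind the MSA to exactly one computer account (a standalone MSA only ever serves one host)
Add-ADComputerServiceAccount -Identity $computer -ServiceAccount $msaName

# Check: the computer object now lists the MSA's DN in its ServiceAccount attribute
$msaDn = (Get-ADServiceAccount -Identity $msaName).DistinguishedName
$bound = (Get-ADComputer -Identity $computer -Properties ServiceAccount).ServiceAccount
if ($bound -notcontains $msaDn) { throw "MSA $msaName is not associated with $computer" }

# Step 4: install the MSA on the target host so that the host can fetch the managed password.
# Must run on that host with local admin rights and the AD PowerShell module present.
$installed = Invoke-Command -ComputerName $computer -ArgumentList $msaName -ScriptBlock {
    param($name)
    Import-Module ActiveDirectory
    Install-ADServiceAccount -Identity $name
    Test-ADServiceAccount -Identity $name   # $true only if this host can retrieve the password
}
if (-not $installed) { throw "Test-ADServiceAccount failed for $msaName on $computer" }

# Step 5: run the service as the MSA. The password is deliberately empty: the Service Control
# Manager fetches it from AD itself, which is the point of using an MSA. Unlike the Services MMC,
# a programmatic change may not grant the "Log on as a service" right, so check that separately.
$result = Invoke-Command -ComputerName $computer -ArgumentList $serviceName, $logonName -ScriptBlock {
    param($svc, $account)
    $service = Get-CimInstance -ClassName Win32_Service -Filter "Name='$svc'"
    if (-not $service) { throw "Service $svc not found" }
    $rc = Invoke-CimMethod -InputObject $service -MethodName Change -Arguments @{ StartName = $account; StartPassword = '' }
    if ($rc.ReturnValue -ne 0) { throw "Win32_Service.Change failed with return code $($rc.ReturnValue)" }
    Restart-Service -Name $svc
    (Get-CimInstance -ClassName Win32_Service -Filter "Name='$svc'").StartName
}
"Service $serviceName on $computer now runs as $result"
```

The `Test-ADServiceAccount` check is the one worth keeping in any automation: it is the only step that proves the host can actually obtain the password, and a `$false` there explains most "service fails to start" cases after a migration to an MSA.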

Sources:

  • Managed Service Accounts: Understanding, Implementing, Best Practices, and Troubleshooting (first published on TechNet on Sep 10, 2009). Group Managed Service Accounts have superseded MSAs, which were introduced with Windows 7 and Windows Server 2008 R2 (both no longer supported); see this updated link for more current information: https://docs.microsoft.com/en-us/windows-server/security/group-managed-se...
  • Cjwdev | Managed Service Accounts GUI: a free, user-friendly GUI tool for creating, editing, and installing Managed Service Accounts
  • Group Managed Service Accounts