ADAM - Domain Service Account vs. Network Service account, or rely on the Network Service?

The scenario is that I will be installing ADAM as a corporate LDAP publishing point for a large corporate organisation and it will be replicated between data centres. It will have a certificate installed and applications accessing it. I have done exactly this for a different client 6 months ago and used a specific service account and everything is running OK. However, it was a real pain in the neck getting the permissions correct to be able to update the SPNs in the directory (we used Kerberos replication mode) and a few other permission and configuration related items. The Network Service seems to have all the rights it needs, and replication in an AD environment is fully supported from what I see.

Are there any issues with registering the SSL certificate in the Network Service's cert store? Does anyone have any other suggestions / pointers on this topic?

thanks,
Craig Gilmour

Hi,

in a W2K or W2K3 domain/forest Network Service is a good choice; there's a table that covers the options in the ADAM help file under "Selecting an ADAM service account".

For SSL connectivity the best place for the cert is in the ADAM instance certificate store; some notes are here:

http://groups.google.co.uk/group/microsoft.public.windows.server.active_directory/msg/6a89876d200518cf?hl=en

Lee Flight

Lee,

Thanks for your response. I had read through the help files regarding the different options. However, these options didn't really state when the Network Service should be used over the domain account or vice versa. Any thoughts as to when you absolutely have to have a domain account?

My comment about the SSL certs was just a thought as to why it could be an issue - I may be way wrong here. I remember registering the cert for the service account and thought this may have been more difficult if it was the Network Service - sounds like I am wrong.

thanks,
Craig Gilmour

Hi,

the only case I know of that "demands" a domain account is if you are installing ADAM on a domain controller. I cannot think of any other domain/forest scenarios where Network Service does not cut it; that does not mean there are none :), maybe others will chip in here...

On adding the cert it's just a case of loading the Certificates MMC for the ADAM instance and then setting the permission for Network Service in the keys folder. One wrinkle that I am aware of is that if running on Windows XP you cannot add permissions for the Network Service account to the key file through the file system security GUI; my notes say use:

    cacls keyfilename /E /G "NT AUTHORITY\NetworkService":R

Lee Flight

The only reason I can think of to use a different service account than NETWORK SERVICE on a domain-joined box would be that there is an important need to delegate permissions to the service account differently or you need to set up SPNs in a specific way. For example, if you need multiple instances of an ADAM instance using the same DNS name behind NLB and you want them all to use the same SPN, you would want to use a specific service account so it can get the SPN for the DNS name. I'm reaching here.

Maybe Dmitri or Eric has some ideas here.

Joe K.

Joe and Lee,

Thanks both of you for your responses. I think I will go with the Network Service, even though I've used the domain account in the past. It is simpler. I can always change things in the future if I need to.

Regarding the NLB comment - you could be right. However, I am yet to come across a third party application that uses SPNs to find an ADAM box. Most just want a host name. The SPN seems primarily to be used for replication.

regards,
Craig Gilmour

I was thinking of creating SPNs more for Kerberos LDAP binds than for service location. In some cases you might not want to fail over to NTLM. For example, you might have a delegation scenario from a middle tier web app to ADAM in the backend. However, that doesn't apply to everyone. Additionally, SPNs can be set on the machine account if needed. The domain account would really come into play with NLB.

Joe K.

The advantage of using NetworkService is that all permissions are good by default (on the local machine and in AD). The disadvantage is that you are sharing the service account with many other services on the box that are running as NS. If one of them is hacked, then all of them are pretty much affected.

--
Dmitri Gavrilov
SDE, DS Admin eXperience
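Lee's tip about granting Network Service read access on the certificate's key file, done the way it would be done on a current Windows Server. This is an added example and not code from the thread or from Microsoft; it assumes PowerShell 5.1 with .NET Framework 4.6 or later, that the certificate was imported as a machine key (the thumbprint below is a placeholder), and that it sits in LocalMachine\My. Lee recommends the ADAM instance's own store; the key-file ACL step is the same as long as the private key is a machine key. The well-known SID S-1-5-20 is used instead of an account name so the script does not depend on the "NetworkService" / "NETWORK SERVICE" spelling or on the display language of the box.

```powershell
# Added example (not from the thread): grant NT AUTHORITY\NETWORK SERVICE read
# access to the private-key file behind an SSL certificate, the current-day
# equivalent of  cacls keyfilename /E /G "NT AUTHORITY\NetworkService":R
# Assumptions: PowerShell 5.1, .NET Framework 4.6+, certificate in
# LocalMachine\My imported as a machine key. Placeholder thumbprint below.
$Thumbprint = 'PUT-THE-CERT-THUMBPRINT-HERE'

# Well-known SID for NETWORK SERVICE; avoids account-name spelling/localization issues.
$NetworkServiceSid = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-20')

function Get-PrivateKeyFilePath {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)

    if (-not $Certificate.HasPrivateKey) {
        throw "Certificate $($Certificate.Thumbprint) has no private key on this machine."
    }

    # Legacy CAPI (CSP) keys: the file lives under ...\Crypto\RSA\MachineKeys
    $capiKey = $Certificate.PrivateKey
    if ($capiKey -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $name = $capiKey.CspKeyContainerInfo.UniqueKeyContainerName
        return Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$name"
    }

    # CNG (KSP) keys: PrivateKey is null, go through the RSA extension API;
    # the file lives under ...\Crypto\Keys
    $cngKey = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
    if ($cngKey -is [System.Security.Cryptography.RSACng]) {
        $name = $cngKey.Key.UniqueName
        return Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$name"
    }

    throw "Unsupported key storage provider for certificate $($Certificate.Thumbprint)."
}

function Grant-KeyFileRead {
    param(
        [Parameter(Mandatory)][string]$KeyFilePath,
        [Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$Sid
    )

    if (-not (Test-Path -LiteralPath $KeyFilePath)) {
        throw "Key file not found: $KeyFilePath"
    }

    $acl = Get-Acl -LiteralPath $KeyFilePath

    # Read only: the service must load the key, never rewrite or delete it.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Sid,
        [System.Security.AccessControl.FileSystemRights]::Read,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $KeyFilePath -AclObject $acl
}

function Test-KeyFileRead {
    param(
        [Parameter(Mandatory)][string]$KeyFilePath,
        [Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$Sid
    )

    # Returns the matching Allow/Read ACE(s), or nothing if the SID has no read access.
    (Get-Acl -LiteralPath $KeyFilePath).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $Sid -and
        ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Read) -eq
            [System.Security.AccessControl.FileSystemRights]::Read
    }
}

$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object Thumbprint -eq $Thumbprint
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My." }

$keyFile = Get-PrivateKeyFilePath -Certificate $cert
Grant-KeyFileRead -KeyFilePath $keyFile -Sid $NetworkServiceSid

if (Test-KeyFileRead -KeyFilePath $keyFile -Sid $NetworkServiceSid) {
    Write-Output "NETWORK SERVICE can read $keyFile"
} else {
    throw "ACL update did not take effect on $keyFile"
}
```

Run it elevated. Keep the grant to Read: the service only needs to load the key. Note that a certificate renewed with a new key lands in a new key file with the default ACL, so this has to be repeated after each such renewal or the LDAPS listener will stop coming up.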
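Joe's reason for wanting a domain account behind NLB is the SPN: every node has to answer to the same Kerberos principal for the shared DNS name, which one per-machine NETWORK SERVICE identity cannot do. The following is an added example, not code from the thread; it registers the SPN on the service account with setspn.exe (the -S switch needs Windows Server 2008 or later) and then attempts a Kerberos-only LDAPS bind, which fails instead of silently falling back to NTLM when the SPN is missing or duplicated. The host name, port, service account and base DN are placeholders.

```powershell
# Added example (not from the thread): SPN registration for ADAM behind an NLB
# name, plus a Kerberos-only bind check. Placeholder values:
$LdapHost       = 'adam.corp.example.com'   # the load-balanced DNS name clients use
$LdapPort       = 636                       # LDAPS port of the ADAM instances
$ServiceAccount = 'CORP\svc-adam'           # domain account every node runs as
$BaseDn         = 'DC=apps,DC=corp,DC=example,DC=com'

# Register the SPN forms clients will request. setspn -S checks the forest for
# a duplicate first; a duplicate SPN breaks Kerberos for the name outright.
& setspn.exe -S "ldap/${LdapHost}:$LdapPort" $ServiceAccount
& setspn.exe -S "ldap/$LdapHost" $ServiceAccount
& setspn.exe -L $ServiceAccount

function Test-KerberosLdapBind {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][int]$Port,
        [Parameter(Mandatory)][string]$BaseDn
    )
    Add-Type -AssemblyName System.DirectoryServices.Protocols

    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port, $false, $false)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.SessionOptions.SecureSocketLayer = $true   # server cert is validated by default; leave it that way

    # Kerberos only: Negotiate would quietly fall back to NTLM when the SPN is
    # wrong, which hides exactly the misconfiguration this check is for.
    $conn.AuthType = [System.Security.Cryptography.X509Certificates.X509Certificate2] -as [type] | Out-Null
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Kerberos

    try {
        $conn.Bind()    # throws LdapException / DirectoryOperationException on failure
        $req  = New-Object System.DirectoryServices.Protocols.SearchRequest(
            $BaseDn, '(objectClass=*)',
            [System.DirectoryServices.Protocols.SearchScope]::Base,
            [string[]]@('distinguishedName'))
        $resp = $conn.SendRequest($req)
        return ($resp.Entries.Count -eq 1)
    }
    finally {
        $conn.Dispose()
    }
}

if (Test-KerberosLdapBind -Server $LdapHost -Port $LdapPort -BaseDn $BaseDn) {
    Write-Output "Kerberos LDAPS bind to $LdapHost`:$LdapPort succeeded"
} else {
    throw "Bound, but base search of $BaseDn returned no entry"
}
```

Run the check from a domain-joined client as a domain user so a ticket for ldap/adam.corp.example.com can actually be requested; the bind throwing rather than returning is the signal you want, since it means the client could not get a Kerberos ticket for that name and would have gone to NTLM under Negotiate.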