

FAQ: How do I run SQL Server service under a managed service account (MSA)?

Question

I want to run SQL Server service under a managed service account (MSA). How can I do it?

Answer

The managed service account (MSA) is designed to provide applications such as SQL Server or Exchange with:

  • Automatic password management, which can better isolate these services from other services on the computer.
  • Simplified service principal name (SPN) management, which allows service administrators to set SPNs on these accounts. In addition, SPN management can be delegated to other administrators.

However, MSAs are not supported in current SQL Server versions (2005/2008/2008 R2). Although we can configure the SQL Server services to run under an MSA, this scenario is not supported because it is not fully tested.

Additionally, it is recommended that you always use SQL Server Configuration Manager (SSCM) when you change the service account properties for SQL Server. SSCM automatically sets additional permissions in the Windows registry for the service account. For a password change, using SSCM does not require you to restart your SQL Server services.

Comments

  • Anonymous
    July 28, 2012
    Too bad that other SQL Server documentation clearly states that you CAN run SQL Server 2008 R2 under MSAs (msdn.microsoft.com/.../ms143504.aspx, under the section New Account Types Available with Windows 7 and Windows Server 2008 R2). I wish you guys would have coherent documentation that was the same everywhere, as I created MSAs just for this purpose!! What a waste of 3 hours of research and implementation and installation. Thanks for nothing M$.

  • Anonymous
    November 15, 2012
    I'm on SQL 2012. I have an instance running under a "normal" domain account. I have set up the MSAs. How do I switch the services to use them? I presumed I could do it right in the configuration management GUI, but it doesn't seem to be able to "find" the account. I suspect it's because this is not really a user account. But the "object type" popup doesn't have an MSA checkbox... I have used MSAs when installing a new SQL 2012 instance, but can't seem to convert an existing instance to use MSAs... I'm wondering if it needs to be scripted, like most/all other MSA tasks.

  • Anonymous
    November 15, 2012
    Ok, I think I figured it out. Don't use the browse option, it won't find this special type of account. Simply type the name into the Account Name field, leave the password blank, and hit apply. Note however, that when you give it the account name, you have to include the $ at the end of the name. Otherwise it won't work.

  • Anonymous
    December 01, 2014
    We had some trouble setting up an MSA to run an SQL service (Application Server for Microsoft Dynamics NAV Classic) on Server 2008 R2. We used this for setting up the MSA: blogs.technet.com/.../managed-service-accounts-understanding-implementing-best-practices-and-troubleshooting.aspx The solution for our problem was that we had to add the MSA (including $ sign!) in "SQL Server Management Studio" and give appropriate rights. We also had to add the MSA (also including $ sign!) to the application (Navision) and give the MSA the appropriate rights. Hope this helps anyone!
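
The comments above note that an MSA is entered with a trailing `$`. As an added example (not part of the original FAQ or its comments), this PowerShell sketch classifies the logon account of SQL Server services so you can see which ones still depend on a manually managed password; the `CONTOSO` names, the function names and the three category labels are assumptions made for illustration.

```powershell
# Added example: classify the logon account of SQL Server services.
function Get-ServiceAccountKind {
    param([string]$StartName)

    if ([string]::IsNullOrWhiteSpace($StartName)) { return 'Unknown' }

    # Built-in and virtual identities: no password for an admin to rotate.
    if ($StartName -match '^(LocalSystem|NT AUTHORITY\\.+|NT SERVICE\\.+)$') {
        return 'BuiltIn'
    }
    # MSA account names end in "$". Computer accounts do too, so this is
    # only a candidate; confirm the object type in Active Directory.
    if ($StartName.EndsWith('$')) { return 'MsaCandidate' }

    # Ordinary user account: password changes are a manual task.
    return 'RegularAccount'
}

function Get-SqlServiceAccountReport {
    param([Parameter(Mandatory)][object[]]$Service)

    foreach ($svc in $Service) {
        [pscustomobject]@{
            Service   = $svc.Name
            StartName = $svc.StartName
            Kind      = Get-ServiceAccountKind -StartName $svc.StartName
        }
    }
}

# Constructed sample data (domain and account names are made up).
$sample = @(
    [pscustomobject]@{ Name = 'MSSQLSERVER';    StartName = 'CONTOSO\svc-sql01$' }
    [pscustomobject]@{ Name = 'SQLSERVERAGENT'; StartName = 'CONTOSO\sqlagent' }
    [pscustomobject]@{ Name = 'MSSQL$REPORTS';  StartName = 'NT AUTHORITY\NetworkService' }
    [pscustomobject]@{ Name = 'SQLAgent$REPORTS'; StartName = 'LocalSystem' }
)
Get-SqlServiceAccountReport -Service $sample | Format-Table -AutoSize

# On a live SQL Server host, feed the real services instead of the sample
# (Get-CimInstance needs PowerShell 3.0 or later):
# $filter = 'Name = ''MSSQLSERVER'' OR Name LIKE ''MSSQL$%'' ' +
#           'OR Name = ''SQLSERVERAGENT'' OR Name LIKE ''SQLAgent$%'''
# Get-SqlServiceAccountReport -Service (Get-CimInstance Win32_Service -Filter $filter)
```

The script only reads service configuration; changing the account is still done in SQL Server Configuration Manager, as the answer recommends.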