
Considerations when using a domain-based service account with AD LDS

By Tony Murray on Monday, April 13, 2009 9:39 PM

When creating an AD LDS instance you are prompted to specify an account to use as the service account. At this point you can specify either the Network Service account or another account. Unless you have a particular need, you should choose the built-in Network Service account. If you opt for a domain-based service account you have to jump through a whole lot of hoops to get things working, and you typically end up giving the domain-based service account more permissions than are strictly necessary (as described later in this article). The Network Service account, on the other hand, is easy to set up and is a good choice from a security perspective, since the account has only limited access to the local computer.

So why bother to use a domain-based service account at all? Well, if you have a number of services on your server all running under the context of the Network Service account, they all share a single identity: a compromise of any one of them gives an attacker whatever the others can reach. In this scenario you may want to consider isolating the services from each other using dedicated service accounts.
 
What follows is a discussion of the steps required to configure AD LDS to use a domain-based service account.

 1.      Create a user account in AD.

 
The account doesn't require any specific group memberships. As a service account, you may want to give some thought to the "Password Never Expires" setting, as well as password complexity. Bear in mind that the instance's SPNs end up on this user object (see step 3), so any authenticated domain user can request a service ticket encrypted with the account's password and guess at it offline; a long, random password matters more here than complexity rules.
 
2.      Permission to create serviceConnectionPoint objects.
 
The account you have created requires the ability to create Service Connection Point objects in AD. These objects are typically created automatically as child objects of the AD LDS computer object when the service is started. 
 
The simplest method is to set the permission using DSACLS. You could alternatively use the security editor from within dsa.msc or adsiedit.msc, but you would first need to edit the %systemroot%\system32\dssec.dat file to expose the serviceConnectionPoint object. Here's the syntax using DSACLS:
 
C:\>dsacls <DN_of_ADLDS_server> /G <Domain\User>:CC;"serviceConnectionPoint"
 
e.g.
 
C:\>dsacls "CN=ADLDS1,OU=Servers,DC=Widget,DC=com" /G MyDom\ADLDS_SVC:CC;"serviceConnectionPoint"
 
The setting should appear similar to that shown in the screenshot below.
 
 
 
 
3.      Permission to write servicePrincipalName values.
 
Your service account also needs permission to register its Service Principal Names (SPNs). SPNs are not separate objects; they are values of the servicePrincipalName attribute, and they are written automatically onto the service account object itself in AD when the service is first started. Note that this is different from the behaviour when running the service under the Network Service account: in that case the SPNs are written to the AD LDS server's computer object.
 
To set the permissions, grant the SELF account Read Property and Write Property on servicePrincipalName, applied to "This object only" on the service account object. Here's an example using DSACLS.
 
C:\>dsacls <DN_of_Service_Account> /G SELF:RPWP;"servicePrincipalName"
 
e.g.
 
C:\>dsacls "CN=ADLDS_SVC,OU=Service Account,DC=Widget,DC=com" /G SELF:RPWP;"servicePrincipalName"
 
The screenshot below shows how the permissions should appear.
 
  
4.      Grant "Log on as a service" user rights
 
The service account requires the "Log on as a service" user right on the server running the AD LDS instance. You don't normally have to assign this right in advance, because the setup wizard prompts you and grants it when you specify the account while creating the instance.
 
If you have to set this right manually, use the Group Policy Editor to edit the local policy, or alternatively use the GPMC to edit an appropriate domain policy. The location of the setting is:
 
Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment.
 
The screenshot below shows the setting.
 
 
 
 
5.      Membership of the local Administrators group.
 
At the time of writing, the AD LDS product documentation indicates that the service account is not required to be a member of the local Administrators group on the server running the AD LDS instance. However, my experience is that without this membership, the following error is generated in the event log for the instance each time the service is restarted.
 
Log Name:      ADAM (instance1)
Source:        ADAM [instance1] General
Date:          6/04/2009 11:22:08 a.m.
Event ID:      1168
Task Category: Internal Processing
Level:         Error
Keywords:      Classic
User:          ANONYMOUS LOGON
Computer:      ADLDS1.widget.com
Description:
Internal error: An Active Directory Lightweight Directory Services error has occurred.
 
Additional Data
Error value (decimal):
-1073741790
Error value (hex):
c0000022
Internal ID:
3000715
 
The hex error value c0000022 is the NTSTATUS code STATUS_ACCESS_DENIED, which is consistent with the service being refused something on the local machine that members of Administrators are allowed to do. The fact that the service account requires membership of the local Administrators group makes the choice to use Network Service even more compelling: Network Service has a lower level of privilege on the local machine than a member of the Administrators group, so the damage a compromised AD LDS service could do to its host is correspondingly smaller.
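The following PowerShell script is an added example, not part of the original article, that automates steps 1 to 3 above and then checks the result. It assumes the ActiveDirectory module (RSAT) is available, that it runs as a user allowed to modify the objects involved, and it reuses the placeholder names from the article's examples (MyDom, ADLDS_SVC, ADLDS1, the OUs under DC=Widget,DC=com and the instance name "instance1"); adjust them for your environment. Step 4 is left to the setup wizard and step 5 to local group management, as described above.

```powershell
# Added example: automate the AD permissions for a domain-based AD LDS service account.
# All names below are placeholders taken from the article's examples, not real values.
Import-Module ActiveDirectory

$domainNetbios = 'MyDom'
$svcName       = 'ADLDS_SVC'
$svcOu         = 'OU=Service Account,DC=Widget,DC=com'
$serverDn      = 'CN=ADLDS1,OU=Servers,DC=Widget,DC=com'
$instanceName  = 'instance1'

# Step 1: create the account. No group memberships are needed. Use a long random
# password: once SPNs are registered on this account (step 3), any domain user can
# request a service ticket for it and attack the password offline.
$password = Read-Host -AsSecureString -Prompt "Password for $svcName"
New-ADUser -Name $svcName -SamAccountName $svcName -Path $svcOu `
    -AccountPassword $password -Enabled $true -PasswordNeverExpires $true `
    -Description 'AD LDS service account'
$svcDn = (Get-ADUser -Identity $svcName).DistinguishedName

# Step 2: allow the account to create serviceConnectionPoint children under the
# AD LDS server's computer object (CC = Create Child, limited to that object class).
dsacls $serverDn /G "$domainNetbios\${svcName}:CC;serviceConnectionPoint"

# Step 3: allow the account to write its own servicePrincipalName attribute
# (RP = Read Property, WP = Write Property; dsacls applies this to the object itself).
dsacls $svcDn /G 'SELF:RPWP;servicePrincipalName'

# Check: both ACEs should now show up in the DACL dumps.
dsacls $serverDn | Select-String -Pattern 'serviceConnectionPoint'
dsacls $svcDn    | Select-String -Pattern 'servicePrincipalName'

# After the instance has been created and started under this account, the SPNs
# should be on the user object (with Network Service they would be on the computer object):
Get-ADUser -Identity $svcName -Properties servicePrincipalName |
    Select-Object -ExpandProperty servicePrincipalName

# ...and the SCP should exist as a child of the computer object:
Get-ADObject -SearchBase $serverDn -SearchScope OneLevel `
    -LDAPFilter '(objectClass=serviceConnectionPoint)'

# Run on the AD LDS host: if the account is not a local administrator, the error from
# step 5 (event 1168, NTSTATUS 0xC0000022 = STATUS_ACCESS_DENIED) appears here.
Get-WinEvent -FilterHashtable @{ LogName = "ADAM ($instanceName)"; Id = 1168 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Format-List TimeCreated, Id, Message
```

The two dsacls calls are the same commands shown in steps 2 and 3; the script only wraps them so that the distinguished names are not retyped, and the Select-String checks give you a quick way to confirm the ACEs landed on the right objects before you start the instance.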
 
Conclusion
 
As you can see, using domain-based service accounts for your AD LDS instances requires a fair amount of extra work during setup. I recommend that you use Network Service unless your circumstances require you to use a domain account.
 
Comments

By Jef K @ Thursday, May 07, 2009 4:31 AM

If you are going to load balance AD LDS instances, be sure to use a domain service account, and set up SPNs properly to have Kerberos work correctly for a SASL GSS-API bind.

Repeat the SCP instructions for each server in the replica set, though.


By Domain services @ Tuesday, February 02, 2010 7:52 AM

Thank you for making life easy for many, really appreciate it. You have been more than helpful.
Chris


By ismet dumlupinar @ Saturday, April 24, 2010 8:53 PM

We are also using the Network Service account to interact with an intranet portal through IIS. Students are having trouble understanding the structure of AD LDS.


By dotnetnuke&godaddy @ Saturday, April 24, 2010 8:55 PM

Using the NS account for multiple services would affect the overall performance too.


By John @ Friday, August 06, 2010 6:17 AM

Thank you for the article. I wasn't aware of some of those considerations.

Copyright 2009 ActiveDir.org