AD LDS - to use Network Service or MSA

  • Last Post 29 August 2016
BrianB posted this 29 August 2016

All:   Is there any benefit or security enhancement to using an MSA for the AD LDS instance(s) over the Network Service or a dedicated resource account?

1.      Network Service presents the machine's creds, which change every ~month. Configurable. Minimal privileges on the system as opposed to .\localservice.

2.      MSA creds change regularly. Configurable.

3.      Resource account can change but requires manual intervention. Account can be disabled if needed.

I have not delved into the world of MSAs for the fact that you need a different one for each system, which becomes a large chore in my environment. As opposed to gMSAs, but even those require the application to be compatible with them. Some Microsoft services are not compatible yet – however, AD LDS is compatible with MSAs.   So I am asking if there is any benefit to use an MSA as opposed to Network Service.

Brian Britt

joe posted this 29 August 2016

I would tend to think Network Service would be fine for this unless you had some Kerberos auth issue that made it such that you needed to access some type of load-balanced LDAP DNS name with a manually configured SPN. I've never needed to do that for LDS (or even seen that work), although perhaps some people have.
I guess I'd start with Network Service and look at a gMSA later if needed. I'd avoid the fixed user/service account if possible and try to make the gMSA work if some type of fixed ID is needed across instances.
Joe K.
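As an added example (not code from either poster), the script below shows how the gMSA option discussed above would be provisioned and wired to an AD LDS instance with PowerShell: create the gMSA, restrict password retrieval to the AD LDS host, install it on that host, re-point the instance service from Network Service to the gMSA, and verify. The host name LDS01, the gMSA name svc-adlds and the instance name AppDir (service name ADAM_AppDir) are assumed, hypothetical values; the script derives the domain from Get-ADDomain.

```powershell
# Added example, not from the thread. Assumed names: host LDS01, gMSA svc-adlds,
# AD LDS instance "AppDir" (its service is named ADAM_AppDir).
# Run on the domain-joined AD LDS host with the ActiveDirectory module (RSAT) installed,
# as an account allowed to create objects in the Managed Service Accounts container.

#Requires -Modules ActiveDirectory
[CmdletBinding()]
param(
    [string]$AccountName  = 'svc-adlds',   # assumed gMSA name
    [string]$HostName     = 'LDS01',       # assumed AD LDS host (computer account)
    [string]$InstanceName = 'AppDir',      # assumed AD LDS instance name
    [int]   $RotationDays = 30             # managed password rotation interval
)

$domain      = Get-ADDomain
$dnsHostName = "$AccountName.$($domain.DNSRoot)"
$serviceName = "ADAM_$InstanceName"
$logonName   = "$($domain.NetBIOSName)\$AccountName`$"   # gMSAs log on as NETBIOS\name$

# 1. A KDS root key must exist before any gMSA can be created. Create one only if missing.
#    -EffectiveImmediately is acceptable in a lab; in production omit it and wait
#    about 10 hours for replication before creating the account.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately | Out-Null
}

# 2. Create the gMSA. Only the listed principals may retrieve the managed password,
#    so restrict retrieval to the AD LDS host(s) rather than a broad group.
$hostAccount = Get-ADComputer -Identity $HostName
if (-not (Get-ADServiceAccount -Filter "Name -eq '$AccountName'")) {
    New-ADServiceAccount -Name $AccountName `
        -DNSHostName $dnsHostName `
        -PrincipalsAllowedToRetrieveManagedPassword $hostAccount `
        -ManagedPasswordIntervalInDays $RotationDays `
        -Enabled $true
}

# 3. On the AD LDS host: install the account locally and prove the host can fetch its password.
Install-ADServiceAccount -Identity $AccountName
if (-not (Test-ADServiceAccount -Identity $AccountName)) {
    throw "Host $env:COMPUTERNAME cannot retrieve the managed password for $AccountName"
}

# 4. Re-point the instance service at the gMSA. The password is left blank because the
#    service control manager retrieves it from AD; configuring the service this way also
#    grants the account 'Log on as a service' on this host.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$serviceName'"
if (-not $svc) { throw "AD LDS instance service $serviceName not found" }
$result = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
    StartName     = $logonName
    StartPassword = ''
}
if ($result.ReturnValue -ne 0) {
    throw "Service reconfiguration failed (Win32_Service.Change returned $($result.ReturnValue))"
}

Restart-Service -Name $serviceName

# 5. Verify: the service now runs as the gMSA, and show the rotation settings AD enforces.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$serviceName'"
"{0} runs as {1} (state: {2})" -f $svc.Name, $svc.StartName, $svc.State
Get-ADServiceAccount -Identity $AccountName -Properties PasswordLastSet, msDS-ManagedPasswordInterval |
    Select-Object Name, PasswordLastSet, msDS-ManagedPasswordInterval
```

Step 2 is the part that addresses Brian's "one MSA per system" chore: a single gMSA can be installed on several AD LDS hosts by passing a group of computer accounts to -PrincipalsAllowedToRetrieveManagedPassword, and the password still rotates automatically on the interval set in -ManagedPasswordIntervalInDays. If the instance must be reachable through a load-balanced name, as in Joe's SPN scenario, the SPN would be registered on this gMSA object rather than on an individual host, which is the one case where Network Service cannot do the job.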