MSA accounts used with SQL


Here’s a note from Anne Labbe, a premier field engineer in Charlotte who’s been looking into managed service accounts.

After painstaking research and tracking this down to the product team this is what I found:

1. Managed Service Accounts (MSA) are different from Group Managed Service Accounts (gMSA).  The reason I’m calling this out is because a number of the references floated around are for gMSA and not MSA.  

2. gMSA are not yet available, are not yet supported for SQL Server.  gMSA exist and are available and supported in Windows Server 2012 and higher.  SQL does not support them, but from an OS perspective, they exist and are supported.

3. MSA are supported from Windows 2008 on for specific applications and for specific purposes.

4. MSA are supported from SQL 2012 on for use running SQL service accounts (all SQL Services) where they are confined to a SINGLE machine.  This means that this account can NOT be used across multiple machines.

The confusion came (for me at least) because the installation code was changed to check for the use of MSA. Since the code was not in the setup for SQL 2008, I was able to install an instance using a MSA. The product team has reiterated that although I could do this it is NOT supported and has NOT BEEN TESTED.

– Anne

Comments (6)

  1. ranta says:

    "Service Accounts Step-by-Step Guide" <technet.microsoft.com/…/dd548356.aspx> mentions two types of accounts: managed service accounts and virtual accounts.  Managed service accounts are created with PowerShell cmdlets in Active Directory.  Virtual accounts are not explicitly created; you just type "NT SERVICE\ServiceName" as the account name.

    How do these two types of accounts correspond to the Managed Service Accounts (MSA) and Group Managed Service Accounts (gMSA) to which you refer?

  2. Anne Labbe says:

    Managed Service accounts are domain accounts managed by the domain controller.  They are for a single service.  Virtual accounts are managed local accounts.  Virtual accounts are 'auto managed' by the local computer and use the local computer account when accessing network resources.  Because managed service accounts are limited to a single service, it is my impression that they are (slightly) more secure than running the same service as a virtual account.

    Anyone, please correct me if I have this wrong.

    gMSA are not yet supported for use with SQL Server.

  3. Trix says:

    ranta – take two seconds to google "Group Managed Service accounts". You'll see it is the equivalent of an MSA which can run over multiple systems.

  4. Enrico S. says:

    I can't believe what I'm reading here…

    To clarify that…

    I'm using gMSA since they were introduced for Server 2012 especially and only for SQL 2012.

    And it works very well…

    blogs.technet.com/…/windows-server-2012-group-managed-service-accounts.aspx – in the meantime the SQL entry is corrected but since yet I never heard or read someone mentioning that SQL Server isn't supported.

    So what about SQL 2014? And more interesting… why is SQL 2012 not supported? Are there any issues I should know?

    E.S.

  5. Anne Labbe says:

    Below is the link to an article that compares virtual accounts and managed service accounts:

    social.technet.microsoft.com/…/391.managed-service-accounts-msas-versus-virtual-accounts-in-windows-server-2008-r2.aspx

    It is for SQL 2008 R2 but should apply to SQL 2012 as well.  The short answer is that MSA (managed service accounts) are domain centered and handle some of the active directory settings for you (SPN).  Virtual accounts are local.  gMSA are managed service accounts for groups of servers such as a SQL cluster or a SharePoint farm.
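The whole thread turns on telling a standalone MSA (one account, one machine) apart from a gMSA (one account, several machines). The PowerShell below is an added example, not code from the post or from Microsoft's documentation: it creates each kind of account the way the ActiveDirectory module does it, and ends with a check that reads the account's object class back from AD so you can confirm which kind you are about to hand to SQL Setup. The domain `corp.example`, the hosts `SQLHOST01`/`SQLHOST02` and the account names `sqlsvc01`/`sqlfarm01` are assumed placeholders.

```powershell
# Added example (not from the original post): create a standalone MSA for one
# SQL Server host, create a gMSA for contrast, and verify which kind each is.
# Assumed names: domain corp.example, hosts SQLHOST01/SQLHOST02, accounts
# sqlsvc01 (MSA) and sqlfarm01 (gMSA). Needs the RSAT ActiveDirectory module
# and rights to create service accounts in the domain.
Import-Module ActiveDirectory

# --- Standalone MSA: bound to exactly one computer, as the note above states ---
# -RestrictToSingleComputer creates an msDS-ManagedServiceAccount object, not a gMSA.
New-ADServiceAccount -Name 'sqlsvc01' -RestrictToSingleComputer -Enabled $true

# Link the MSA to the single host allowed to use it. This link is the
# "SINGLE machine" constraint from the note: a second host cannot be added.
Add-ADComputerServiceAccount -Identity 'SQLHOST01' -ServiceAccount 'sqlsvc01'

# Run on SQLHOST01 itself: install the account so the local LSA can fetch its
# password, then confirm the host can use it before pointing SQL Setup at it.
Install-ADServiceAccount -Identity 'sqlsvc01'
Test-ADServiceAccount -Identity 'sqlsvc01'   # True on SQLHOST01, False elsewhere

# --- gMSA, for contrast: one account retrievable by several hosts ---
# Requires a KDS root key in the forest (created once with Add-KdsRootKey).
# Hosts are listed as principals allowed to retrieve the password, not linked.
New-ADServiceAccount -Name 'sqlfarm01' -DNSHostName 'sqlfarm01.corp.example' `
    -PrincipalsAllowedToRetrieveManagedPassword 'SQLHOST01$', 'SQLHOST02$'

# --- The check that settles the MSA-vs-gMSA question in the comments ---
# ObjectClass distinguishes the two; for an MSA, HostComputers holds the one
# bound host, and for a gMSA the allowed hosts are the retrieval principals.
function Get-ServiceAccountKind {
    param([Parameter(Mandatory)][string]$Name)
    $acct = Get-ADServiceAccount -Identity $Name `
        -Properties HostComputers, PrincipalsAllowedToRetrieveManagedPassword
    $isGroup = $acct.ObjectClass -eq 'msDS-GroupManagedServiceAccount'
    [pscustomobject]@{
        Name       = $acct.Name
        Kind       = if ($isGroup) { 'gMSA' } else { 'MSA' }
        BoundHosts = if ($isGroup) { $acct.PrincipalsAllowedToRetrieveManagedPassword }
                     else          { $acct.HostComputers }
    }
}

Get-ServiceAccountKind -Name 'sqlsvc01'    # Kind = MSA,  BoundHosts = SQLHOST01 only
Get-ServiceAccountKind -Name 'sqlfarm01'   # Kind = gMSA, BoundHosts = both hosts
```

When SQL Setup asks for the service account, the MSA is entered as `CORP\sqlsvc01$` with the password field left blank, since the host retrieves the password itself; the virtual-account form from the first comment (`NT SERVICE\ServiceName`) is the local, non-domain alternative. Running the final check before Setup is the cheapest way to avoid installing against a gMSA by accident, which the thread says works but is unsupported and untested.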