    Service account

    The default service account for PDS is NETWORK SERVICE. In this configuration, the service uses the SPN HOST/<computername>.

    It is, however, supported to run the service under a domain account. To do so, the service SPN must be changed and registered on the domain account. The change must be performed on both the service side (all running instances) and the client side.

    Important: All instances of PDS must use the same service account, either NETWORK SERVICE or a domain account. Mixing service accounts is not supported.

    To change the service identity on the server side, edit AdmPwd.PDS.exe.config: replace the dns element with servicePrincipalName and set its value to SVC/AdmPwd, as shown below:

    <service behaviorConfiguration="AdmPwdService.ServiceBehavior" name="AdmPwd.PDS.AdmPwdSvc">
      <endpoint address="" binding="netTcpBinding" name="NetTcpEndpoint" contract="AdmPwd.PDS.IAdmPwdSvc">
        <identity>
          <servicePrincipalName value = "SVC/AdmPwd" />
        </identity>
      </endpoint>
      <endpoint address="mex" binding="mexTcpBinding" bindingConfiguration="" name="MexTcpEndpoint" contract="IMetadataExchange" />
      <host>
        <baseAddresses>
          <add baseAddress="net.tcp://localhost:61184/AdmPwdService" />
        </baseAddresses>
      </host>
    </service>

    Important: the content of the config file is case sensitive. Make sure you use the same case as in the sample above when making changes.

    A change of service account on the server side must be matched by the configuration of the management tools. In the default configuration, the management tools expect the service to use the SPN HOST/<computername>. In the configuration with a domain account, the management tools need to use the service-specific SPN SVC/AdmPwd when calling PDS.

    This change to the management tools configuration can be made via the registry using GPO, as specified in Management tools configuration.

    Checklist for changing from the NETWORK SERVICE account to a domain account:

    1. Create an account for the service (service account) in the domain
    2. Register the SPN SVC/AdmPwd on the service account
    3. Grant the service account Read permission on the PDS install folder (%ProgramFiles64%\AdmPwd\PDS) and Modify permission on the CryptoKeyStorage folder (%ProgramFiles64%\AdmPwd\PDS\CryptoKeyStorage by default)
    4. Grant the service account PDS permissions on AD via the respective PowerShell cmdlets:
      • Set-AdmPwdPdsPermission
      • Set-AdmPwdPdsDeletedObjectsPermission
      • Set-AdmPwdPdsManagedAccountsPermission
    5. Grant the service account permission to read/write the SRV record in DNS, or turn off SRV record registration and maintain the record manually
    6. Configure the Group Policy “PDS service runs using domain account” to Enabled and apply it to the machines that run the management tools. This includes all machines running at least one of the following:
      • PowerShell module
      • Fat client UI
      • Web UI
    7. Set the domain account as the logon identity of the PDS Win32 service and restart the service
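    The server-side config change above and the checklist steps, as one PowerShell script added here as an example; it is not part of the AdmPwd.E documentation or product. It assumes the ActiveDirectory module is available and that the account already exists (step 1). The domain name CONTOSO, the account svc_pds, the Win32 service name AdmPwd.PDS and the config file location are placeholders to replace; only the SPN SVC/AdmPwd, the cmdlet names and the CryptoKeyStorage default come from the page. The parameters of the Set-AdmPwdPds*Permission cmdlets, the DNS record rights and the GPO setting are not scripted, since the page does not give them.

```powershell
#Requires -RunAsAdministrator
# Added example, not AdmPwd.E product code. Run on a PDS server as an AD administrator.
# Placeholders (assumptions): CONTOSO, svc_pds, the service name 'AdmPwd.PDS' and the
# config path. The SPN SVC/AdmPwd and the CryptoKeyStorage default come from the docs.
Import-Module ActiveDirectory

$DomainNetbios  = 'CONTOSO'                                   # placeholder
$SamAccountName = 'svc_pds'                                   # placeholder, created in step 1
$Spn            = 'SVC/AdmPwd'                                # documented SPN
$ServiceName    = 'AdmPwd.PDS'                                # placeholder; confirm with Get-Service
$PdsRoot        = Join-Path $env:ProgramFiles 'AdmPwd\PDS'    # assumed install folder
$KeyStore       = Join-Path $PdsRoot 'CryptoKeyStorage'       # documented default
$ConfigPath     = Join-Path $PdsRoot 'AdmPwd.PDS.exe.config'  # assumed location

# Step 2: register the SPN, refusing duplicates. Two accounts holding the same SPN break
# Kerberos for both (tickets are issued for the wrong identity or clients fall back to NTLM),
# so look for other holders first. The query covers the current domain only; in a
# multi-domain forest run it against a global catalog (-Server 'dc:3268').
function Register-PdsSpn {
    param([string]$SamAccountName, [string]$Spn)
    $acct = Get-ADUser -Identity $SamAccountName -Properties servicePrincipalName
    $others = Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" |
        Where-Object DistinguishedName -ne $acct.DistinguishedName
    if ($others) { throw "SPN $Spn is already held by: $($others.DistinguishedName -join '; ')" }
    if ($acct.servicePrincipalName -notcontains $Spn) {
        Set-ADUser -Identity $acct -ServicePrincipalNames @{ Add = $Spn }
    }
}

# Server side: replace <dns> with <servicePrincipalName> on the NetTcpEndpoint identity.
# XML element names are case sensitive, so they are spelled exactly as in the sample.
function Set-PdsServerSpnConfig {
    param([string]$ConfigPath, [string]$Spn)
    [xml]$cfg = Get-Content -LiteralPath $ConfigPath -Raw
    $endpoint = $cfg.SelectSingleNode(
        "//service[@name='AdmPwd.PDS.AdmPwdSvc']/endpoint[@name='NetTcpEndpoint']")
    if (-not $endpoint) { throw "NetTcpEndpoint not found in $ConfigPath" }
    $identity = $endpoint.SelectSingleNode('identity')
    if (-not $identity) { $identity = $endpoint.AppendChild($cfg.CreateElement('identity')) }
    $dns = $identity.SelectSingleNode('dns')
    if ($dns) { [void]$identity.RemoveChild($dns) }
    $node = $identity.SelectSingleNode('servicePrincipalName')
    if (-not $node) { $node = $identity.AppendChild($cfg.CreateElement('servicePrincipalName')) }
    $node.SetAttribute('value', $Spn)
    Copy-Item -LiteralPath $ConfigPath -Destination "$ConfigPath.bak" -Force   # rollback copy
    $cfg.Save($ConfigPath)
}

# Step 3: least privilege on disk: Read/Execute on the install folder, Modify only on the key store.
function Grant-PdsFolderAccess {
    param([string]$Account, [string]$PdsRoot, [string]$KeyStore)
    & icacls.exe $PdsRoot  /grant "${Account}:(OI)(CI)RX" | Out-Null
    & icacls.exe $KeyStore /grant "${Account}:(OI)(CI)M"  | Out-Null
}

# Step 7: change the service logon identity through Win32_Service.Change and restart.
# The account also needs the "Log on as a service" right (SeServiceLogonRight); unlike
# services.msc, this method does not grant it for you.
function Set-PdsServiceLogon {
    param([string]$ServiceName, [pscredential]$Credential)
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { throw "Service $ServiceName not found" }
    $result = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
        StartName     = $Credential.UserName
        StartPassword = $Credential.GetNetworkCredential().Password
    }
    if ($result.ReturnValue -ne 0) { throw "Win32_Service.Change failed with code $($result.ReturnValue)" }
    Restart-Service -Name $ServiceName
}

$account = "$DomainNetbios\$SamAccountName"
Register-PdsSpn -SamAccountName $SamAccountName -Spn $Spn
Set-PdsServerSpnConfig -ConfigPath $ConfigPath -Spn $Spn
Grant-PdsFolderAccess -Account $account -PdsRoot $PdsRoot -KeyStore $KeyStore
# Step 4: run Set-AdmPwdPdsPermission, Set-AdmPwdPdsDeletedObjectsPermission and
# Set-AdmPwdPdsManagedAccountsPermission for $account (parameters: see their Get-Help output).
# Steps 5 and 6 (DNS SRV record rights, the "PDS service runs using domain account" GPO)
# are done in DNS Manager and GPMC and are not scripted here.
$cred = Get-Credential -UserName $account -Message 'Password of the PDS service account'
Set-PdsServiceLogon -ServiceName $ServiceName -Credential $cred

# Verify: the SPN sits on exactly one account and the service runs under it.
Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" | Select-Object DistinguishedName
Get-CimInstance Win32_Service -Filter "Name='$ServiceName'" | Select-Object Name, StartName, State
```

    Run the SPN and config parts on every PDS instance so that none is left on the HOST SPN, and keep the duplicate-SPN check: an SPN that resolves to two accounts is the usual cause of clients silently dropping from Kerberos to NTLM after a change like this.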