Configure Passwordstate to use a Managed Service Account (MSA) to connect to the database

As of Build 7301, it is possible to configure Passwordstate to use a Managed Service Account to communicate with the database server, instead of a SQL Login Account.

A Managed Service Account in Active Directory is a special type of account which self manages the automatic rotation of its own password every 30 days. Configuring Passwordstate to use an MSA account can be more secure, as you don’t need to specify the password for this account in the database connections string in the web.config file.

To create an MSA account, and configure Passwordstate to use it, please follow these instructions:

Create a Managed Service Account (MSA)

• On your domain controller, open PowerShell console as an Admin, and execute the following commands
  
  • New-ADServiceAccount -Name <MSAAccountName> -RestrictToSingleComputer -AccountPassword (ConvertTo-SecureString -AsPlainText “<password>” -Force) -Path “cn=<MyCN>,dc=<MyDC>,dc=<MyDC>” (replace the variables in <> as appropriate)
    
  • Add-ADComputerServiceAccount -Identity “<MyWebServerName>” -ServiceAccount “<MSAAccountName> ” (The Web Server Name is where the MSA Account will be used)
    
• On your Passwordstate Web Server, open PowerShell console as Admin, and execute the following commands:
  
  • Add-WindowsFeature RSAT-AD-PowerShell (this role may already be installed)
    
  • Import-Module ActiveDirectory
    
  • Install-ADServiceAccount -Identity <MSAAccountName>
    

MSA Account and SQL Server

You now need to add a new Windows login within your SQL Server, and you can use the screenshots below as a guide – in our example, the MSA account is called passmsa, and whenever referencing an MSA account you must append the $ symbol to the end.

1. Create the MSA Login Account
   

1. Grant the MSA Account db_owner rights to the Passwordstate database
   

Configure Passwordstate IIS Application Pools

You need to open Internet Information Services Manager, and modify the “Identity” for both the Passwordstate and PasswordstateApps Application Pools so it uses the MSA Account. When specifying the MSA Account to use, you leave the password fields blank, as per the screenshot below.

Modify the Passwordstate web.config file

• Open the web.config file in the root of the Passwordstate folder (open as Admin with notepad or equivalent)
  
• Change the line:
  

<add name=”PasswordstateConnectionString” connectionString=”Data Source=<ServerName>;Initial Catalog=passwordstate;User ID=passwordstate_user;Password=<MyPassword>” providerName=”System.Data.SqlClient” />

to read like:

<add name=”PasswordstateConnectionString” connectionString=”Data Source=<ServerName>;Initial Catalog=passwordstate;Integrated Security=SSPI;” providerName=”System.Data.SqlClient” />

• Save the file and exit notepad
  

Configure Passwordstate Windows Service

We now need to change the ‘Log On As’ property for the Passwordstate Windows Service to use the MSA Account.

When doing so, you may need to select the ‘Service Accounts’ Object Type in order to find the account in Active Directory, as per the screenshot below:

And also leave the password for the account blank, just like the Application Pools.

Now restart the Passwordstate Windows Service.

File System NTFS Permissions Considerations

The Passwordstate Windows Service can write to disk any new Custom Images or Logos that you may have uploaded into Passwordstate. It is possible that the MSA Account you’re using does not have modify rights to the Passwordstate folder, in which case we can do one of two things:

1. If you have configured the Backup and In-Place Upgrade account in Passwordstate on the screen Administration -> Backups and Upgrades, then this account will be used for writing images to disk, and you do not need to do anything further
   
2. If you are not using the Backup and In-Place Upgrade feature, you will need to manually add Modify NTFS permissions to the Passwordstate folder and all nested files/folders for the MSA Account.
   

If neither of the two options above is possible, images cannot be written to the disk, and appropriate event log entries on your web server will be added to reflect this.