15

In SQL Server 2012, service accounts are created as virtual accounts (VAs), as described here, as opposed to managed service accounts (MSAs).

The important differences I can see for these, based on the descriptions:

  • MSAs are domain accounts, VAs are local accounts
  • MSAs use automagic password management handled by AD, VAs have no passwords
  • in a Kerberos context, MSAs register SPNs automatically, VAs do not

Are there any other differences? If Kerberos is not in use, why would a DBA ever prefer an MSA?

UPDATE: Another user has noted a possible contradiction in the MS docs concerning VAs:

The virtual account is auto-managed, and the virtual account can access the network in a domain environment.

versus

Virtual accounts cannot be authenticated to a remote location. All virtual accounts use the permission of machine account. Provision the machine account in the format <domain_name>\<computer_name>$.

What is the "machine account"? How/when/why does it get "provisioned"? What is the difference between "accessing the network in a domain environment" and "authenticating to a remote location [in a domain environment]"?

Tom V
  • 15,752
  • 7
  • 66
  • 87
jordanpg
  • 355
  • 5
  • 14

1 Answers1

4

Here's the way I see it.

When you use a VA, you impersonate the machine account.

The problem is, that it is easy to make a VA or use an existing one (ex. NT Authority\NETWORKSERVICE). If you grant the machine account access to an instance, an application that is running as a VA will be able to connect to that instance and perform actions.

With a managed account, you will have to provide the credentials for that account to whatever application wants to use them, allowing you more granularity with permissions.

Nabil Becker
  • 441
  • 2
  • 6