Adaxes

Adaxes service account -> Managed Service Account?

0 votes

Hello,

with Server 2008R2 Microsoft introduced the managed service accounts. This is a very valuable feature since it reduces the risks in pass-the-hash attacks.

Can the adaxes service user be configured as a managed service account?

Thank you for your help!
HarryNew

by (270 points)

1 Answer

0 votes
by (289k points)
selected by
Best answer

Hello Harry,

No, there is no such possibility.

0

Hello,

thank you for your answer.

This is a major drawback . Are there any plans for implementing the managed service accounts? Using long-term passwords and hashes in a Microsoft environment is not very secure and, considering the permissions the adaxes service account has in Active Directory, poses a serious security threat. Cycling the password regularly would lower this risk considerably.

Regards
HarryNew

by (270 points)
moved by
0

Hello Harry,

Are there any plans for implementing the managed service accounts?

Currently, there is no technical possibility to implement the feature. In such cases, Microsoft recommends using 20+ characters long passwords.

considering the permissions the adaxes service account has in Active Directory, poses a serious security threat

The Adaxes service account (specified during Adaxes installation) needs only the permissions to publish and unpublish Adaxes service in Active Directory (create/delete a Service Connection Point). No other permissions are required. For details on how to grant the permissions, see https://www.adaxes.com/resources/releas ... ishservice.

by (289k points)
moved by
0

Hello,

thank you for your answer.

Unfortunately I don't completely understand what you are saying. Maybe there are two service accounts that we need to look at. We originally installed Adaxes together with a business partner. I remember that there was a discussion about the fact that the adaxes service account should be a domain administrator. This violates our security guidelines. Therefore we chose to just give the adaxes service account the minimum permissions needed to perform it's operations in AD. But if you are saying that the service account does not need specific permissions in AD then how does adaxes go about performing the configured tasks in AD?

Regards
HarryNew

by (270 points)
moved by
0

Hello Harry,

As it was stated in our previous post, the Adaxes service account needs only the permissions to publish and unpublish Adaxes service in Active Directory. All operations in a managed domain are performed using the credentials of the account that was specified during the domain registration in Adaxes. For information on how to change the account, see https://www.adaxes.com/help/?HowDoI.Man ... nInfo.html.

by (289k points)
moved by
0

Hello,

thank you for the information and the links.

Can we use a "managed service account" for the "Service Account for Managed Domain"? Since this is the account that has the permissions in active directory it would be the one that we would like to protect.

Regards
HarryNew

by (270 points)
moved by
0

Hello,

No, there is no such possibility, same as for the Adaxes service account.

by (289k points)
moved by
0

Hello,

thank you for your answers and insights.

We are currently still running Adaxes 2017.2 since we had some problems with 2018.1. Do the above statements about the two different service accounts and their roles and permissions also apply to 2017.2?

Regards
HarryNew

by (270 points)
moved by
0

Hello Harry,

Yes, the statements are valid for Adaxes 2017.2, Adaxes 2018.1 and the latest Adaxes 2018.2.

by (289k points)
moved by

Related questions

0 votes
1 answer
isolated DomainA,DomainB. Common Adaxes service server for both managing DomainA,DomainB as managed domain

hello, We are doing poc for Adaxes software. Our need: Adaxes as front end to manage multiple isolated domains with no trust e.g. Domain A, Domain B. We deployed ... domain B always gives error "User or password is not correct". Is this toplogy supported

asked Jul 11 by VBahubali (40 points)
0 votes
1 answer
Is it possible to create/manage Managed Service Accounts through Adaxes?

We are looking to use Adaxes to create and manage Managed Service Accounts in the "Managed Service Accounts" OU. Is this possible through Adaxes? Thank you.

asked Nov 14, 2019 by lgibbens (320 points)
0 votes
1 answer
Least Privileged Permissions Adaxes service account

Dear Reader, Currently we have Adaxes installed to manage mostly the on-premises user base. However some activities are extended to Office 365. Here we notice that Adaxes installed ... and when we do so how will this affect Adaxes? Thanks in advance, Maarten

asked Jan 8 by Maarten5150 (20 points)
0 votes
1 answer
How can we minimize permissions of Domain Service Account and still retain Adaxes functionality?

Hello, We have recently begun setting up Adaxes and are trying to exercise least privilege on both of the accounts we have created to manage the service. ... account is also given the appropriate Security Role within the Adaxes administrative console.

asked Sep 12, 2023 by just.kon (20 points)
0 votes
1 answer
Adaxes Service Account

Hello We are trying to Demo Adaxes version 2019.01. We created a read only service account but apparently the "account doesn't have enough privileges to register a service ... . Do we need to grant Domain admin to this service account? Why? Thanks Dave

asked Jun 25, 2019 by davidotz8 (120 points)
3,547 questions
3,238 answers
8,232 comments
547,809 users