Using Managed Service Account for Octopus Deploy

Hi,
We use managed service accounts exclusively, and we are unable to install Octopus Deploy under an MSA. Do we really have to create a user account to install this product?
I have found articles relating to use of Managed Service Accounts for tentacles - surely there should be SOMETHING about MSA installation being supported (or NOT) in your knowledge base.
Please assist.
Regards,
James.

Hi James,

To be honest, I don’t have much knowledge of Managed Service Accounts. At what point is it not working?

When installing the Octopus Deploy server, we give the option to use a custom domain account. Can you enter your MSA there?

Regards,
Michael

Hi Michael,

Thanks for getting back to me.

The installation wizard forces one to ‘Select a user’, and it does not permit objects of type ‘Service Account’.

In order to work around this, I installed the software using my domain account.

Once the installation was complete, and the database, etc. had been created, I changed the Logon credentials of the Octopus service to the Managed Service Account. I also manually granted DBO role membership on the SQL database.

So now, we have the MSA working (so far so good!). We do not like to use user accounts (so-called Service accounts) since they are a security risk – people can log in, access resources, etc. The MSA is usable only by service processes. And the MSAs automatically generate new passwords on a schedule, so there’s no maintenance.

Regards,

James Caradoc-Davies
Architect
Tel: +27 21 554 5170
Cell: +27 (0)83 680 8329
www.justretirement.co.za


This email and any attachments are confidential and intended only for the named recipient. If you are not the intended recipient please do not disclose the contents to anyone, but notify the sender immediately by return email and delete this email (and any attachments) from your system. Any unauthorised dissemination, distribution, copying or use of this information is strictly prohibited.

This email and its attachments have been virus checked, but Just Retirement cannot accept any liability for any virus which is not detected or any damage which you may sustain as a result of software viruses. We advise that you do your own virus checks before opening any attachment.

Any email or telephone communication with Just Retirement (whether business or personal) may be monitored and recorded for business purposes.

No statement should be interpreted as investment advice.
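
The workaround described in the message above (install under a domain user, switch the service logon to the MSA, grant database rights), sketched in PowerShell as an added example; it is not part of the original thread and not Octopus Deploy's own tooling. The service name `OctopusDeploy`, the account, the SQL instance and the database name are assumptions, and the logon switch itself is still done in the Services console as in the post.

```powershell
# Added example. Every name below is a placeholder/assumption, not a value from the thread.
$ServiceName = 'OctopusDeploy'        # assumed Windows service name of the Octopus server
$MsaName     = 'svc-octopus'          # hypothetical MSA name (without the trailing $)
$Account     = 'CONTOSO\svc-octopus$' # hypothetical DOMAIN\name$ form used as the service logon
$SqlInstance = 'SQL01'                # hypothetical SQL Server instance
$Database    = 'Octopus'              # hypothetical Octopus database name

Import-Module ActiveDirectory         # RSAT AD module: Get-/Test-/Install-ADServiceAccount
Import-Module SqlServer               # provides Invoke-Sqlcmd

# 1. Confirm the object really is a managed service account, not an ordinary user.
$msa = Get-ADServiceAccount -Identity $MsaName
if ($msa.ObjectClass -notin 'msDS-ManagedServiceAccount', 'msDS-GroupManagedServiceAccount') {
    throw "$MsaName is object class '$($msa.ObjectClass)', not a managed service account."
}

# 2. The host must be able to use the MSA before the service is switched to it.
if (-not (Test-ADServiceAccount -Identity $MsaName)) {
    Install-ADServiceAccount -Identity $MsaName
}

# 3. Grant the MSA the db_owner role on the database (the manual step in the post).
$grant = @"
IF SUSER_ID(N'$Account') IS NULL CREATE LOGIN [$Account] FROM WINDOWS;
USE [$Database];
IF DATABASE_PRINCIPAL_ID(N'$Account') IS NULL CREATE USER [$Account] FOR LOGIN [$Account];
ALTER ROLE db_owner ADD MEMBER [$Account];
"@
Invoke-Sqlcmd -ServerInstance $SqlInstance -Query $grant

# 4. After the service logon has been changed to the MSA, verify the result.
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
$isOwner = (Invoke-Sqlcmd -ServerInstance $SqlInstance -Database $Database `
    -Query "SELECT IS_ROLEMEMBER('db_owner', N'$Account') AS IsOwner").IsOwner

[pscustomobject]@{
    Service        = $svc.Name
    RunsAs         = $svc.StartName
    RunsAsMsa      = $svc.StartName -ieq $Account
    State          = $svc.State
    DbOwnerGranted = ($isOwner -eq 1)
}
```

Once `RunsAsMsa` and `DbOwnerGranted` are both true, the domain user that ran the installer no longer needs any rights on the database or the server.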

James,

Oh, that’s interesting. We use an active-directory-object-picker library, and you’re right, we restrict the selection to Users.

The options are:

    Users,
    Groups,
    Computers,
    Contacts,
    BuiltInGroups,
    WellKnownPrincipals,

I wonder which one MSAs live under?

I’m glad you got it working, and I’m sorry you had to jump through a few hoops.

Regards,
Michael

Hi Michael,

I am not sure which enumeration member applies to Managed Service Accounts – I have included a screenshot to show what it looks like using the Built-in Windows Dialogs, where I have added ‘Service Accounts’…


We are using Octopus under the MSA and all is working well.

Regards,

James Caradoc-Davies

Thanks for that James.
I’m glad to hear it’s working for you.

Happy Deployments!
Michael