Service Accounts
"Service accounts in Active Directory are used to run applications, services, or scheduled tasks securely without using regular user accounts. There are two main types: gMSA (Group Managed Service Accounts) and dMSA (Dedicated Managed Service Accounts). gMSAs can be used across multiple servers and are ideal for load-balanced services, while dMSAs are meant for a single computer. Both types automatically manage passwords and permissions, reducing the risk of human error and improving security by limiting what the service can access and do."
Note that dMSA accounts are only present in Windows Server 2025.
Service Principal Names (SPNs)
In Active Directory, a Service Principal Name (SPN) is a unique identifier for a specific service instance (like HTTP/webserver or MSSQL/dbserver). It ties a service name and host to the service's AD account, enabling Kerberos to find and authenticate the correct account and issue secure, encrypted tickets. Clients request tickets using the SPN, and only the account that owns that SPN can decrypt them. Because each SPN must be unique in the AD forest, SPNs prevent impersonation and ensure secure, reliable service authentication. (serverfault.com)
How can I create one? Easy. We must already have a service account created; go to gMSAs or dMSAs to create one first.
setspn -A HTTP/ca.boxcreator.htb 'gMSA_ADCS_prod$'
This will add the service principal name HTTP/ca.boxcreator.htb to the specified service account.
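Because an SPN must be unique in the forest, a safer registration routine checks for an existing owner first and uses setspn -S (which refuses to create a duplicate) instead of -A (which does not check). The following PowerShell is an added example, not part of the original page; it assumes the SPN and account names from the page and a domain-joined host with the ActiveDirectory module installed.

```powershell
# Added example: register an SPN on a gMSA only after confirming no other
# account already holds it, then verify the registration.
# Assumptions: HTTP/ca.boxcreator.htb and gMSA_ADCS_prod$ come from the page
# above; the forest is whichever one this machine is joined to.
param(
    [string]$Spn     = 'HTTP/ca.boxcreator.htb',
    [string]$Account = 'gMSA_ADCS_prod$'
)

# setspn -Q searches the whole forest for an existing registration of this SPN.
# It prints "Existing SPN found!" on a hit and "No such SPN found." otherwise.
$query = setspn -Q $Spn 2>&1
if ($query -match 'Existing SPN found') {
    Write-Warning "SPN $Spn is already registered; a duplicate would make Kerberos issue tickets encrypted to the wrong key."
    $query | Where-Object { $_ -match '^CN=' } | ForEach-Object { Write-Warning "  owner: $_" }
    exit 1
}

# -S adds the SPN but fails if a duplicate exists anywhere in the forest
# (unlike -A, which writes the attribute without checking).
setspn -S $Spn $Account
if ($LASTEXITCODE -ne 0) { throw "setspn -S failed with exit code $LASTEXITCODE" }

# Verify via the servicePrincipalName attribute of the gMSA object.
Import-Module ActiveDirectory
$gmsa = Get-ADServiceAccount -Filter "SamAccountName -eq '$Account'" -Properties ServicePrincipalNames
if ($null -eq $gmsa) { throw "No managed service account named $Account was found" }
if ($gmsa.ServicePrincipalNames -contains $Spn) {
    "OK: $Spn is registered on $Account"
} else {
    throw "$Spn is not present on $Account after registration"
}

# Periodic hygiene check: setspn -X reports every duplicate SPN in the forest.
setspn -X
```

Run it from an account with write access to the gMSA object; the final setspn -X output should list no duplicates after a clean registration.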
Written by ruycr4ft