
Friday, October 2, 2015

UPDATED: Changing the SharePoint 2013 Farm Administrator Password

I wrote this post earlier this year regarding how to change the SharePoint 2013 farm admin password, and today I found an interesting situation that required a couple of extra steps. Those extra steps are called out below, under step 1 and after step 3 (they were highlighted in red in the original post). Big thanks to Doug Hemminger (@DougHemminger) for his assistance in finding a solution.

When setting up a new SharePoint 2013 farm, as a best practice we typically create service accounts for very specific purposes. The idea here is that we deploy SharePoint 2013 using a least privileged model, where very specific service accounts are created for very specific purposes and those accounts are only granted the permissions required to fulfill that purpose. That way, if such a service account is compromised by a malicious user, that user does not gain access to the entire farm. One such account is the SharePoint 2013 farm account.

When creating these service accounts, for various reasons, we typically create a domain account in Active Directory and configure it such that the passwords do not expire. As well, we find that the passwords for these service accounts typically are not changed often. However, there are circumstances in which the password for the SharePoint 2013 farm account must be changed.
  • One example of such a circumstance is if we suspect that the farm account has been compromised by a malicious user.
  • Another example is when consultants, such as myself, are brought in to deploy new SharePoint 2013 environments. Once that deployment process is complete and the client is happy with the environment, rightfully so, the client typically wants to take complete control of the environment and restrict farm admin level access to only a small set of internal employees - essentially they want to prevent the consultants that deployed the environment from continuing to have farm administrative level access.

Changing the SharePoint 2013 farm account password is a manual process. It's not something that is done often, so people often aren't sure which steps are required to ensure that it has been changed in all required locations. Always be sure to test this process in a TEST SharePoint 2013 environment and monitor that environment for a period of time before performing this process in a PRODUCTION environment. Your SharePoint 2013 farm may be configured differently from other standard configurations, and your process may require extra steps.


For a standard SharePoint 2013 farm, the following are the steps required for modifying the SharePoint 2013 farm account:


1. Navigate to the SharePoint 2013 Central Administration interface, click Security in the left-hand menu, and click ‘Configure Managed Accounts’. Select the farm administrator account in the account list shown, click the Edit icon and change the password.

I recently found that if the Central Administration application is running on a server in your farm which is not hosting the Distributed Cache service, this step will fail. Luckily it fails early in the process and you get a "Sorry, something went wrong" message with a correlation ID. If you look into the ULS logs using that correlation ID, you'll find an Unexpected Error from the Distributed Cache saying the SPDistributedCacheServiceInstance is not valid. To resolve this, you can do the following:

  • Launch a SharePoint Command Shell window as an administrator
  • Run the following PowerShell command to temporarily enable the Distributed Cache service on this server: Add-SPDistributedCacheServiceInstance. The command should take a few seconds to run and complete successfully without any feedback on the command prompt. Once the whole password change process below is complete, you'll remove the Distributed Cache service from this server again.
  • Repeat step 1.  This step should now complete successfully.  Leave the SharePoint management console running.
  • You may find that this step stops the User Profile Synchronization Service on the server on which it is running.  At this point, check whether this service is still running in the 'Manage Services on Server' page and if not, start it now on the same server on which it was previously running.


2. Manually change the User Profile Synchronization Service password. As required by SharePoint, this service runs under the farm administrator account; however, SharePoint 2013 does not treat this account as a managed account in this context, so the password must be changed manually.
  • The farm administrator account must be made a local administrator on the server hosting the User Profile Synchronization Service during the password change.
  • Once that step is complete, launch SharePoint Central Admin, navigate to System Settings and click ‘Manage Services on Server’. This page is used to start and stop services on each machine in the farm. Select the machine hosting the User Profile Synchronization Service and find that service. Its status should be Started.
  • Stop the service.
  • Start the service again. When starting it, you'll be asked for the new password.
  • Monitor the User Profile Synchronization Service and ensure that it starts correctly.
  • Once started, you may remove the farm administrator account from the local administrators group. However, we often recommend leaving it as a local admin on that server for simplicity of making such changes in the future.


3. Check if any applications in the Secure Store service use the farm administrator account, and if they do change the password there.
  • Launch SharePoint Central Admin, click Application Management in the left-hand menu, click Manage Service Applications, click the Secure Store Service application and click Manage Target Applications.
  • Select a single Target Application from the list.
  • In the Credentials group on the ribbon, click Set. This opens the Set Credentials for Secure Store Target Application dialog box. If the target application uses the farm administrator account, change the password here.
  • Repeat this process for all secure store applications.
  • Note: Be cautious when entering the password. If a password is entered incorrectly, no message will be displayed about the error. Instead, you'll be able to continue with configuration. However, errors can occur later, when you attempt to access data through the BCS.  If the password for the external data source is updated, you have to return to this page to manually update the password credentials.

At this point, if you added the Distributed Cache service to the Central Administration server as part of step 1, remove it again. In the SharePoint management console you previously opened, run the following command: Remove-SPDistributedCacheServiceInstance.

4. Reboot all the servers in the SharePoint farm, except for the SQL Server. SQL Server does not need to be restarted.
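Before starting step 1 (and again after the reboot in step 4), it helps to know exactly where the farm account is referenced in your farm. The read-only SharePoint Management Shell script below is an added example, not part of the original post; it assumes the farm account is the farm's DefaultServiceAccount and it cannot look inside Secure Store target applications (step 3 still has to be checked by hand).

```powershell
# Added example: read-only audit of where the SharePoint 2013 farm account is used.
# Run in the SharePoint 2013 Management Shell as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumption: the farm account is the farm's default service account (DOMAIN\user).
$farmAccount = (Get-SPFarm).DefaultServiceAccount.Name
Write-Host "Farm account: $farmAccount"

# Step 1 depends on the farm account being a managed account.
$managed = Get-SPManagedAccount | Where-Object { $_.UserName -eq $farmAccount }
if ($managed) {
    Write-Host "Managed account found; automatic change: $($managed.AutomaticChange)"
} else {
    Write-Warning "Farm account is not registered as a managed account."
}

# The managed-account edit fails when the Central Administration server does not
# also host Distributed Cache (the workaround under step 1). Flag that case.
$instances = Get-SPServiceInstance
$caServers = $instances | Where-Object { $_.TypeName -eq 'Central Administration' -and $_.Status -eq 'Online' } |
    ForEach-Object { $_.Server.Name }
$dcServers = $instances | Where-Object { $_.TypeName -eq 'Distributed Cache' -and $_.Status -eq 'Online' } |
    ForEach-Object { $_.Server.Name }
foreach ($server in $caServers) {
    if ($dcServers -notcontains $server) {
        Write-Warning "Central Admin runs on $server without Distributed Cache: expect step 1 to fail there until Add-SPDistributedCacheServiceInstance is run on it."
    }
}

# Step 2: where does User Profile Synchronization run, and is it still Online after the change?
Write-Host "User Profile Synchronization Service instances:"
$instances | Where-Object { $_.TypeName -eq 'User Profile Synchronization Service' } |
    Select-Object @{n='Server'; e={ $_.Server.Name }}, Status | Format-Table -AutoSize

# Application pools (service and web) that run as the farm account; a wide list here
# means the account is being used beyond the purposes it is reserved for.
Write-Host "Service application pools running as the farm account:"
Get-SPServiceApplicationPool | Where-Object { $_.ProcessAccountName -eq $farmAccount } |
    Select-Object Name, ProcessAccountName | Format-Table -AutoSize

Write-Host "Web application pools running as the farm account:"
Get-SPWebApplication -IncludeCentralAdministration |
    Where-Object { $_.ApplicationPool.Username -eq $farmAccount } |
    Select-Object DisplayName, @{n='AppPool'; e={ $_.ApplicationPool.Name }} | Format-Table -AutoSize
```

Run it once before the change to build your checklist and once after the reboot to confirm the User Profile Synchronization instance reports Online again.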


Please let me know if you have any questions or comments about this process. There may be other services that have been configured with the farm administrator account, so your process may vary somewhat, but typically the farm administrator account is reserved for specific purposes. As a best practice, due to its high level of access, the farm administrator account should not be used for anything other than the purposes for which it was designed.

   -Antonio

