Service Accounts for Web Applications and Service Applications

by Dan Holme on 2/14/2014

Web and Service Application Pool Accounts: SP_WebApps and SP_ServiceApps

Each Web application runs in an application pool. The application pool identity is a domain user account that is functionally equivalent to a service account, with permissions to access the content database for the Web application on the SQL Server. Service applications and services, such as Search or the Office Web Applications, also use domain user identities for application pool and service accounts.

When you assign an account to a Web application, service, or service application, SharePoint automatically grants the account the permissions it needs. For example, when you assign an account as the default crawl account, which is used to index SharePoint content for search, SharePoint automatically grants the account permission to read all content in all new web applications.

You can use one or more accounts for Web applications, service applications, and services based on your requirements for manageability and security. By using unique accounts for each application and service, you can create a least-privileged environment in which each application or service account has only the permissions required for that component. Additionally, you can more easily audit and troubleshoot because logs will clearly identify the account—and therefore the service—in question.

By using a single account for all applications and services, you eliminate the need to manage multiple accounts. However, the account will have the cumulative permissions required for all applications and services, which means that any one application or service process will run with more permissions than it needs. And it will become more difficult to audit and troubleshoot certain scenarios, because logs will identify a single account and you cannot directly associate that account with a specific service or application.

In many products, it is difficult to manage service accounts because of password synchronization. When a service account’s password is changed in Active Directory, you must manually update the logon information for the service on each system on which the service is installed.

SharePoint provides managed accounts, a feature that reduces the management overhead for service accounts. A managed account is a domain user account that is registered with SharePoint and assigned to one or more Web applications, service applications, or services. When you change the password of a managed account, SharePoint automatically updates the logon information of the associated components. Additionally, SharePoint can automatically manage password changes so that changes are made just prior to the expiration of the password based on domain password policy.

As a result, managing service accounts for SharePoint is significantly easier than for many other services or products. By reducing the management burden of service accounts, SharePoint makes it practical to use one account per service or application.

At a bare minimum, use one account (for example, SP_ServiceApps) for service applications and a second account (for example, SP_WebApps) as the application pool identity for user-facing Web applications.

In a production environment, you should define accounts based on your requirements for security and manageability, with the understanding that defining unique accounts for each service and application pool is often a best practice.
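The following PowerShell is an added example, not part of the original article, showing how the two-account minimum above is put in place with managed accounts and then audited: it registers SP_WebApps and SP_ServiceApps as managed accounts with automatic password rotation, binds each to its own application pool, and lists which identity every pool actually runs as. The domain CONTOSO, the pool and Web application names, the URL and the database name are assumptions.

```powershell
# Added example (not from the article). Run in the SharePoint Management Shell
# on a farm server; the two accounts must already exist in Active Directory.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumed account names for the two roles recommended in the text.
$accounts = @('CONTOSO\SP_WebApps', 'CONTOSO\SP_ServiceApps')

foreach ($name in $accounts) {
    if (-not (Get-SPManagedAccount -Identity $name -ErrorAction SilentlyContinue)) {
        # Registering the account lets SharePoint own its password from now on
        # and push changes to every component the account is bound to.
        $cred = Get-Credential -UserName $name -Message "Current password for $name"
        New-SPManagedAccount -Credential $cred | Out-Null
    }
    # Have SharePoint generate the next password itself, 5 days before the
    # domain password policy would expire the current one.
    Set-SPManagedAccount -Identity $name -AutoGeneratePassword -PreExpireDays 5 `
        -Schedule 'weekly at sat 02:00:00' -Confirm:$false
}

# One pool per role, each with its own identity (least privilege).
$svcPool = Get-SPServiceApplicationPool 'SharePoint Service Applications' -ErrorAction SilentlyContinue
if (-not $svcPool) {
    $svcPool = New-SPServiceApplicationPool -Name 'SharePoint Service Applications' `
        -Account (Get-SPManagedAccount 'CONTOSO\SP_ServiceApps')
}

if (-not (Get-SPWebApplication 'Intranet' -ErrorAction SilentlyContinue)) {
    New-SPWebApplication -Name 'Intranet' -Port 80 -URL 'http://intranet.contoso.com' `
        -ApplicationPool 'SharePoint Web Applications' `
        -ApplicationPoolAccount (Get-SPManagedAccount 'CONTOSO\SP_WebApps') `
        -DatabaseName 'WSS_Content_Intranet' | Out-Null
}

# Audit: report the identity each pool really runs as. A pool running as the
# farm account, or a Web application pool using the service-application
# account, breaks the separation described above and should show up here.
Get-SPServiceApplicationPool | Select-Object Name, ProcessAccountName
Get-SPWebApplication | ForEach-Object {
    [pscustomobject]@{
        WebApp  = $_.DisplayName
        Pool    = $_.ApplicationPool.Name
        Account = $_.ApplicationPool.Username
    }
}
```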
