SharePoint 2010, Managed Accounts, and failed password changes

SharePoint managed accounts are COOL!  The ability to have SharePoint manage your service account credentials auto-magically reduces repetitive tasks such as mandatory password changes on a large server farm.  System Admins just love managed accounts…

until they fail.

Failure Points
SharePoint keeps an encrypted copy of each managed account's credentials in the farm configuration database.  This works great *if* those credentials stay in sync with the password stored in Active Directory.  There are two common reasons why they get out of sync:

  • The password change fails but SharePoint thinks it was successful
  • The password is manually changed within AD but not within SharePoint

Regardless of the reason, the result is the same:  SharePoint is holding invalid credentials and every application pool and service that runs as the managed account is affected.

Common Symptoms

  • SharePoint sites become unavailable, displaying the ever-popular
    “An unexpected error has occurred”
  • The server event logs fill up with authentication failures for the
    service account (application pools cannot start as an identity whose
    password is invalid)
  • The Central Administration –> Managed Accounts page errors out with
    “Object reference not set to an instance of an object”
    (This is our personal favorite symptom)

[Cue the soft sounds of sobbing in the System Administrator’s office]

Steps to resolve

1st:  Reset the managed accounts to a known password
You must get the service accounts being managed by SharePoint into a known state.  In Active Directory, change the password of each impacted service account to a known password, and confirm the new password actually works (a failed logon as that account now is much cheaper than finding out after SharePoint has stored it).

2nd: Get access to the Central Administration –> Managed Accounts page
The Managed Accounts page will be in an error state.  This is because SharePoint is still attempting to manage the service accounts and the scheduled password changes keep failing because of the invalid credentials.  To fix it, we need to turn off automatic password changes for all managed accounts.

Enter your local, friendly PowerShell console!

  1. Launch the SharePoint 2010 Management Shell as a farm administrator
  2. Enter the following command

Get-SPManagedAccount | where {$_.AutomaticChange -eq $true} |% {$_.AutomaticChange=$false; $_.Update();}

This command forces every managed account (not only the broken ones) to NOT attempt an automatic password change.  Once it completes, the Managed Accounts page will once again be available.

3rd: Reset impacted Managed Account passwords

  1. Launch Central Administration
  2. Navigate: Security –> Configure Managed Accounts
  3. Click the Edit icon for the impacted service account
  4. Click Change Password Now and select the Use Existing Password option
  5. Enter the new “known” password you created in the 1st step “Reset the managed accounts to a known password”

4th: Reset IIS
Reset IIS using IISRESET on every web server in the farm (the application pools on each server need to pick up the new credential), or (our personal favorite) reboot the servers.
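The four steps above, scripted end to end, as an added example that is not code from the original post.  Everything in it is an assumption for illustration: the domain CONTOSO, the impacted managed account CONTOSO\sp_app, and the "known" password being prompted for at runtime.  Before SharePoint is told about the password it is checked against Active Directory, because storing a second wrong password only buys another round of sobbing.  Run it from the SharePoint 2010 Management Shell as a farm administrator.

```powershell
# Added example (not from the original post). Assumed values: CONTOSO domain,
# CONTOSO\sp_app as the impacted managed account. Run in the SharePoint 2010
# Management Shell as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

$account  = 'CONTOSO\sp_app'                                  # assumed
$password = Read-Host -AsSecureString -Prompt "Known password for $account"

# 1st: prove the "known" password is really what AD has. The secure string is
# decrypted only for the duration of the bind and the buffer is zeroed after.
function Test-ADCredential {
    param([string]$UserName, [System.Security.SecureString]$Secure)
    $domain, $sam = $UserName -split '\\'
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
    try {
        $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext('Domain', $domain)
        return $ctx.ValidateCredentials($sam, $plain)
    } finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    }
}
if (-not (Test-ADCredential -UserName $account -Secure $password)) {
    throw "Active Directory rejected that password for $account; finish the 1st step before continuing."
}

# 2nd: stop every managed account from attempting another automatic change.
# Record which ones were enabled first, because this disables all of them.
$wasAutomatic = Get-SPManagedAccount | Where-Object { $_.AutomaticChange }
$wasAutomatic | Select-Object UserName, ChangeSchedule |
    Export-Csv -Path .\managed-accounts-before.csv -NoTypeInformation
$wasAutomatic | ForEach-Object {
    $_.AutomaticChange = $false
    $_.Update()
    Write-Host "Automatic change disabled for $($_.UserName)"
}

# 3rd: tell SharePoint the password already set in AD. This is the cmdlet form
# of Central Administration -> Change Password Now -> Use existing password.
Set-SPManagedAccount -Identity $account -UseExistingPassword -ExistingPassword $password -Confirm:$false

# 4th: restart IIS on every server in the farm, not just the one you are on.
# The database server shows up in Get-SPServer with Role 'Invalid' and is skipped.
Get-SPServer | Where-Object { $_.Role -ne 'Invalid' } | ForEach-Object {
    Write-Host "Restarting IIS on $($_.Address)"
    iisreset $_.Address /noforce
}
```

The CSV written in the 2nd step is what you will want when you re-enable scheduled changes afterwards: the one-liner turns off automatic change for accounts that were never broken, and nothing in SharePoint remembers which ones those were.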

Final Thoughts

  1. The PowerShell command in the 2nd step turned off automatic password changes for every managed account, not just the broken ones.  You will need to re-enable the automatic password change on each managed account with a schedule that meets your own corporate policies.
  2. Make a backup!  The managed account credentials live in the configuration database, so back it up once the farm is healthy again.
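Both final thoughts in one script, as an added example that is not from the original post.  The account names, the backup share and the monthly schedule are assumptions standing in for your own policy; the schedule string uses SharePoint's own timer-job schedule syntax.  Run it from the SharePoint 2010 Management Shell.

```powershell
# Added example (not from the original post). Assumed values: the two managed
# accounts, the monthly change window and the backup share.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$accounts   = 'CONTOSO\sp_app', 'CONTOSO\sp_services'          # assumed
$schedule   = 'monthly between 1 02:00:00 and 1 03:00:00'       # assumed policy window
$backupPath = '\\backup01\spfarm'                               # assumed share

foreach ($name in $accounts) {
    $ma = Get-SPManagedAccount -Identity $name -ErrorAction Stop
    # Let SharePoint generate the next password itself, change it inside the
    # window above, no later than 2 days before the AD password expires, and
    # e-mail the farm administrators 5 days before the change.
    Set-SPManagedAccount -Identity $ma -AutoGeneratePassword `
        -Schedule $schedule -PreExpireDays 2 -EmailNotification 5 -Confirm:$false
}

# Verify: the accounts you re-enabled should now show AutomaticChange = True
# with a schedule; anything still False was either left alone on purpose or
# missed above.
Get-SPManagedAccount |
    Select-Object UserName, AutomaticChange, ChangeSchedule, PasswordExpiration |
    Format-Table -AutoSize

# Backup: the credentials are in the configuration database, so a
# configuration-only farm backup captures the state you just restored.
Backup-SPFarm -Directory $backupPath -BackupMethod Full -ConfigurationOnly
```

If you also changed passwords by hand in AD for accounts SharePoint does not know about yet, Set-SPManagedAccount with -UseExistingPassword (as in the recovery steps) is the way to bring them in line before switching them back to automatic change.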

2 thoughts on “SharePoint 2010, Managed Accounts, and failed password changes”

  1. Rod

    Yep – we got bitten by this twice in production, luckily was ready for it as it had happened numerous times in test and had set the automatic password change to occur on the weekend.. Got management to accept fixed passwords for the service accounts and set them to not expire. No more SharePoint password management issues.
