SAP service account Windows


















That is why the SAP spool system requires an external process that transfers the output requests from the SAP spool server to the Microsoft Windows spooler. This process is provided by the SAPSprint service. SAPSprint comprises the program sapsprint. The sapwin. SAPSprint runs as a Windows service. In general, you do not have to change the default configuration settings of SAPSprint as a Windows service, with one exception: change the local system account to a domain account. To do this, open the list of services in your Windows system, right-click the SAPSprint service, and choose Properties.

On the Log On tab, select the option This account and enter a domain user account. Like the line printer daemon lpd, SAPSprint accepts print data and forwards it to the host spooler. SAPSprint is implemented as a multithreaded Windows service and adds the following features:

Unlike domain accounts, for which administrators must reset passwords manually, the network passwords for managed service accounts are reset automatically. Managed service accounts apply to the Windows operating systems that are designated in the Applies To list at the beginning of this topic.

Group-managed service accounts are an extension of the standalone-managed service accounts, which were introduced in Windows Server R2. These accounts are managed domain accounts that provide automatic password management and simplified service principal name (SPN) management, including delegation of management to other administrators.

The group-managed service account provides the same functionality as a standalone managed service account within the domain, but it extends that functionality over multiple servers.

When connecting to a service that is hosted on a server farm, such as Network Load Balancing, the authentication protocols that support mutual authentication require all instances of the services to use the same principal.

When group-managed service accounts are used as service principals, the Windows Server operating system manages the password for the account instead of relying on the administrator to manage the password. The Microsoft Key Distribution Service kdssvc.

This service was introduced in Windows Server , and it does not run on previous versions of the Windows Server operating system. The Key Distribution Service shares a secret, which is used to create keys for the account.

These keys are periodically changed. For a group-managed service account, the domain controller computes the password on the key that is provided by the Key Distribution Services, in addition to other attributes of the group-managed service account. Group-managed service accounts provide a single identity solution for services running on a server farm, or on systems that use Network Load Balancing. By providing a group-managed service account solution, services can be configured for the group-managed service account principal, and the password management is handled by the operating system.

By using a group-managed service account, service administrators do not need to manage password synchronization between service instances. The group-managed service account supports hosts that are kept offline for an extended time period and the management of member hosts for all instances of a service.

This provision means that you can deploy a server farm that supports a single identity to which existing client computers can authenticate without knowing the instance of the service to which they are connecting. Failover clusters do not support group-managed service accounts. However, services that run on top of the Cluster service can use a group-managed service account or a standalone managed service account if they are a Windows service, an App pool, a scheduled task, or if they natively support group-managed service account or standalone managed service accounts.

Group-managed service accounts can only be configured and administered on computers running at least Windows Server , but they can be deployed as a single service identity solution in domains that still have domain controllers running operating systems earlier than Windows Server There are no domain or forest functional level requirements.

A bit architecture is required to run the Windows PowerShell commands that are used to administer group-managed service accounts. A managed service account is dependent on encryption types supported by Kerberos.

When a client computer authenticates to a server by using Kerberos protocol, the domain controller creates a Kerberos service ticket that is protected with encryption that the domain controller and the server support.

If computers that host the managed service account are configured to not support RC4, authentication will always fail. For more information about supported encryption types, see Changes in Kerberos Authentication.

Group-managed service accounts are not applicable in Windows operating systems prior to Windows Server

Virtual accounts were introduced in Windows Server R2 and Windows 7, and are managed local accounts that provide the following features to simplify service administration: No password management is required.
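The account types described above can be told apart by the logon identity recorded for each service, which makes it possible to audit which services still depend on manually managed passwords. The PowerShell below is an added example, not part of the original page or of SAP or Microsoft documentation; the function name `Get-ServiceIdentityClass`, the `EXAMPLE` domain and the sample rows are constructed, and the trailing-`$` test for managed service accounts is a naming heuristic that should be confirmed in Active Directory.

```powershell
# Added example: classify a service's logon identity (Win32_Service.StartName).
# The rows in $sample are constructed. On a live host, replace them with:
#   Get-CimInstance Win32_Service | Select-Object Name, StartName
function Get-ServiceIdentityClass {
    param([string]$StartName)
    if ([string]::IsNullOrWhiteSpace($StartName)) { return 'Unknown' }
    switch -Regex ($StartName.Trim()) {
        '^(LocalSystem|NT AUTHORITY\\SYSTEM)$'          { return 'LocalSystem' }
        '^NT AUTHORITY\\(LocalService|NetworkService)$' { return 'BuiltInService' }
        '^NT SERVICE\\'                                 { return 'VirtualAccount' }
        # Heuristic: managed service account names end in '$'.
        '\$$'                                           { return 'ManagedServiceAccount' }
        '^\.\\'                                         { return 'LocalUser' }
        # DOMAIN\user or user@domain; HOST\user is also matched here.
        '^[^\\@]+\\[^\\]+$|^[^\\@]+@[^\\@]+$'           { return 'UserAccount' }
        default                                         { return 'Unknown' }
    }
}

# What each class means for password handling.
$note = @{
    LocalSystem           = 'Local system account; the page recommends a domain account for SAPSprint'
    BuiltInService        = 'Built-in service identity; no password to manage'
    VirtualAccount        = 'Virtual account; no password management required'
    ManagedServiceAccount = 'Name ends in $; password is reset automatically if this is an sMSA/gMSA'
    LocalUser             = 'Local user; password is set and rotated by an administrator'
    UserAccount           = 'User account; password must be reset manually by an administrator'
    Unknown               = 'Unrecognised format; review by hand'
}

# Constructed sample input (not taken from a real system).
$sample = @(
    [pscustomobject]@{ Name = 'SAPSprint';    StartName = 'LocalSystem' }
    [pscustomobject]@{ Name = 'ExamplePrint'; StartName = 'EXAMPLE\svc-print' }
    [pscustomobject]@{ Name = 'ExampleFarm';  StartName = 'EXAMPLE\gmsa-farm$' }
    [pscustomobject]@{ Name = 'ExampleAgent'; StartName = 'NT SERVICE\ExampleAgent' }
    [pscustomobject]@{ Name = 'ExampleLocal'; StartName = '.\svc-local' }
)

$report = foreach ($svc in $sample) {
    $class = Get-ServiceIdentityClass $svc.StartName
    [pscustomobject]@{
        Service = $svc.Name
        LogOn   = $svc.StartName
        Class   = $class
        Note    = $note[$class]
    }
}
$report | Format-Table -AutoSize -Wrap
```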


