SharePoint is a fairly complex product. It's powered by many services, managed services using application pools, and the like. All of these run under identities, usually Windows Identities. And since security is extremely important, many organizations have standards around managing the identities of these service accounts.

SharePoint provides numerous facilities to manage the passwords of service accounts. But at the very core, in order to use any account for any service, the account must be registered with SharePoint first.

Registering Service Accounts

To register a new service account within SharePoint:

  1. Open Central Administration as a farm administrator and click the Security link.
  2. Under the General Security section, click the “Configure managed accounts” link.
  3. In the Managed Accounts page, click the “Register Managed Account” link.
  4. In the Register Managed Account page (see Figure 1), enter the service account credentials.
Figure 1: Registering a managed account
  5. This is an optional but recommended step. In the Automatic Password Change section, select the “Enable automatic password change” check box to allow SharePoint 2013 to manage the password for the selected account. Also, enter a numeric value that indicates the number of days before password expiration to initiate the automatic password change process. You can also set up an email notification at a fixed number of days before the automatic password change is initiated on the same page.
  6. To configure the notification email address and specify global password change policies that apply to all managed services, go to Central Administration Security\Configure password change settings. This opens the Password Management Settings page, which is shown in Figure 2.
Figure 2: Automatic Password Management Settings

Automated password change is usually trouble-free. But sometimes, service applications, and even the automatic password change process itself, fail because there is a password mismatch between Active Directory Domain Services (AD DS) and SharePoint 2013. The password change process can result in access denial at logon, an account lockout, or AD DS read errors.

You can correct the password mismatch using PowerShell by using the following command:

Set-SPManagedAccount [-Identity]
    <SPManagedAccountPipeBind> -ExistingPassword
    <SecureString> -UseExistingPassword $true

Service Account Password Management

There are some common management tasks you need to do with the passwords and passphrases in any SharePoint environment.

Changing the Farm Passphrase

As an account password changes, SharePoint stores it in the configuration database. This password is encrypted using the passphrase specified when SharePoint was first set up. It's also possible to change this passphrase. You can change the passphrase using the following PowerShell command:

Set-SPPassPhrase -PassPhrase <SecureString>
  -ConfirmPassPhrase <SecureString>
  -LocalServerOnly $true

Changing Account Passwords Manually

Sometimes, you may want to change the password manually. This might happen when the account is compromised. Or, you might have set up automatic password change but the existing password is about to expire. You can change the password manually by using the following command:

Set-SPManagedAccount [-Identity]
    <SPManagedAccountPipeBind> -AutoGeneratePassword $true

Note that you're using an automatically generated value here, versus the earlier example where you supplied the account's existing password. By using auto-generated values, you are creating a more secure farm because no one knows the password.
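The following PowerShell session is an added example, not code from the article: it reviews a managed account's automatic-change settings before touching it, then shows both fixes described above (resyncing SharePoint with the password already set in AD DS, and rotating to an auto-generated value). The account name is a placeholder, and the SPManagedAccount properties read in the status function are assumed from the object model.

```powershell
# Added example (not from the article). Account name is a placeholder.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$accountName = 'CONTOSO\svc_sp_app'   # placeholder: replace with your managed account

function Get-ManagedAccountStatus {
    # Summarise the settings that matter before changing a password.
    # Property names (AutomaticChange, ChangeSchedule, PasswordExpiration)
    # are assumed from the SPManagedAccount object.
    param([Parameter(Mandatory)][string]$UserName)
    $acct = Get-SPManagedAccount -Identity $UserName -ErrorAction Stop
    [pscustomobject]@{
        UserName           = $acct.UserName
        AutomaticChange    = $acct.AutomaticChange
        ChangeSchedule     = $acct.ChangeSchedule
        PasswordExpiration = $acct.PasswordExpiration
        DaysToExpiry       = [int]($acct.PasswordExpiration - (Get-Date)).TotalDays
    }
}

# 1. Review first: a near-zero DaysToExpiry with AutomaticChange disabled
#    is the case where a manual change is due.
Get-ManagedAccountStatus -UserName $accountName | Format-List

# 2. Password mismatch between AD DS and SharePoint: give SharePoint the
#    password that is already set in AD DS. Prompting as a SecureString keeps
#    the value out of the console history and any transcript.
$existing = Read-Host -Prompt "Current AD DS password for $accountName" -AsSecureString
Set-SPManagedAccount -Identity $accountName `
    -ExistingPassword $existing -UseExistingPassword $true

# 3. Suspected compromise or imminent expiry: let SharePoint generate a new
#    password and write it to AD DS, so no person ever knows the value.
# Set-SPManagedAccount -Identity $accountName -AutoGeneratePassword $true -Confirm:$false

# Confirm the expiry moved after either change.
Get-ManagedAccountStatus -UserName $accountName | Format-List
```

Run it from the SharePoint Management Shell as a farm administrator; step 3 is left commented so the resync in step 2 can be tested on its own.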

Changing the Farm Account

Finally, sometimes you want to change the farm account itself. Unfortunately, there is no PowerShell command for this. But you can still use stsadm to perform this operation:

stsadm.exe -o updatefarmcredentials
-userlogin DOMAIN\username -password password

Summary

We inherit SharePoint environments all the time. Frequently, the consultant that left didn't note down the farm passphrase or forgot to communicate it to you. Or, due to a security breach, all service account passwords must be changed. There are far too many instances where you need fine-grained control over the password management features in SharePoint 2013. This article walked you through the basic SharePoint commands and features that support password management.