SharePoint allows you to configure the “managed accounts” used to run service applications so that their passwords are changed automatically. I normally turn this on, as it is a good way to help keep those accounts secure.
Today I worked on an issue where the accounts were failing to log in. In IIS I could see that various App Pools using the managed accounts were stopped. I restarted them, but they stopped again immediately.
To make matters worse, I was unable to use Central Admin to reset the passwords.
Here’s what I did to solve the issue:
- In IIS I noted the name of the Service Account assigned to the stopped App Pool
- In Active Directory, I reset the password and set the account to never expire
- On the SharePoint server, I used PowerShell to reset the Service Account password to a known password (the one just set in Active Directory) using this command:
Set-SPManagedAccount -Identity Domain\User -ExistingPassword (ConvertTo-SecureString "P@ssword" -AsPlainText -Force)
- Back in IIS, restart the App Pool
- Repeat for all Managed Accounts with automatic password refresh
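The steps above, scripted so every affected account is handled in one pass. This is an added example, not the original post's command: it assumes an elevated SharePoint Management Shell on the SharePoint server, the WebAdministration module, and that each account's password has already been reset in Active Directory to the value you enter at the prompt.

```powershell
# Added example (not from the original post): re-sync managed accounts whose
# IIS app pools stop because SharePoint's stored password no longer matches AD.
# Assumes: elevated SharePoint Management Shell on the SharePoint server, and
# that the AD password reset (step 2 above) has already been done per account.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module WebAdministration

# Only managed accounts with automatic password change were affected.
$accounts = Get-SPManagedAccount | Where-Object { $_.AutomaticChange }

foreach ($account in $accounts) {
    $user = $account.UserName            # e.g. DOMAIN\svc_sp_app

    # App pools running as this account (case-insensitive compare).
    $pools = Get-ChildItem IIS:\AppPools |
        Where-Object { $_.processModel.userName -ieq $user }
    if (-not $pools) { continue }

    Write-Host "Managed account $user is used by: $($pools.Name -join ', ')"

    # Prompt per account as a SecureString so no password sits in the
    # script, the console history, or a transcript.
    $password = Read-Host "Enter the password now set in AD for $user" -AsSecureString

    # Tell SharePoint the credential that is currently valid in AD.
    Set-SPManagedAccount -Identity $user -ExistingPassword $password

    foreach ($pool in $pools) {
        if ((Get-WebAppPoolState -Name $pool.Name).Value -ne 'Started') {
            Start-WebAppPool -Name $pool.Name
        }
        # Re-check after a short pause: a pool that stops again within
        # seconds still has a credential IIS cannot log on with.
        Start-Sleep -Seconds 5
        $state = (Get-WebAppPoolState -Name $pool.Name).Value
        Write-Host "  $($pool.Name): $state"
    }
}
```

A pool that reports anything other than Started after the re-check usually means the AD reset and the password entered here do not match, so repeat both for that account.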
So what caused this?
A Windows update installed on the Domain Controllers was the issue. KB3177108 has a known issue that prevents the Kerberos negotiate process from falling back to NTLM, which is why the App Pools could no longer authenticate. The KB article goes into detail on this and on some workarounds.
Phew! We’re back online again. Happy days!