Thursday, April 17, 2014

SharePoint 2013: How to change the Distributed Cache service account

Introduction

You cannot change the Distributed Cache service account through Central Administration.  You must use PowerShell.  This posting shows you how.

When you first install and configure a SharePoint 2013 farm, the farm's Distributed Cache is initially run under the farm service account.  It's set to this service account automatically.  This situation will eventually trigger a rule definition error:

Title: The server farm account should not be used for other services.
Severity: 1 - Error
Category: Security
Explanation: [farmServiceAccount], the account used for the SharePoint timer service and the central administration site, is highly privileged and should not be used for any other services on any machines in the server farm.  The following services were found to use this account: Distributed Cache Service (Windows Service)
Remedy: Browse to [your CA host]/_admin/FarmCredentialManagement.aspx and change the account used for the services listed in the explanation. For more information about this rule, see "http://go.microsoft.com/fwlink/?LinkID=142685".
Failing Servers: 
Failing Services: SPTimerService (SPTimerV4)
Rule Settings: View
 
The remedy presented by this rule definition error works for most service accounts, but not for the Distributed Cache service.  In fact, if you navigate to CA > Security > Configure service accounts and then try to change the service account for Windows Service - Distributed Cache, you will receive an error:

The only way to change this at present is to use PowerShell.  The steps are shown next.

Procedure
  1. Identify an AD account that you want to use for the Distributed Cache service account.
  2. Register this account with the farm as a managed account.
  3. Log in to a farm server using your administrator account.  There is no need to use the farm administration account; your own is sufficient.
  4. Open a farm management shell as administrator (right-click, choose Run as Administrator).
  5. Execute each of the following statements, in order, where Domain\ServiceAccount is the service account you identified previously:
    # Get the farm object and locate the caching service within it
    $Farm = Get-SPFarm
    $CacheService = $Farm.Services | Where-Object {$_.Name -eq "AppFabricCachingService"}
    # Look up the managed account registered in step 2
    $Accnt = Get-SPManagedAccount -Identity Domain\ServiceAccount
    # Switch the service from the farm account to the specific managed account and persist the change
    $CacheService.ProcessIdentity.CurrentIdentityType = "SpecificUser"
    $CacheService.ProcessIdentity.ManagedAccount = $Accnt
    $CacheService.ProcessIdentity.Update()

    Though the service is named AppFabricCachingService, don't worry: you are configuring the right one.  The Distributed Cache service is built on the AppFabric caching service.  Also, "SpecificUser" is not a user-defined value; it is the literal value you need to type here.
  6. Wait.  It can take several minutes for this to complete.
  7. After completion, verify by navigating to:  CA > Security > Configure service accounts, selecting Windows Service - Distributed Cache.  The new account should now be displayed.
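The following script is an added example, not part of the original post, that carries the procedure above through in one pass and then verifies the result on every server hosting the Distributed Cache service instance rather than only in Central Administration.  It assumes you run it from a farm management shell as an administrator, that the target account is already registered as a managed account (step 2), and that DOMAIN\svc-cache is a placeholder you replace with your own account.  The check against the timer service account reflects the health rule quoted above: the farm account must not end up assigned to the cache service again.

```powershell
# Added example (not from the original post): change the Distributed Cache
# service account and verify it on every cache host.
# Assumes a SharePoint 2013 farm management shell run as administrator.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$accountName = "DOMAIN\svc-cache"   # placeholder: replace with your managed account

# 1. Locate the caching service in the farm (the Distributed Cache service
#    is built on AppFabricCachingService, so this is the right object).
$farm = Get-SPFarm
$cacheService = $farm.Services | Where-Object { $_.Name -eq "AppFabricCachingService" }
if (-not $cacheService) {
    throw "AppFabricCachingService was not found in this farm."
}

# 2. Record the current identity so the change can be compared afterwards.
$identity = $cacheService.ProcessIdentity
Write-Host ("Before: type={0} account={1}" -f $identity.CurrentIdentityType, $identity.Username)

# 3. The health rule flags the farm (timer service) account; refuse to reuse it.
$farmAccount = $farm.TimerService.ProcessIdentity.Username
if ($accountName -ieq $farmAccount) {
    throw "Refusing to use the farm account '$farmAccount' for the Distributed Cache service."
}

# 4. Resolve the managed account; fail loudly if it was never registered.
$managedAccount = Get-SPManagedAccount -Identity $accountName -ErrorAction Stop

# 5. Apply the change exactly as in step 5 of the procedure.
$identity.CurrentIdentityType = "SpecificUser"
$identity.ManagedAccount = $managedAccount
$identity.Update()
Write-Host ("After (farm config): type={0} account={1}" -f $identity.CurrentIdentityType, $identity.Username)

# 6. Verify on each server running the Distributed Cache service instance.
#    The farm configuration can show the new account before every host's
#    Windows service has actually been switched, so check the service logon
#    (Win32_Service.StartName) on each host rather than trusting CA alone.
$cacheInstances = Get-SPServiceInstance |
    Where-Object { $_.TypeName -eq "Distributed Cache" -and $_.Status -eq "Online" }

foreach ($instance in $cacheInstances) {
    $host = $instance.Server.Address
    $svc = Get-WmiObject -Class Win32_Service -ComputerName $host `
        -Filter "Name='AppFabricCachingService'"
    if ($svc -and ($svc.StartName -ieq $accountName)) {
        Write-Host ("{0}: OK, running as {1}" -f $host, $svc.StartName)
    } else {
        Write-Warning ("{0}: service still runs as '{1}'; wait a few minutes and re-check" -f $host, $svc.StartName)
    }
}
```

Step 6 of the procedure warns that the change can take several minutes, so a warning from the final loop immediately after Update() is expected; re-run only the verification loop until every host reports the new account.  Once all hosts report OK, re-analyze the health rule in Central Administration to clear the error.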
References
Notes
  • Thanks to reviewer Mark for catching the fact that the Deploy method in this case is unnecessary.  I've added the reference he cites to the References section.

9 comments:

Mark C. Davis said...

Thank you for your post on this. I ran the command but it errored on the final deploy command:

Exception calling "Deploy" with "0" argument(s):
"ErrorCode:SubStatus:TCP port 22234 is already
in use."
At line:1 char:1
+ $CacheService.ProcessIdentity.Deploy()
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : CmdletInvocationException

Did a quick Google search and hit this article. https://social.technet.microsoft.com/Forums/sharepoint/en-US/bc5d5765-2f48-4b05-b235-77d7776cdffd/unable-to-change-service-account-for-the-distributed-cache?forum=sharepointadmin

Seems that the deploy command is not necessary to complete the process. I checked my Dist Cache service and it is running as my service account now. Hope this helps. Thanks again!

Al said...

Mark - I verified and you are correct. Thank you for catching this.

Anonymous said...

Good job, pal.

Than Htat Aung said...

Hi, I can change the account according to this help.
But I still see this error; it has not disappeared yet.

Al said...

Than - you should only see this error if you attempted to change the service account from Central Administration. Can you provide the steps you took that generated this error?

Than Htat Aung said...

Hi Al,

Firstly, after I set up my SharePoint VM for development, I noticed this error.
And I found your blog,
so I followed your procedure, but in step 5 I added one more line of code:
$CacheService.ProcessIdentity.Deploy()

After that I checked from CA, and the account is changed.
To be sure, I even restarted the VM and noticed this message is still there.

Than Htat Aung said...

Sorry, I needed to reanalyze the health score.
And it is refreshed. Thanks Al, :)

Unknown said...

I had the same trouble as Than.

I had to run the Deploy command before the DistributedCacheService.exe was running under the new account. Before that, Central Administration showed it was configured to run under the new account, but even after a reboot it was still using the old account (as viewed via Task Manager).

I'm not sure why some of us need to run the command and others don't, but I think it's worth putting it in as an optional step.

greenbag said...

I have Distributed Cache running on four servers, but the script only changed the user on the one server where I ran it. To change it on the other servers, I stopped and started the Distributed Cache service from Central Administration for each of the other servers.