Service accounts are generally used for running services and other background processes on Windows computers, but they can also be used for interactive logon where multiple users must access the same logon session. Some examples of this scenario include:
- Lab or data logger equipment that runs for several days/weeks/months.
- Complex models that run for extended periods of time.
- Other applications that require continuous logon to run.
With the implementation of Two Factor Authentication (TFA), it is possible to map multiple Active Directory (AD) user accounts to a single service account using the altSecurityIdentities AD attribute. To have the accounts mapped, your local IT staff should open a ticket with the Service Desk. They will need to provide the name of the service account and the names of the users that will have their altSecurityIdentities attribute mapped to the service account.
Once completed, users will be able to log on interactively as that service account using their DOI PIV credential:
- The user enters his or her smart card PIN as they normally do.
- The user enters the service account name in the username hint box below the PIN entry field, as shown below, and then presses Enter.
- The user will be logged in as the service account:
- When the user is finished, they should either lock the console (if logged on locally) or disconnect the session (if logged on remotely) instead of logging out. Any other user whose AD account is mapped to that service account will then be able to log on to that session as the service account.
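Because every session on the shared account shows up in the logs under the service account's name rather than the individual's, the altSecurityIdentities mappings are the record that ties those sessions back to people. The following PowerShell script is an added example, not part of the original page or of the Service Desk procedure described above; it lists the certificate identities mapped to a service account and classifies each mapping by the strength categories Microsoft defines in KB5014754. It assumes the RSAT ActiveDirectory module is installed, that the mapping is stored on the service account's own altSecurityIdentities attribute, and that `svc-datalogger` is a placeholder account name.

```powershell
# Added example (not from the original page): audit the altSecurityIdentities
# mappings on a shared service account. Assumes the ActiveDirectory module
# (RSAT) is available; the account name below is a placeholder.
param(
    [string]$ServiceAccount = 'svc-datalogger'   # placeholder, not from the page
)

Import-Module ActiveDirectory

# Break one altSecurityIdentities value into its tagged fields and rate it.
# Per KB5014754, mappings that pin a single certificate (<I><SR>, <SKI>,
# <SHA1-PUKEY>) are "strong"; <I><S>, <S> and <RFC822> are "weak" because a
# new certificate with the same name would satisfy them.
function Parse-AltSecId {
    param([Parameter(Mandatory)][string]$Value)

    if ($Value -notmatch '^X509:') {
        return [pscustomobject]@{ Raw = $Value; Strength = 'non-X509'; Fields = @{} }
    }

    $fields = [ordered]@{}
    # Tags look like <I>, <S>, <SR>, <SKI>, <SHA1-PUKEY>; the text up to the
    # next '<' is that tag's value.
    $tokens = [regex]::Matches($Value.Substring(5), '<([A-Z0-9-]+)>([^<]*)')
    foreach ($t in $tokens) {
        $fields[$t.Groups[1].Value] = $t.Groups[2].Value
    }

    $strongTags = @('SR', 'SKI', 'SHA1-PUKEY')
    $isStrong = @($fields.Keys | Where-Object { $_ -in $strongTags }).Count -gt 0

    [pscustomobject]@{
        Raw      = $Value
        Strength = if ($isStrong) { 'strong' } else { 'weak' }
        Issuer   = $fields['I']
        Subject  = $fields['S']
        Fields   = $fields
    }
}

# Pull the attribute from AD and report one row per mapped credential.
function Get-ServiceAccountMappings {
    param([Parameter(Mandatory)][string]$Identity)

    $acct = Get-ADUser -Identity $Identity -Properties altSecurityIdentities
    if (-not $acct.altSecurityIdentities) {
        Write-Warning "No altSecurityIdentities mappings found on $Identity"
        return @()
    }
    foreach ($v in $acct.altSecurityIdentities) { Parse-AltSecId -Value $v }
}

$mappings = Get-ServiceAccountMappings -Identity $ServiceAccount
$mappings | Format-Table Strength, Issuer, Subject -AutoSize

# Flag the weak entries so the owning team can ask for them to be re-issued
# in a strong format when the user's PIV card is renewed.
$weak = $mappings | Where-Object Strength -eq 'weak'
if ($weak) {
    Write-Warning ("{0} of {1} mappings on {2} use a weak format" -f
        $weak.Count, $mappings.Count, $ServiceAccount)
}
```

Run it from a domain-joined administrative workstation as `.\Audit-ServiceAccountMappings.ps1 -ServiceAccount <name>` (script filename is an assumption). A useful periodic check is to compare the Subject column against the list of people who are still supposed to share the account, since removing a user from the account's list is what actually revokes their access to the shared session.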