Running Distributed Cache in a least privileged way

In a previous post, I mentioned the steps to least privilege the Distributed Cache, but I never really explained the steps; I only gave the PowerShell.

In this post, I'll explain the steps and provide the PowerShell for each of them.


High-level steps:

Note: this differs from modifying the size of the cache, which should also be done, along with making sure garbage collection is configured.

Step 1: Remove the Distributed Cache Service from the other hosts in the cache cluster

Step 2: Run the PowerShell to update the AppFabric identity

Step 3: Add the other hosts back into the distributed cache cluster


Detailed Steps:

Step 1:  On all but one of the servers in the farm, run the following PowerShell to remove the distributed cache service instance.  After running it, open the Windows services console (services.msc) and verify that the AppFabric Caching Service is disabled.

Remove-SPDistributedCacheServiceInstance

If you're working with a SharePoint 2016 farm, a server whose role is DistributedCache, SingleServerFarm, or WebFrontEndWithDistributedCache runs Distributed Cache as part of that role; change its role to Custom and then you can remove the distributed cache service instance.  You do not need to disconnect the server from the farm and join it back in with a new value for the local server role parameter.  You can use this PowerShell to change the role, or you can use the GUI:

Set-SPServer -Identity SERVER1 -Role Custom

This blog post gives solid instructions on how to use the GUI to make the change – Link

Step 2:  Make sure that the identity you will use is a non-administrative account on the server, has no special permissions in Active Directory, and either is the same identity that the application pool hosting the service applications runs under or has been granted access with GrantAccessToProcessIdentity on the web applications in the farm.  If the identity is not the one that runs the service applications' application pool, run this code:

# Grant the cache identity process-identity access on the web application
$wa = Get-SPWebApplication http://readonly.domain.com
$wa.GrantAccessToProcessIdentity("domain\dev_SP_DistributedCacheIDName")

In the example above, the web application URL is fictional, the word readonly has nothing to do with the actual state of the web application, and the Active Directory account name is dev_SP_DistributedCacheIDName.  A missing GrantAccessToProcessIdentity grant is a likely cause if you run the script below and the identity fails to change.
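The prerequisites for Step 2 can be checked instead of assumed. The following script is an added example, not from the original post: it checks that the intended account is not a local administrator on the server, checks whether it already runs a service application pool (in which case no grant is needed), and otherwise grants it process-identity access on every web application. It assumes the SharePoint Management Shell on a cache host, a farm administrator session, and uses the post's sample account domain\dev_SP_DistributedCacheIDName as a constructed value.

```powershell
# Added example (not part of the original post): pre-flight checks for Step 2.
# Assumes: SharePoint Management Shell, run on a cache host as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Constructed sample value; replace with the account you intend to use.
$CacheAccount = "domain\dev_SP_DistributedCacheIDName"

# 1. The account must not be a member of the local Administrators group.
#    ADSI is used so this works on older Windows Server builds without Get-LocalGroupMember.
$adminGroup = [ADSI]"WinNT://./Administrators,group"
$admins = @($adminGroup.psbase.Invoke("Members") | ForEach-Object {
    # ADsPath looks like WinNT://DOMAIN/user; normalise it to DOMAIN\user
    $_.GetType().InvokeMember("ADsPath", "GetProperty", $null, $_, $null) -replace "^WinNT://", "" -replace "/", "\"
})
if ($admins -contains $CacheAccount) {
    Write-Warning "$CacheAccount is a local administrator on $env:COMPUTERNAME; choose a non-admin account."
} else {
    Write-Host "OK: $CacheAccount is not a local administrator."
}

# 2. If the account already runs a service application pool, it already has the access it needs.
$poolAccounts = Get-SPServiceApplicationPool | Select-Object -ExpandProperty ProcessAccountName
$runsServiceAppPool = $poolAccounts -contains $CacheAccount

# 3. Otherwise grant it process-identity access on every content web application in the farm.
if ($runsServiceAppPool) {
    Write-Host "OK: $CacheAccount already runs a service application pool; no grant required."
} else {
    foreach ($wa in Get-SPWebApplication) {
        Write-Host "Granting $CacheAccount process identity access on $($wa.Url)"
        $wa.GrantAccessToProcessIdentity($CacheAccount)
    }
}
```

Run it before the identity change in Step 2; a warning from the first check means the account should be replaced rather than proceeding with it.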

Then run the following code to least privilege the service:

# Locate the AppFabric caching service in the farm
$farm = Get-SPFarm
$cacheService = $farm.Services | where {$_.Name -eq "AppFabricCachingService"}
# The managed account that the service will run as
$accnt = Get-SPManagedAccount -Identity domain_name\user_name
# Switch the process identity to that account and push the change to the servers
$cacheService.ProcessIdentity.CurrentIdentityType = "SpecificUser"
$cacheService.ProcessIdentity.ManagedAccount = $accnt
$cacheService.ProcessIdentity.Update()
$cacheService.ProcessIdentity.Deploy()

So, in our example, you'd replace domain_name\user_name with domain\dev_SP_DistributedCacheIDName.

NOTE: This part takes about 8 minutes to complete.  You can open the services console (services.msc) and watch the progress by refreshing.  Do not proceed to step 3 until the service shows as Running.

Step 3:  Verify that step 2 has completed and that the AppFabric service is running on the server by opening the Windows services console (services.msc).  Then, add the other hosts that will be part of the Distributed Cache cluster back into the cluster via PowerShell, or via a combination of PowerShell and the Central Admin GUI.  In the previous post, I assumed you only had one server in the distributed cache cluster.  These steps assume you have more than one.  If you only have one server running the distributed cache service instance, you can stop now; you're done.  If not, proceed.


Run the following command on each host to add the Distributed Cache Service instance to that server.

Add-SPDistributedCacheServiceInstance

If working with a SharePoint 2016 farm, use one of the following values for the -Role parameter: DistributedCache, SingleServerFarm, WebFrontEndWithDistributedCache, or Custom.

For example, in a single server farm that is used for production, and has a separate back-end SQL, you’d run this:

Add-SPDistributedCacheServiceInstance -Role Custom

After the host is added, check the status of the Distributed Cache Service instance and confirm that it is started.  On the Services on Server page in Central Administration you will most likely see that the server now has the Distributed Cache Service instance in a stopped state.  You can start it from there, or you can run this PowerShell to start the service:


# Find the Distributed Cache service instance belonging to this server and start it
$instance = Get-SPServiceInstance | ? {$_.TypeName -eq "Distributed Cache" -and $_.Server.Name -eq $env:computername}
$instance.Provision()
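Rather than refreshing services.msc by hand (the wait noted in Step 2) and eyeballing the Services on Server page (Step 3), the outcome of both steps can be verified from one script. The following is an added example, not from the original post: it polls the Windows service until it is Running, checks that it logs on as the least-privileged account rather than the farm account, then lists the farm's Distributed Cache service instances and the AppFabric cluster hosts. It assumes the SharePoint Management Shell on a cache host and uses the post's sample account domain\dev_SP_DistributedCacheIDName as a constructed value.

```powershell
# Added example (not part of the original post): verify Steps 2 and 3 on this cache host.
# Assumes: SharePoint Management Shell, run locally on a Distributed Cache host.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module DistributedCacheAdministration -ErrorAction SilentlyContinue

# Constructed sample value; replace with the account you configured in Step 2.
$ExpectedAccount = "domain\dev_SP_DistributedCacheIDName"

# Poll the Windows service until it reports Running (the post notes this takes around 8 minutes).
function Wait-AppFabricService {
    param([int]$TimeoutMinutes = 15)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $svc = Get-WmiObject Win32_Service -Filter "Name='AppFabricCachingService'"
        if ($svc.State -eq "Running") { return $svc }
        Write-Host ("{0:HH:mm:ss} AppFabricCachingService is {1}; waiting..." -f (Get-Date), $svc.State)
        Start-Sleep -Seconds 15
    } while ((Get-Date) -lt $deadline)
    throw "AppFabricCachingService did not reach Running within $TimeoutMinutes minutes (state: $($svc.State))"
}

$svc = Wait-AppFabricService

# The service must log on as the least-privileged account, not the farm account or LocalSystem.
# StartName is reported as DOMAIN\user; the comparison is case-insensitive.
if ($svc.StartName -ne $ExpectedAccount) {
    Write-Warning "Service logs on as '$($svc.StartName)', expected '$ExpectedAccount'"
} else {
    Write-Host "OK: service logs on as $($svc.StartName)"
}

# Farm view: every intended host should show the Distributed Cache instance as Online.
Get-SPServiceInstance | Where-Object { $_.TypeName -eq "Distributed Cache" } |
    Select-Object @{n="Server";e={$_.Server.Name}}, Status | Format-Table -AutoSize

# Cluster view: every host should be UP in the AppFabric cache cluster.
Use-CacheCluster
Get-CacheHost | Format-Table HostName, PortNo, Status -AutoSize
```

A host that is Online in the farm view but not UP in the cluster view points at the AppFabric side (service identity or cluster configuration) rather than at SharePoint's service instance, which narrows down where to look.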