Dom Cosgrove Blog

Don’t use service account names with more than 20 characters! Why… read on!

Recently, I was working on updating the Windows SharePoint Service Help Search Accounts. The issue was that when the DEV, UAT and production farms where originally built the same service accounts were used for each environment. This is NOT best practice, so I went about changing DEV and UAT, leaving Production using the original accounts. The process of updating the service accounts is simple enough using STSADM:

stsadm –o spsearch –farmserviceaccount [domain\serviceaccount] –farmservicepassword [password]

stsadm –o spsearch –farmcontentaccessaccount [domain\serviceaccount] –farmcontentaccesspassword [password]

An issue arose where we used the original service account post-fixed with the environment e.g.

When trying to update the service accounts I kept getting the following message:

Basically, saying that the account being provided is not valid. If I did the same update through the Central Administration I got the following message:

The username and password entered are not valid.

After several rounds of changing the password, recreating the account and trying manually set the service account, it was discovered that SharePoint uses the sAMAccountName rather than the UPN when it passes credentials. The sAMAccountName has a 20 character limit for backward compatibility.

The work around is simple keep the service account names to less than 20 characters. An alternative approach, one that I’ve not tested yet is to use the following format for the account [service account]@[domain.com]. Anyway I hope that this will save you some time, I wish I had known this limitation before I embarked on updating the accounts.