Windows Server 2025 Introduces Managed Identity for Cloud Witness Quorum Resource

Cloud Reporter

Windows Server 2025 enhances failover clustering security by replacing SAS tokens with managed identities for Cloud Witness quorum resources, eliminating credential storage in the cluster database.

Windows Server 2025 introduces a significant security enhancement for failover clustering by enabling managed identity authentication for Cloud Witness quorum resources. This update replaces the previous method of storing SAS tokens (StorageAccountAccessKey) in the cluster database with a more secure approach that only stores the managed identity name.

What Changed in Windows Server 2025

The Cloud Witness feature, first introduced in Windows Server 2016, allows failover clusters to use Azure storage accounts as quorum witnesses. Previously, clusters stored SAS tokens directly in the cluster database to authenticate with Azure storage accounts. Windows Server 2025 replaces this approach with managed identity authentication, eliminating the need to store sensitive credentials within the cluster.

Why This Matters for Cluster Security

Storing credentials in the cluster database posed security risks, as anyone with database access could potentially retrieve the SAS token. By using managed identities, only the identity name is stored, significantly reducing the attack surface. This aligns with modern security best practices that emphasize minimizing credential storage and leveraging identity-based authentication.

How Cloud Witness Quorum Works

The Cloud Witness quorum resource uses a Paxos tag system where only the date-time stamp and filename (the cluster GUID) are stored in Azure storage. This lightweight approach contrasts with Disk Witness quorum resources that contain full cluster database copies. The Paxos tag serves as a tiebreaker during network partitions, allowing the cluster to maintain functionality when split-brain scenarios occur.

Implementation Steps

Creating New Clusters with Managed Identity

  1. Create an Azure storage account (e.g., cloudwitnessdemo)
  2. Deploy Windows Server 2025 VMs or physical servers with the Failover Clustering feature enabled
  3. Install the latest Windows updates on all nodes
  4. Connect each server to Azure Arc, which automatically creates a managed identity for each node
  5. Assign the Storage Blob Data Contributor role to each node's managed identity via Access Control in the Azure Portal
  6. Create the cluster using the New-Cluster cmdlet
  7. Configure the Cloud Witness with managed identity using the Set-ClusterQuorum cmdlet

Converting Existing Clusters

For existing clusters, the process involves similar steps but requires updating the Cloud Witness configuration. Running the Set-ClusterQuorum cmdlet with the -UseManagedIdentity parameter replaces the existing Cloud Witness setup with the new managed identity configuration.

Verification and Monitoring

Administrators can verify the managed identity configuration using the Get-ClusterResource cmdlet, which exposes the witness parameters AccountName, EndpointInfo, ContainerName, and the IsManagedIdentity flag. An IsManagedIdentity value of 1 confirms that the witness authenticates with the managed identity rather than a stored key.
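The role assignment, witness configuration and verification steps described above, as an added PowerShell example that is not from the article or from Microsoft. The resource group, node names and Az cmdlets used to look up the Arc machine identities are assumptions; -UseManagedIdentity is the switch the article names, and the IsManagedIdentity check follows the article's description of the parameter.

```powershell
# Added example: wire a Windows Server 2025 Cloud Witness to node managed identities
# and confirm nothing key-like remains in the cluster database. Names are constructed.
$ResourceGroup  = 'rg-cluster-demo'     # placeholder resource group (assumption)
$StorageAccount = 'cloudwitnessdemo'    # storage account name used in the article
$Nodes          = 'node1', 'node2'      # placeholder Arc-connected node names

function Grant-WitnessBlobAccess {
    # Step 5: grant each node's Arc (system-assigned) identity blob access on the witness account.
    # Assumes Az.Storage, Az.ConnectedMachine and Az.Resources modules are installed and logged in.
    param([string]$ResourceGroup, [string]$StorageAccount, [string[]]$Nodes)
    $scope = (Get-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount).Id
    foreach ($node in $Nodes) {
        $principalId = (Get-AzConnectedMachine -ResourceGroupName $ResourceGroup -Name $node).Identity.PrincipalId
        New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName 'Storage Blob Data Contributor' `
                             -Scope $scope -ErrorAction Stop | Out-Null
    }
}

function Set-CloudWitnessManagedIdentity {
    # Step 7 / conversion: no -AccessKey is passed, so no SAS token is written to the cluster DB.
    # This replaces an existing key-based Cloud Witness on the cluster it is run on.
    param([string]$StorageAccount)
    Set-ClusterQuorum -CloudWitness -AccountName $StorageAccount -UseManagedIdentity
}

function Test-CloudWitnessManagedIdentity {
    # Verification: returns $true only when the witness is online, flagged IsManagedIdentity=1,
    # and no populated parameter with "AccessKey" in its name exists on the resource.
    $witness = Get-ClusterResource | Where-Object ResourceType -eq 'Cloud Witness'
    if (-not $witness) { Write-Warning 'No Cloud Witness resource found'; return $false }
    $params = $witness | Get-ClusterParameter
    $isMI   = [int](($params | Where-Object Name -eq 'IsManagedIdentity').Value)
    $hasKey = @($params | Where-Object { $_.Name -like '*AccessKey*' -and $_.Value }).Count -gt 0
    $ok = ($witness.State -eq 'Online') -and ($isMI -eq 1) -and (-not $hasKey)
    $params | Where-Object Name -in 'AccountName','EndpointInfo','ContainerName','IsManagedIdentity' |
        Format-Table Name, Value -AutoSize
    return $ok
}

Grant-WitnessBlobAccess -ResourceGroup $ResourceGroup -StorageAccount $StorageAccount -Nodes $Nodes
Set-CloudWitnessManagedIdentity -StorageAccount $StorageAccount
if (-not (Test-CloudWitnessManagedIdentity)) { throw 'Cloud Witness is not using managed identity' }
```

Run it from one cluster node after all nodes are Arc-connected and patched; role assignments can take a few minutes to propagate before the witness comes online.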

Business Impact

This enhancement provides several benefits:

  • Enhanced security through credential elimination
  • Simplified credential management
  • Better alignment with Azure identity best practices
  • Reduced administrative overhead for credential rotation
  • Improved compliance with security standards

The update maintains backward compatibility while offering a more secure path forward for organizations deploying or upgrading to Windows Server 2025. For detailed implementation guidance, refer to the official Microsoft documentation on deploying quorum witnesses.

This security enhancement represents Microsoft's ongoing commitment to improving cloud-integrated infrastructure security while maintaining the reliability and availability that failover clustering provides for critical workloads like Hyper-V VMs, SQL Server Availability Sets, and Scale-out File Server deployments.
