Forum Discussion
DirectoryServicesClient CreateLdapConnectionAsync failed to retrieve group managed service account
I created a gMSA on one of the DCs because the ADFS server could not communicate to the DCs themselves and I figured a service account wasn't cutting it. Now I am getting an error saying, "Directory services user credentials are incorrect" - "Credentials for the directory services user ######## are incorrect. Your MDI sensor(s) cannot connect to ######### and ######### without these credentials. The directory services user is required to perform LDAP queries against the domain controllers."
Any ideas of where to start? I will also open a ticket. It just seems like ADFS has not been able to connect to the DCs even with the new gMSA.
6 Replies
- ytakeaki
Copper Contributor
I got the same error too. I resolved it with the following settings.
https://learn.microsoft.com/en-US/defender-for-identity/directory-service-accounts
* Verify that the gMSA account has the required rights (if needed)
You have to check Group Policy.
Domain > Default Domain Policy
or
Domain > Domain Controllers > Default Domain Controllers Policy
or
other GPO settings
Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> Log on as a service is set.
If the setting is configured, add the gMSA account to the list of accounts that can log on as a service in the Group Policy Management Editor. After that, do gpupdate.
- EliOfek
Microsoft
Inspect the local sensor logs for more details about the error.
- jwilliams1490
Copper Contributor
It seems like it can't get an LDAP connection going? Permissions?
Error DirectoryServicesClient+<CreateLdapConnectionAsync>d__38 Microsoft.Tri.Infrastructure.ExtendedException: CreateLdapConnectionAsync failed [DomainControllerDnsName===========]
at async Task<LdapConnection> Microsoft.Tri.Sensor.DirectoryServicesClient.CreateLdapConnectionAsync(DomainControllerConnectionData domainControllerConnectionData, bool isGlobalCatalog, bool isTraversing)
at async Task<bool> Microsoft.Tri.Sensor.DirectoryServicesClient.TryCreateLdapConnectionAsync(DomainControllerConnectionData domainControllerConnectionData, bool isGlobalCatalog, bool isTraversing)
2021-07-29 14:26:41.4138 Error DirectoryServicesClient Microsoft.Tri.Infrastructure.ExtendedException: Failed to communicate with configured domain controllers
at new Microsoft.Tri.Sensor.DirectoryServicesClient(IConfigurationManager configurationManager, IDomainNetworkCredentialsManager domainNetworkCredentialsManager, IRemoteImpersonationManager remoteImpersonationManager, IMetricManager metricManager, IWorkspaceApplicationSensorApiJsonProxy workspaceApplicationSensorApiJsonProxy)
at object lambda_method(Closure, object[])
at object Autofac.Core.Activators.Reflection.ConstructorParameterBinding.Instantiate()
at void Microsoft.Tri.Infrastructure.ModuleManager.AddModules(Type[] moduleTypes)
at new Microsoft.Tri.Sensor.SensorModuleManager()
at ModuleManager Microsoft.Tri.Sensor.SensorService.CreateModuleManager()
at async Task Microsoft.Tri.Infrastructure.Service.OnStartAsync()
at void Microsoft.Tri.Infrastructure.TaskExtension.Await(Task task)
at void Microsoft.Tri.Infrastructure.Service.OnStart(string[] args)
I also see this: DirectoryServicesClient CreateLdapConnectionAsync failed to retrieve group managed service account password
- EliOfek
Microsoft
The machine account does not have permissions to pull the gMSA password; you need to fix it.
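The permission EliOfek refers to is the gMSA's PrincipalsAllowedToRetrieveManagedPassword attribute, which must list the sensor host's computer account (or a group it belongs to). The following check is an added example, not code from the thread or from Microsoft; it assumes the RSAT ActiveDirectory module is installed on the sensor host and uses a placeholder gMSA name.

```powershell
# Added example (not from the thread): run on the MDI sensor host as a domain user
# that can read Active Directory. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory
$GmsaName = 'mdiSvc01'   # placeholder: name of your MDI gMSA (without the trailing '$')

# Who is allowed to fetch this gMSA's managed password? (collection of distinguished names)
$gmsa    = Get-ADServiceAccount -Identity $GmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword
$allowed = @($gmsa.PrincipalsAllowedToRetrieveManagedPassword)
if ($allowed.Count -eq 0) {
    Write-Warning "No principals are allowed to retrieve the password of $GmsaName."
}

# The sensor service runs as the local machine account, so collect its DN plus the
# DNs of the groups it is a direct member of (the usual 'sensor hosts group' pattern).
$computer    = Get-ADComputer -Identity $env:COMPUTERNAME
$computerDns = @($computer.DistinguishedName) +
    @(Get-ADPrincipalGroupMembership -Identity $computer | Select-Object -ExpandProperty DistinguishedName)

$match = $computerDns | Where-Object { $allowed -contains $_ }
if ($match) {
    "OK: $env:COMPUTERNAME may retrieve the gMSA password via: $($match -join ', ')"
} else {
    Write-Warning ("$env:COMPUTERNAME is not in PrincipalsAllowedToRetrieveManagedPassword of " +
                   "$GmsaName (allowed: $($allowed -join '; ')). This matches the sensor log " +
                   "'failed to retrieve group managed service account password'.")
    # Remediation, run with rights to modify the gMSA; keeps the existing entries and adds this host:
    # Set-ADServiceAccount -Identity $GmsaName -PrincipalsAllowedToRetrieveManagedPassword ($allowed + $computer.DistinguishedName)
}

# End-to-end check from this host: $true only if the computer account can actually
# pull the managed password from a DC (a group change needs a reboot or new host ticket first).
Test-ADServiceAccount -Identity $GmsaName
```

If Test-ADServiceAccount returns $false even though the DN check passes, the host's Kerberos ticket predates its group membership; restart the sensor host and retest before looking elsewhere.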