Forum Discussion

C-Fou
Copper Contributor
May 05, 2022

GMSA issue to fetch the password

Hi,


I have a weird issue that doesn't allow gMSA account installation.


The context: 2 test Hyper-V VMs from a unique base disk containing a fresh install of Windows Server 2019 with all default settings and sysprepped (no Windows Update KB). This disk was used before with other VMs (and DC) without any issue. Now, any test causes it.


2 VMs, 1 DC, 1 member server, network connected to an internal vswitch with no NAT (so no Internet connection)

On DC TestDC, install Active Directory with this:

Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools | Out-Null
Install-ADDSForest -DomainName test.adds -SafeModeAdministratorPassword $pass -NoDnsOnNetwork -DomainNetbiosName TEST -Confirm:$false -WarningAction SilentlyContinue

After reboot, add an OU Servers in the domain.

Add the member server TestSrv into the domain:

Add-Computer -DomainName test.adds -Credential (Get-Credential) -OUPath "OU=Servers,DC=test,DC=adds" -Restart

Add a KDS Root Key

Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)

Create the gMSA:

New-ADServiceAccount -Name gMSATest -DNSHostName gMSATest.test.adds -PrincipalsAllowedToDelegateToAccount TestSrv$

On the member server TestSrv (samAccountName = TestSrv$), log in as a domain admin, install the PowerShell ActiveDirectory module and install the gMSA account:

Install-ADServiceAccount gMSATest

This throws an "Access denied" error message.

On the domain controller, there is a 2947 warning in the Directory Service event log ("An attempt to fetch the password of a group managed service account failed."):

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{0e8478c5-3605-4e8c-8497-1e730c959516}" EventSourceName="NTDS General" />
    <EventID Qualifiers="32768">2947</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>2</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2022-05-04T18:00:35.792531000Z" />
    <EventRecordID>200</EventRecordID>
    <Correlation />
    <Execution ProcessID="656" ThreadID="1924" />
    <Channel>Directory Service</Channel>
    <Computer>TestDC.test.adds</Computer>
    <Security UserID="S-1-5-21-3796816545-3530982558-2557181029-1103" />
  </System>
  <EventData>
    <Data>CN=gMSATest,CN=Managed Service Accounts,DC=test,DC=adds</Data>
    <Data>S-1-5-21-3796816545-3530982558-2557181029-1103</Data>
    <Data>192.168.19.31:49954</Data>
    <Data>8995</Data>
  </EventData>
</Event>


What is really weird is that this was working on previous VMs with the same base disk; now any VM I try, even recreating the DC, will throw this error.


Going further:

MSA accounts are working correctly.

I tried to fully reinstall everything, including the base disk, with an updated ISO from 08/2021, version 17763.2114... with no success, same issue.


Any thoughts?

Thanks

  • LainRobertson
    Silver Contributor

    C-Fou 


    In your New-ADServiceAccount statement, you have mistakenly used "-PrincipalsAllowedToDelegateToAccount" where you ought to have used "-PrincipalsAllowedToRetrieveManagedPassword".


    The "access denied" makes sense in this context.


    Cheers,

    Lain

    • C-Fou
      Copper Contributor

      LainRobertson oh, I am so dumb, no misunderstanding, only I did it so quickly with autocompletion. Worse for me, I have repeated it several times!!!! Thanks 🙂

      • LainRobertson
        Silver Contributor

        C-Fou 


        Ah, we all do it (multiple times a day in my case) - don't worry about it.


        Cheers,

        Lain
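Added example, not code from the thread: the corrected form of the New-ADServiceAccount command from LainRobertson's answer, with the checks an administrator would run on the DC and on the member server, and a query that surfaces any further 2947 events so failed password fetches stay visible. It assumes the names used in the thread (domain test.adds, gMSA gMSATest, member server TestSrv).

```powershell
# Added example; names (test.adds, gMSATest, TestSrv) are the ones from the thread.

# On the DC. -PrincipalsAllowedToRetrieveManagedPassword is what grants TestSrv$
# the right to read the managed password. -PrincipalsAllowedToDelegateToAccount
# configures resource-based constrained delegation instead and grants no
# password-retrieval right, which is why the DC logged 2947 / Access denied.
New-ADServiceAccount -Name gMSATest -DNSHostName gMSATest.test.adds `
    -PrincipalsAllowedToRetrieveManagedPassword 'TestSrv$'

# If the account was already created with the wrong parameter, fix it in place
# rather than deleting and recreating it.
Set-ADServiceAccount -Identity gMSATest -PrincipalsAllowedToRetrieveManagedPassword 'TestSrv$'

# Verify who may retrieve the password; TestSrv$ should be the only entry.
Get-ADServiceAccount -Identity gMSATest -Properties PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object -ExpandProperty PrincipalsAllowedToRetrieveManagedPassword

# On the member server TestSrv. If a group rather than the computer account is
# granted retrieval, reboot first so the computer's Kerberos ticket carries the
# new group membership.
Install-ADServiceAccount -Identity gMSATest
Test-ADServiceAccount -Identity gMSATest     # True once the password is retrievable

# On the DC: list recent failed retrieval attempts (event 2947) so a misconfigured
# or unexpected caller is visible. Field order follows the event shown in the thread.
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2947 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Account = $_.Properties[0].Value   # DN of the gMSA
            Caller  = $_.Properties[1].Value   # SID of the principal that tried to fetch
            Client  = $_.Properties[2].Value   # source IP:port of the request
            Error   = $_.Properties[3].Value   # error code (8995 in the thread's event)
        }
    }
```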
