Forum Discussion
C-Fou
May 05, 2022, Copper Contributor
GMSA issue to fetch the password
Hi,
I have a weird issue that doesn't allow gMSA account installation.
The context: 2 test Hyper-V VMs from a single base disk containing a fresh install of Windows Server 2019 with all default settings and sysprepped (no Windows Update KBs). This disk was used before with other VMs (and a DC) without any issue. Now, any test causes it.
2 VMs, 1 DC, 1 member server, network connected to an internal vswitch with no NAT (so no Internet connection)
On the DC TestDC, install Active Directory with this:
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools | Out-Null
# $pass is a SecureString holding the DSRM password, prepared beforehand
Install-ADDSForest -DomainName test.adds -SafeModeAdministratorPassword $pass -NoDnsOnNetwork -DomainNetbiosName TEST -Confirm:$false -WarningAction SilentlyContinue
After reboot, add an OU "Servers" in the domain.
Add the member server TestSrv into the domain:
Add-Computer -DomainName test.adds -Credential (Get-Credential) -OUPath "OU=Servers,DC=test,DC=adds" -Restart
Add a KDS Root Key:
# Backdating the effective time is a lab-only shortcut; in production the key becomes usable after 10 hours
Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)
Create the gMSA:
New-ADServiceAccount -Name gMSATest -DNSHostName gMSATest.test.adds -PrincipalsAllowedToDelegateToAccount TestSrv$
On the member server TestSrv (sAMAccountName = TestSrv$), log in as a domain admin, install the PowerShell ActiveDirectory module and install the gMSA account:
Install-ADServiceAccount gMSATest
This throws an "Access denied" error message.
On the domain controller, there is a 2947 warning in the Directory Service event log ("An attempt to fetch the password of a group managed service account failed."):
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{0e8478c5-3605-4e8c-8497-1e730c959516}" EventSourceName="NTDS General" />
    <EventID Qualifiers="32768">2947</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>2</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2022-05-04T18:00:35.792531000Z" />
    <EventRecordID>200</EventRecordID>
    <Correlation />
    <Execution ProcessID="656" ThreadID="1924" />
    <Channel>Directory Service</Channel>
    <Computer>TestDC.test.adds</Computer>
    <Security UserID="S-1-5-21-3796816545-3530982558-2557181029-1103" />
  </System>
  <EventData>
    <Data>CN=gMSATest,CN=Managed Service Accounts,DC=test,DC=adds</Data>
    <Data>S-1-5-21-3796816545-3530982558-2557181029-1103</Data>
    <Data>192.168.19.31:49954</Data>
    <Data>8995</Data>
  </EventData>
</Event>
What is really weird is that this was working on previous VMs with the same base disk; now any VM I try, even when recreating the DC, throws this error.
Going further:
MSA accounts are working correctly.
I tried to fully reinstall everything, including the base disk, with an updated ISO from 08/2021 (version 17763.2114...), with no success: same issue.
Any thoughts?
Thanks
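As an added example (not part of the original post), the following PowerShell run on the DC reads the recent 2947 warnings like the one quoted above, resolves the caller SID to an account, and lists it next to the gMSA's retrieve and delegate principal lists so a mismatch is visible at a glance. It assumes the ActiveDirectory module is present on the DC and that the event's Data fields come in the order shown in the quoted event (gMSA DN, caller SID, client endpoint, error code).

```powershell
# Added diagnostic example, not from the thread. Run on the domain controller.
Import-Module ActiveDirectory

# Pull the most recent "failed to fetch gMSA password" warnings (event 2947)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2947 } `
                       -MaxEvents 20 -ErrorAction SilentlyContinue

foreach ($e in $events) {
    $xml    = [xml]$e.ToXml()
    $data   = $xml.Event.EventData.Data   # assumed order: gMSA DN, caller SID, client endpoint, error code
    $gmsaDn = $data[0]
    $sid    = $data[1]
    $client = $data[2]
    $code   = $data[3]

    # Translate the caller SID (usually the requesting computer account, e.g. TEST\TestSrv$)
    try {
        $caller = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                      [System.Security.Principal.NTAccount]).Value
    } catch {
        $caller = '<unresolved>'
    }

    # Read both principal lists on the gMSA; only the first one grants password retrieval
    $gmsa = Get-ADServiceAccount -Identity $gmsaDn `
                -Properties PrincipalsAllowedToRetrieveManagedPassword, PrincipalsAllowedToDelegateToAccount

    [pscustomobject]@{
        Time              = $e.TimeCreated
        gMSA              = $gmsa.Name
        Caller            = "$caller ($sid)"
        Client            = $client
        ErrorCode         = $code
        AllowedToRetrieve = ($gmsa.PrincipalsAllowedToRetrieveManagedPassword -join '; ')
        AllowedToDelegate = ($gmsa.PrincipalsAllowedToDelegateToAccount -join '; ')
    }
}
```

If the caller shown in a row is the member server's computer account but it does not appear under AllowedToRetrieve, the DC is correctly refusing the request: retrieval rights come only from PrincipalsAllowedToRetrieveManagedPassword (the msDS-GroupMSAMembership attribute), not from the delegation list.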
- LainRobertson, Silver Contributor
In your New-ADServiceAccount statement, you have mistakenly used "-PrincipalsAllowedToDelegateToAccount" where you ought to have used "-PrincipalsAllowedToRetrieveManagedPassword".
The "access denied" makes sense in this context.
Cheers,
Lain
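As an added example (not Lain's own code), here is how the correction above looks in practice: repair the existing gMSA in place with Set-ADServiceAccount (or create it with the right parameter from the start), then confirm on the DC and on the member server that the password can actually be retrieved. Names (gMSATest, TestSrv, test.adds) are taken from the thread; the cleanup of the delegation list is an assumption about what the poster wants, since that list was set by mistake.

```powershell
# Added example, not from the thread. Run on the DC (or any host with the AD module and rights on the gMSA).
Import-Module ActiveDirectory

$gmsaName = 'gMSATest'
$server   = Get-ADComputer -Identity 'TestSrv'   # the computer account that must fetch the password

# Option A: repair the account that was created with -PrincipalsAllowedToDelegateToAccount
Set-ADServiceAccount -Identity $gmsaName -PrincipalsAllowedToRetrieveManagedPassword $server
# The delegation list was set by mistake; clearing it is assumed to be the desired state here
Set-ADServiceAccount -Identity $gmsaName -PrincipalsAllowedToDelegateToAccount $null

# Option B: what the original New-ADServiceAccount call should have been
# New-ADServiceAccount -Name $gmsaName -DNSHostName "$gmsaName.test.adds" `
#     -PrincipalsAllowedToRetrieveManagedPassword $server

# Check on the DC: the member server must show up in the retrieve list
Get-ADServiceAccount -Identity $gmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, PrincipalsAllowedToRetrieveManagedPassword

# Then on TestSrv, in an elevated PowerShell with the AD module installed:
# Install-ADServiceAccount -Identity $gmsaName
# Test-ADServiceAccount -Identity $gmsaName   # True once the computer account can retrieve the password
#
# If you grant retrieval through a group instead of the computer account itself, the member server
# needs a fresh Kerberos ticket before the DC sees the membership: reboot it, or purge the
# machine's tickets with   klist -li 0x3e7 purge   and retry.
```

Listing the computer account directly, as above, works immediately; a group is more maintainable for several hosts but brings the ticket-refresh caveat noted in the comments.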
- C-Fou, Copper Contributor
LainRobertson oh, I am so dumb; no misunderstanding, I just did it so quickly with autocompletion. Worse for me, I have repeated it several times!!!! Thanks 🙂
- LainRobertson, Silver Contributor