Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

ATP GMSA Password password could not be retrieved

Copper Contributor

I have 8 Domain Controllers in my test environment.  Four are failing with the error above.

 

The gmsa is configured and the DC's are in a security groups that has "PrincipalsAllowedToRetrivePassword".

 

Running Test-ADServiceAccount returns "True"

 

I have a GPO assigned so that the GMSA can Log On As a Service.  Running GP Results shows that the GPO is applied and setting is correct.

 

Error Message is:

Directory services user credentials are incorrect

Credentials for the directory services user GMSA are incorrect.  Your MDI sensor(s) cannot connect to 4 Domain Controllers without these credentials.  The directory services user is required to perform LDAP queries against the domain controllers.

3 Replies

@Chrisagardner63 

Are the 4 DCs in a different domain? They won't be able to access the credentials if there isn't a two-way kerberos trust between the two domains. 

 

Otherwise, I'd recommend opening a Service Request for this one. Seems like you hit all the obvious nails. 

Did you ever get this resolved? I've come across the same issue.

Hi @DevRin,

Recently, I came across the same problem I have followed the steps below, and it's solved my problem  

1. Removed the gMSA used by MDI. I have also removed the gMSA response action account.
2. Removed the credentials entries MDI.
3. Added a brand new gMSA account for MDI and a new.gMSA account for MDI response actions
4. Added the gMSA accounts credentials back in MDI.

I have done these steps from the Microsoft Defender Portal:

1. Logged in through https://security.microsoft.com;
2. Go to ‘Settings’;
3. Go to ‘Identities’

Maybe this can also solve your problem.

Kind Regards,
Tiennes