Dec 16 2020 10:30 AM
I have 8 Domain Controllers in my test environment. Four are failing with the error above.
The gMSA is configured, and the DCs are in a security group that has "PrincipalsAllowedToRetrieveManagedPassword".
Running Test-ADServiceAccount returns "True".
I have a GPO assigned so that the gMSA can Log On As a Service. Running GP Results shows that the GPO is applied and the setting is correct.
Error Message is:
Directory services user credentials are incorrect
Credentials for the directory services user GMSA are incorrect. Your MDI sensor(s) cannot connect to 4 Domain Controllers without these credentials. The directory services user is required to perform LDAP queries against the domain controllers.
Dec 18 2020 03:13 PM
Are the 4 DCs in a different domain? They won't be able to access the credentials if there isn't a two-way Kerberos trust between the two domains.
Otherwise, I'd recommend opening a Service Request for this one. Seems like you hit all the obvious nails.
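The two posts above between them name four conditions a sensor host must meet before an MDI gMSA can be used: the DC's computer account must be allowed to retrieve the managed password, Test-ADServiceAccount must succeed on that host, the gMSA must hold "Log on as a service" there, and a DC in another domain needs a two-way trust to the gMSA's domain. The script below is an added example, not code from this thread or from Microsoft, that checks all four per DC so that the four failing hosts can be compared against the four working ones. It assumes the RSAT ActiveDirectory module, WinRM access to each DC, and placeholder names (`mdiSvc`, `DC01`..`DC04`) that are hypothetical; Test-ADServiceAccount is run remotely on each DC because it tests the local host it runs on.

```powershell
<#
  Added example (not from the thread): per-DC check of the conditions discussed above
  for an MDI sensor running under a gMSA.
    1. DC computer account (directly or via nested group) is in PrincipalsAllowedToRetrieveManagedPassword
    2. Test-ADServiceAccount succeeds ON that DC
    3. gMSA holds SeServiceLogonRight ("Log on as a service") in the DC's effective policy
    4. DC in another domain: a two-way trust exists to the gMSA's domain
  Assumptions: RSAT ActiveDirectory module, WinRM to each DC; gMSA and DC names are placeholders.
#>
param(
    [string]   $GmsaName          = 'mdiSvc',                          # hypothetical
    [string[]] $DomainControllers = @('DC01', 'DC02', 'DC03', 'DC04')   # hypothetical
)

Import-Module ActiveDirectory

$gmsa       = Get-ADServiceAccount -Identity $GmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword
$gmsaDomain = (Get-ADDomain).DNSRoot                  # domain the gMSA was resolved in
$allowedDns = @($gmsa.PrincipalsAllowedToRetrieveManagedPassword)

foreach ($dc in $DomainControllers) {
    $result = [ordered]@{ DC = $dc }

    # Query the DC itself so this also works when it sits in another domain.
    $computer = Get-ADComputer -Identity $dc -Server $dc -Properties DNSHostName
    $dcDomain = ($computer.DNSHostName -split '\.', 2)[1]

    # 1. Transitive group membership via LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941),
    #    evaluated in the DC's own domain; compare against the gMSA's allowed-principal DNs.
    $groupDns = @(Get-ADGroup -Server $dc -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($computer.DistinguishedName))" |
                  Select-Object -ExpandProperty DistinguishedName)
    $result.CanRetrievePassword = ($allowedDns -contains $computer.DistinguishedName) -or
                                  (@($allowedDns | Where-Object { $groupDns -contains $_ }).Count -gt 0)

    # 2 and 3. Run on the DC: Test-ADServiceAccount plus an export of the effective user-rights policy.
    $remote = Invoke-Command -ComputerName $computer.DNSHostName -ArgumentList $GmsaName -ScriptBlock {
        param($Name)
        Import-Module ActiveDirectory
        $test = Test-ADServiceAccount -Identity $Name
        $cfg  = Join-Path $env:TEMP 'rights.inf'
        secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        $line = Get-Content $cfg | Where-Object { $_ -like 'SeServiceLogonRight*' }
        Remove-Item $cfg -ErrorAction SilentlyContinue
        [pscustomobject]@{ TestResult = $test; ServiceLogonRight = $line }
    }
    $result.TestADServiceAccount = $remote.TestResult
    # secedit lists SIDs with a leading '*'; match the gMSA's SID in that line.
    $result.HasLogonAsService = [bool]($remote.ServiceLogonRight -match [regex]::Escape("*$($gmsa.SID.Value)"))

    # 4. Cross-domain: the trust from the gMSA's domain to the DC's domain must be two-way.
    if ($dcDomain -ieq $gmsaDomain) {
        $result.Trust = 'same domain'
    } else {
        $trust = Get-ADTrust -Filter "Target -eq '$dcDomain'" -ErrorAction SilentlyContinue
        $result.Trust = if ($trust) { "$($trust.Direction)" } else { 'no trust found' }
    }

    [pscustomobject]$result
}
```

A working DC should show CanRetrievePassword and HasLogonAsService as True, TestADServiceAccount as True, and Trust as either "same domain" or "BiDirectional"; any False on the four failing hosts points at the condition to fix. Note that a gMSA password is retrievable only by hosts in the allowed list; a True from Test-ADServiceAccount on one DC says nothing about the others, which is why the check is run on each.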
Jul 26 2022 07:31 AM
Jul 27 2022 03:18 PM - edited Jul 27 2022 03:19 PM
Hi @DevRin,
Recently I came across the same problem. I followed the steps below, and it solved my problem:
1. Removed the gMSA used by MDI. I also removed the gMSA used for response actions.
2. Removed the credential entries in MDI.
3. Added a brand new gMSA account for MDI and a new gMSA account for MDI response actions.
4. Added the gMSA accounts' credentials back in MDI.
I did these steps from the Microsoft Defender portal:
1. Logged in through https://security.microsoft.com;
2. Go to 'Settings';
3. Go to 'Identities'.
Maybe this can also solve your problem.
Kind Regards,
Tiennes