ATP gMSA password could not be retrieved


I have 8 Domain Controllers in my test environment.  Four are failing with the error above.

 

The gMSA is configured and the DCs are in a security group that is set in "PrincipalsAllowedToRetrieveManagedPassword".

 

Running Test-ADServiceAccount returns "True"

 

I have a GPO assigned so that the GMSA can Log On As a Service.  Running GP Results shows that the GPO is applied and setting is correct.

 

Error Message is:

Directory services user credentials are incorrect

Credentials for the directory services user GMSA are incorrect.  Your MDI sensor(s) cannot connect to 4 Domain Controllers without these credentials.  The directory services user is required to perform LDAP queries against the domain controllers.

1 Reply

@Chrisagardner63 

Are the 4 DCs in a different domain? They won't be able to access the credentials if there isn't a two-way Kerberos trust between the two domains.

 

Otherwise, I'd recommend opening a Service Request for this one. Seems like you hit all the obvious nails.
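The checks discussed in this thread (allowed-principal membership, same domain or two-way trust, Test-ADServiceAccount, and the "Log on as a service" right), gathered into one script that runs them per DC. This is an added example, not code from the thread or from Microsoft; the gMSA name `mdiSvc$` and the DC host names are assumed placeholders, and it expects RSAT and PowerShell remoting to the DCs.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the thread). For each DC, report the four prerequisites
# the post lists. 'mdiSvc$' and the DC names are assumed placeholders.
param(
    [string]   $GmsaName          = 'mdiSvc$',
    [string[]] $DomainControllers = @('dc1.corp.example', 'dc5.child.corp.example')
)

Import-Module ActiveDirectory

$gmsa = Get-ADServiceAccount -Identity $GmsaName `
        -Properties PrincipalsAllowedToRetrieveManagedPassword
# Domain of the gMSA, derived from its DN (...,DC=corp,DC=example -> corp.example)
$gmsaDomain = ($gmsa.DistinguishedName -replace '^.*?,DC=', '') -replace ',DC=', '.'

# Expand PrincipalsAllowedToRetrieveManagedPassword into a set of principal DNs,
# following group membership recursively so direct and nested entries both count.
$allowed = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
foreach ($dn in $gmsa.PrincipalsAllowedToRetrieveManagedPassword) {
    $obj = Get-ADObject -Identity $dn -Properties objectClass
    if ($obj.objectClass -eq 'group') {
        Get-ADGroupMember -Identity $dn -Recursive |
            ForEach-Object { [void]$allowed.Add($_.DistinguishedName) }
    } else {
        [void]$allowed.Add($dn)
    }
}

foreach ($dc in $DomainControllers) {
    $dcDomain = $dc.Substring($dc.IndexOf('.') + 1)
    # Ask the DC for its own computer object so this works whatever domain it is in.
    $dcObj = Get-ADComputer -Filter "DNSHostName -eq '$dc'" -Server $dc

    # A DC in another domain needs a two-way trust with the gMSA's domain (the reply's point).
    $trustOk = $true
    if ($dcDomain -ne $gmsaDomain) {
        $trust   = Get-ADTrust -Filter "Name -eq '$dcDomain'" -Server $gmsaDomain
        $trustOk = ($null -ne $trust) -and ($trust.Direction -eq 'BiDirectional')
    }

    # Test-ADServiceAccount only proves something for the host it runs on, so run it
    # on the DC itself, and read that DC's SeServiceLogonRight assignment there too.
    $remote = Invoke-Command -ComputerName $dc -ArgumentList $GmsaName, $gmsa.SID.Value -ScriptBlock {
        param($name, $sid)
        $inf = Join-Path $env:TEMP 'secpol.inf'
        secedit /export /cfg $inf | Out-Null
        $line = Select-String -Path $inf -Pattern '^SeServiceLogonRight' | Select-Object -First 1
        Remove-Item $inf -ErrorAction SilentlyContinue
        [pscustomobject]@{
            TestOk     = [bool](Test-ADServiceAccount -Identity $name -ErrorAction SilentlyContinue)
            LogonAsSvc = ($null -ne $line) -and ($line.Line -match [regex]::Escape("*$sid"))
        }
    }

    [pscustomobject]@{
        DC             = $dc
        SameDomain     = ($dcDomain -eq $gmsaDomain)
        TrustOk        = $trustOk
        AllowedToFetch = $allowed.Contains($dcObj.DistinguishedName)
        TestOk         = $remote.TestOk
        LogonAsService = $remote.LogonAsSvc
    }
}
```

One caveat worth checking when `AllowedToFetch` is true but `TestOk` is false on some DCs: the DC retrieves the gMSA password with its own machine Kerberos ticket, and that ticket only carries group memberships as of when it was issued. A DC that was added to the allowed group after it last booted will keep failing until its machine account gets a fresh ticket, for example after a reboot or after `klist -li 0x3e7 purge` run as an administrator on that DC.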