DirectoryServicesClient CreateLdapConnectionAsync failed to retrieve group managed service account

Copper Contributor

I created a gMSA on one of the DCs because the ADFS server could not communicate with the DCs themselves and I figured a service account wasn't cutting it. Now I am getting an error saying: "Directory services user credentials are incorrect" - "Credentials for the directory services user ######## are incorrect. Your MDI sensor(s) cannot connect to ######### and ######### without these credentials. The directory services user is required to perform LDAP queries against the domain controllers."

Any ideas of where to start? I will also open a ticket. It just seems like ADFS has not been able to connect to the DCs even with the new gMSA.

6 Replies
Inspect the local sensor logs for more details about the error.
It seems like it can't get an LDAP connection going? Permissions?

Error DirectoryServicesClient+<CreateLdapConnectionAsync>d__38 Microsoft.Tri.Infrastructure.ExtendedException: CreateLdapConnectionAsync failed [DomainControllerDnsName===========]
    at async Task<LdapConnection> Microsoft.Tri.Sensor.DirectoryServicesClient.CreateLdapConnectionAsync(DomainControllerConnectionData domainControllerConnectionData, bool isGlobalCatalog, bool isTraversing)
    at async Task<bool> Microsoft.Tri.Sensor.DirectoryServicesClient.TryCreateLdapConnectionAsync(DomainControllerConnectionData domainControllerConnectionData, bool isGlobalCatalog, bool isTraversing)
2021-07-29 14:26:41.4138 Error DirectoryServicesClient Microsoft.Tri.Infrastructure.ExtendedException: Failed to communicate with configured domain controllers
    at new Microsoft.Tri.Sensor.DirectoryServicesClient(IConfigurationManager configurationManager, IDomainNetworkCredentialsManager domainNetworkCredentialsManager, IRemoteImpersonationManager remoteImpersonationManager, IMetricManager metricManager, IWorkspaceApplicationSensorApiJsonProxy workspaceApplicationSensorApiJsonProxy)
    at object lambda_method(Closure, object[])
    at object Autofac.Core.Activators.Reflection.ConstructorParameterBinding.Instantiate()
    at void Microsoft.Tri.Infrastructure.ModuleManager.AddModules(Type[] moduleTypes)
    at new Microsoft.Tri.Sensor.SensorModuleManager()
    at ModuleManager Microsoft.Tri.Sensor.SensorService.CreateModuleManager()
    at async Task Microsoft.Tri.Infrastructure.Service.OnStartAsync()
    at void Microsoft.Tri.Infrastructure.TaskExtension.Await(Task task)
    at void Microsoft.Tri.Infrastructure.Service.OnStart(string[] args)

I also see this: DirectoryServicesClient CreateLdapConnectionAsync failed to retrieve group managed service account password
The machine account does not have permission to pull the gMSA password; you need to fix it.
How can we verify it and set the permission if it is not present?
You can use this:
https://docs.microsoft.com/en-us/powershell/module/activedirectory/test-adserviceaccount?view=window...

And, if you contact support, they have a tool they can give you to test it specifically with LDAP.
They can walk you through correct usage of this test tool.
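The check and the fix discussed in the replies above, worked through as an added example (this is not code from the thread, from Microsoft, or from the MDI sensor itself). It assumes a gMSA named `mdiSvc01$`, a sensor host named `ADFS01`, and the MDI sensor service name `AATPSensor`; the first two are placeholders you replace with your own values.

```powershell
# Added example: verify that the sensor host's machine account may retrieve the gMSA
# managed password, and grant it if it is missing. Requires the ActiveDirectory RSAT
# module and, for the Set-* step, an account allowed to modify the gMSA object.
Import-Module ActiveDirectory

$gmsaName   = 'mdiSvc01'   # placeholder: gMSA sAMAccountName without the trailing $
$sensorHost = 'ADFS01'     # placeholder: computer name of the MDI sensor host

# 1. Run on the sensor host itself. Returns $true when this machine can fetch the
#    managed password and $false (with a warning) when it cannot; a $false here is
#    the condition behind "failed to retrieve group managed service account password".
Test-ADServiceAccount -Identity $gmsaName

# 2. From any host with RSAT: list who is currently allowed to retrieve the password.
$gmsa = Get-ADServiceAccount -Identity $gmsaName `
            -Properties PrincipalsAllowedToRetrieveManagedPassword
$gmsa.PrincipalsAllowedToRetrieveManagedPassword

# 3. Add the sensor host's computer account while preserving the existing principals
#    (overwriting the list would silently break any other sensor host already using it).
$existing = @($gmsa.PrincipalsAllowedToRetrieveManagedPassword)
$computer = Get-ADComputer -Identity $sensorHost
Set-ADServiceAccount -Identity $gmsaName `
    -PrincipalsAllowedToRetrieveManagedPassword ($existing + $computer.DistinguishedName)

# 4. Back on the sensor host: the machine's cached Kerberos ticket does not reflect the
#    new permission yet, so purge the SYSTEM logon session's tickets (or reboot), then
#    re-run the test and restart the sensor service so it re-reads its credentials.
klist -li 0x3e7 purge
Test-ADServiceAccount -Identity $gmsaName
Restart-Service -Name AATPSensor
```

Granting a security group (containing all sensor hosts) instead of individual computer objects keeps step 3 from having to be repeated for every new sensor; the `-PrincipalsAllowedToRetrieveManagedPassword` parameter accepts group DNs in the same way.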

@jwilliams1490 

I got the same error too. I resolved it with the following settings.

https://learn.microsoft.com/en-US/defender-for-identity/directory-service-accounts

* Verify that the gMSA account has the required rights (if needed)

  You have to check Group Policy:

  Domain > Default Domain Policy

  or

  Domain > Domain Controllers > Default Domain Controllers Policy

  or

  other GPO settings

  Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> Log on as a service is set.
  If the setting is configured, add the gMSA account to the list of accounts that can log on as a service in the Group Policy Management Editor.

After that, run gpupdate.
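A way to confirm, on the sensor host, that the "Log on as a service" right described in the reply above actually reached the machine after gpupdate, as an added example that is not part of the thread. It assumes the gMSA is `CONTOSO\mdiSvc01$` (a placeholder) and must be run in an elevated prompt, because secedit needs administrative rights to export the local policy.

```powershell
# Added example: check whether the gMSA holds SeServiceLogonRight ("Log on as a service")
# as effectively applied on this host, i.e. after all GPOs have been merged.
$gmsa = 'CONTOSO\mdiSvc01$'   # placeholder: DOMAIN\gMSA name including the trailing $

# Export only the user-rights area of the effective local security policy.
$cfg = Join-Path $env:TEMP 'secpol-userrights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# The exported INF contains one line such as:
#   SeServiceLogonRight = *S-1-5-20,*S-1-5-80-0,*S-1-5-21-...-1105
$line = Get-Content -Path $cfg | Where-Object { $_ -match '^SeServiceLogonRight\s*=' }
Remove-Item -Path $cfg -Force

# Holders are comma-separated and appear either as *SID or as an account name.
$entries = @()
if ($line) {
    $entries = (($line -split '=', 2)[1]).Trim() -split ',' | ForEach-Object { $_.Trim() }
}

# Resolve the gMSA to its SID so both representations match.
$sid = (New-Object System.Security.Principal.NTAccount($gmsa)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

if ($entries -contains $gmsa -or $entries -contains "*$sid") {
    "OK: $gmsa holds SeServiceLogonRight on $env:COMPUTERNAME"
} else {
    "MISSING: $gmsa lacks SeServiceLogonRight on $env:COMPUTERNAME"
    "Current holders: $($entries -join ', ')"
    "Run 'gpresult /h gpreport.html' to see which GPO is winning for this setting."
}
```

If the account is missing even though it was added to a GPO, the usual cause is that a more specific GPO (for example the Default Domain Controllers Policy on a DC-hosted sensor) overrides the one that was edited; the user right is a replace-type setting, so only the winning GPO's list applies.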