DirectoryServicesClient CreateLdapConnectionAsync failed to retrieve group managed service account


I created a gMSA on one of the DCs because the ADFS server could not communicate with the DCs themselves and I figured a service account wasn't cutting it. Now I am getting an error saying, "Directory services user credentials are incorrect" - "Credentials for the directory services user ######## are incorrect. Your MDI sensor(s) cannot connect to ######### and ######### without these credentials. The directory services user is required to perform LDAP queries against the domain controllers."

Any ideas of where to start? I will also open a ticket. It just seems like ADFS has not been able to connect to the DCs even with the new gMSA.

5 Replies
Inspect the local sensor logs for more details about the error.
It seems like it can't get an LDAP connection going? Permissions?

Error DirectoryServicesClient+<CreateLdapConnectionAsync>d__38 Microsoft.Tri.Infrastructure.ExtendedException: CreateLdapConnectionAsync failed [DomainControllerDnsName===========]
at async Task<LdapConnection> Microsoft.Tri.Sensor.DirectoryServicesClient.CreateLdapConnectionAsync(DomainControllerConnectionData domainControllerConnectionData, bool isGlobalCatalog, bool isTraversing)
at async Task<bool> Microsoft.Tri.Sensor.DirectoryServicesClient.TryCreateLdapConnectionAsync(DomainControllerConnectionData domainControllerConnectionData, bool isGlobalCatalog, bool isTraversing)
2021-07-29 14:26:41.4138 Error DirectoryServicesClient Microsoft.Tri.Infrastructure.ExtendedException: Failed to communicate with configured domain controllers
at new Microsoft.Tri.Sensor.DirectoryServicesClient(IConfigurationManager configurationManager, IDomainNetworkCredentialsManager domainNetworkCredentialsManager, IRemoteImpersonationManager remoteImpersonationManager, IMetricManager metricManager, IWorkspaceApplicationSensorApiJsonProxy workspaceApplicationSensorApiJsonProxy)
at object lambda_method(Closure, object[])
at object Autofac.Core.Activators.Reflection.ConstructorParameterBinding.Instantiate()
at void Microsoft.Tri.Infrastructure.ModuleManager.AddModules(Type[] moduleTypes)
at new Microsoft.Tri.Sensor.SensorModuleManager()
at ModuleManager Microsoft.Tri.Sensor.SensorService.CreateModuleManager()
at async Task Microsoft.Tri.Infrastructure.Service.OnStartAsync()
at void Microsoft.Tri.Infrastructure.TaskExtension.Await(Task task)
at void Microsoft.Tri.Infrastructure.Service.OnStart(string[] args)

I also see this: DirectoryServicesClient CreateLdapConnectionAsync failed to retrieve group managed service account password
The machine account does not have permission to pull the gMSA password; you need to fix it.
How can we verify it and set the permission if it is not present?
You can use this:
https://docs.microsoft.com/en-us/powershell/module/activedirectory/test-adserviceaccount?view=window...

And, if you contact support, they have a tool they can give you to test it specifically with LDAP.
They can walk you through correct usage of this test tool.
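The check the replies describe, as an added example that is not part of the thread: list which principals may retrieve the gMSA's managed password, add the sensor host's computer account if it is missing, then confirm from the host with Test-ADServiceAccount. The gMSA name 'mdiSvc' and the host name 'ADFS01' are placeholders.

```powershell
# Added example (not from the thread). Assumes the gMSA is 'mdiSvc$' and the
# host running the MDI sensor (here the ADFS server) is 'ADFS01'; replace both.
# Run the check/fix part on a DC or any host with the ActiveDirectory RSAT
# module, as a user who can modify the gMSA object.
Import-Module ActiveDirectory

$Gmsa       = 'mdiSvc'   # gMSA sAMAccountName without the trailing '$'
$SensorHost = 'ADFS01'   # computer account of the host running the sensor

# 1. Who is currently allowed to retrieve the managed password?
#    The attribute holds distinguished names of computers and/or groups.
$acct    = Get-ADServiceAccount -Identity $Gmsa -Properties PrincipalsAllowedToRetrieveManagedPassword
$allowed = @($acct.PrincipalsAllowedToRetrieveManagedPassword)
Write-Host "Principals allowed to retrieve the password for ${Gmsa}:"
$allowed | ForEach-Object { Write-Host "  $_" }

# 2. Resolve the sensor's computer account and check whether it, or a group it
#    is a direct member of, is in that list. (Nested group membership is not
#    expanded here; if you rely on nesting, resolve it before concluding.)
$computer   = Get-ADComputer -Identity $SensorHost -Properties MemberOf
$candidates = @($computer.DistinguishedName) + @($computer.MemberOf)
$hasAccess  = @($allowed | Where-Object { $candidates -contains $_ }).Count -gt 0

if (-not $hasAccess) {
    # 3. Grant access by appending the computer account to the existing list,
    #    so principals that are already present keep their access.
    $newList = $allowed + $computer.DistinguishedName
    Set-ADServiceAccount -Identity $Gmsa -PrincipalsAllowedToRetrieveManagedPassword $newList
    Write-Host "Added $SensorHost to PrincipalsAllowedToRetrieveManagedPassword for $Gmsa."
}
else {
    Write-Host "$SensorHost is already allowed to retrieve the password."
}

# 4. On the sensor host itself, after its computer account has obtained a fresh
#    Kerberos ticket (reboot, or purge the SYSTEM logon session's tickets with
#    'klist -li 0x3e7 purge'), confirm the host can actually pull the password.
#    Test-ADServiceAccount returns $true when the gMSA is usable from that machine.
# Test-ADServiceAccount -Identity $Gmsa
```

If step 4 returns $false after the permission is in place, the sensor host is still presenting its old ticket; the "failed to retrieve group managed service account password" log line from the thread will persist until the ticket is refreshed.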