Aug 03 2022 12:08 AM
I set up MDI and am getting the following error in the logs:
2022-08-03 07:00:49.2776 Debug DirectoryServicesClient SetState Creating
2022-08-03 07:00:49.3401 Info RemoteImpersonationManager CreateImpersonatorInternalAsync started [UserName=GA-MDI-READ$ Domain=tbh.local IsGroupManagedServiceAccount=True]
2022-08-03 07:00:49.4026 Info RemoteImpersonationManager GetGroupManagedServiceAccountTokenAsync finished [UserName=GA-MDI-READ$ Domain=tbh.local IsSuccess=True]
2022-08-03 07:00:49.4026 Info RemoteImpersonationManager CreateImpersonatorInternalAsync finished [UserName=GA-MDI-READ$ Domain=tbh.local]
2022-08-03 07:00:49.4182 Info DirectoryServicesClient CreateLdapConnectionAsync failed to connect [DomainControllerDnsName=p-adc-v-01.tbh.local Domain=tbh.local UserName=GA-MDI-READ$ ResultCode=82]
2022-08-03 07:00:49.7149 Error DirectoryServicesClient+d__43 Microsoft.Tri.Infrastructure.ExtendedException: CreateLdapConnectionAsync failed [DomainControllerDnsName=p-adc-v-01.tbh.local]
   at async Task Microsoft.Tri.Sensor.DirectoryServicesClient.CreateLdapConnectionAsync(DomainControllerConnectionData domainControllerConnectionData, bool isGlobalCatalog, bool isTraversing)
   at async Task Microsoft.Tri.Sensor.DirectoryServicesClient.TryCreateLdapConnectionAsync(DomainControllerConnectionData domainControllerConnectionData, bool isGlobalCatalog, bool isTraversing)
2022-08-03 07:00:49.7306 Error DirectoryServicesClient Microsoft.Tri.Infrastructure.ExtendedException: Failed to communicate with configured domain controllers [ _domainControllerConnectionDatas=p-adc-v-01.tbh.local]
   at new Microsoft.Tri.Sensor.DirectoryServicesClient(IConfigurationManager configurationManager, IDirectoryServicesDomainNetworkCredentialsManager domainNetworkCredentialsManager, IRemoteImpersonationManager remoteImpersonationManager, IMetricManager metricManager, IWorkspaceApplicationSensorApiJsonProxy workspaceApplicationSensorApiJsonProxy)
   at object lambda_method(Closure, object[])
   at object Autofac.Core.Activators.Reflection.ConstructorParameterBinding.Instantiate()
   at void Microsoft.Tri.Infrastructure.ModuleManager.AddModules(Type[] moduleTypes)
   at new Microsoft.Tri.Sensor.SensorModuleManager()
   at ModuleManager Microsoft.Tri.Sensor.SensorService.CreateModuleManager()
   at async Task Microsoft.Tri.Infrastructure.Service.OnStartAsync()
   at void Microsoft.Tri.Infrastructure.TaskExtension.Await(Task task)
   at void Microsoft.Tri.Infrastructure.Service.OnStart(string[] args)
I already ruled out a few things:
Anyone know any more things to check for? Any help would be really appreciated!
Lars
Aug 03 2022 01:33 AM - edited Aug 03 2022 01:33 AM
I found a solution: adding the gMSA Account to the "Domain Users" Group seems to have fixed it!
Sep 07 2022 09:54 AM
@larsuhartmann
We are seeing the same error
2022-09-07 16:16:35.2886 Error DirectoryServicesClient+<CreateLdapConnectionAsync>d__47 RunPeriodic <RegisterPeriodicTask>b__1 failed
Microsoft.Tri.Infrastructure.ExtendedException: CreateLdapConnectionAsync failed [DomainControllerDnsName=OURDC.COM]
and can also verify that we are using a gMSA which has access to the DC - From the logs
2022-09-07 16:16:34.0854 Info DirectoryServicesClient CreateLdapConnectionAsync connected successfully [DomainControllerDnsName=ourdc.domain.com Domain=Ourdomain UserName=OurgMSA ]
2022-09-07 16:16:34.1635 Info LocalImpersonationManager CreateImpersonatorInternalAsync started [UserName=OurgMSA Domain=Ourdomain IsGroupManagedServiceAccount=True]
2022-09-07 16:16:34.1948 Info LocalImpersonationManager GetGroupManagedServiceAccountTokenAsync finished [UserName=OurgMSA Domain=Ourdomain IsSuccess=True]
2022-09-07 16:16:34.1948 Info LocalImpersonationManager CreateImpersonatorInternalAsync finished [UserName=OurgMSA Domain=Ourdomain]
2022-09-07 16:16:34.1948 Debug GroupPolicyHelper GetKerberosPolicy started [domainDnsName=Ourdomain.org]
2022-09-07 16:16:34.2104 Debug GroupPolicyHelper GetKerberosPolicy finished [domainDnsName=Ourdomain.org MaxTicketAge=10 MaxRenewAge=7]
2022-09-07 16:16:34.2104 Info DirectoryServicesClient CreateLdapConnectionAsync connected successfully [DomainControllerDnsName=ourdc.domain.com Domain=Ourdomain UserName=OurgMSA ]
2022-09-07 16:16:34.3510 Info DirectoryServicesResolver CreateDomainAsync created domain DC=Ourdomain,DC=org
2022-09-07 16:16:34.3667 Info DirectoryServicesClient CreateLdapConnectionAsync connected successfully [DomainControllerDnsName=ourdc.domain.com Domain=Ourdomain UserName=OurgMSA ]
We're going to try adding the gMSA to the Domain Users group, but wanted to get confirmation that this isn't a security issue.
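
An added example, not part of any post in this thread and not Microsoft's tooling: a small Python triage of sensor log lines in the layout quoted above. It separates the gMSA token retrieval result from the LDAP connect result per account and names the numeric ResultCode (82 is LDAP_LOCAL_ERROR in the standard LDAP client result codes). The sample lines, account names and host names are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the sensor log excerpts in this thread.
SAMPLE = """\
2022-01-01 07:00:49.3401 Info RemoteImpersonationManager CreateImpersonatorInternalAsync started [UserName=svc-mdi$ Domain=example.test IsGroupManagedServiceAccount=True]
2022-01-01 07:00:49.4026 Info RemoteImpersonationManager GetGroupManagedServiceAccountTokenAsync finished [UserName=svc-mdi$ Domain=example.test IsSuccess=True]
2022-01-01 07:00:49.4182 Info DirectoryServicesClient CreateLdapConnectionAsync failed to connect [DomainControllerDnsName=dc01.example.test Domain=example.test UserName=svc-mdi$ ResultCode=82]
   at async Task Microsoft.Tri.Sensor.DirectoryServicesClient.CreateLdapConnectionAsync(...)
2022-01-01 07:05:10.1000 Info DirectoryServicesClient CreateLdapConnectionAsync connected successfully [DomainControllerDnsName=dc01.example.test Domain=example.test UserName=svc-ok$ ]
"""

ENTRY = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{4}) "
                   r"(?P<level>\w+) +(?P<source>\S+) (?P<msg>.*)$")
FIELD = re.compile(r"(\w+)=([^\s\]]*)")   # key=value pairs inside [...]

# Standard LDAP result codes (decimal) that commonly show up on connect/bind.
LDAP_CODES = {49: "LDAP_INVALID_CREDENTIALS", 81: "LDAP_SERVER_DOWN",
              82: "LDAP_LOCAL_ERROR", 85: "LDAP_TIMEOUT"}

def parse(text):
    """Yield one dict per timestamped entry; stack-frame lines are skipped."""
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield {**m.groupdict(), "fields": dict(FIELD.findall(m["msg"]))}

def triage(text):
    """Per account: latest gMSA token result, successful connects, failed connects."""
    out = defaultdict(lambda: {"token_ok": False, "connected": 0, "failed": []})
    for e in parse(text):
        f, msg = e["fields"], e["msg"]
        user = f.get("UserName")
        if not user:
            continue
        if "GetGroupManagedServiceAccountTokenAsync finished" in msg:
            out[user]["token_ok"] = f.get("IsSuccess") == "True"
        elif "CreateLdapConnectionAsync connected successfully" in msg:
            out[user]["connected"] += 1
        elif "CreateLdapConnectionAsync failed to connect" in msg:
            code = int(f.get("ResultCode", -1))
            out[user]["failed"].append(
                (f.get("DomainControllerDnsName"), code, LDAP_CODES.get(code, "unknown")))
    return dict(out)

if __name__ == "__main__":
    for account, summary in triage(SAMPLE).items():
        print(account, summary)
```

An account that shows `token_ok` as true alongside entries in `failed` matches the pattern in the first post: the sensor obtained the gMSA token, and the failure occurred at the LDAP connection step.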