Field Notes: Service running with gMSA account not starting

I recently deployed a new Active Directory Forest in my lab on Windows Server 2022. I wanted to configure the Microsoft On Demand Assessments for Active Directory and also needed to deploy Microsoft Defender for Identity (MDI). I wanted to use a Group Managed Service account to run these instead of a normal service account.

I created the KDS Root Key and my gMSA accounts making sure the PrincipalsAllowedToRetrieveManagedPassword attribute is correctly configured for the computer accounts that need to retrieve the gMSA account password. What I found though was that I couldn’t execute the scheduled task and my MDI services did not want to start. Logs indicated that the gMSA account password could not be retrieved.

I immediately assumed I may have done something wrong when creating the KDS Root Key or the gMSA accounts but when checking could not find any specific problems.

I wasn’t quite sure where to go next and then remembered that the November updates (released November 8, 2022) installed on a Domain Controller may cause Kerberos authentication issues.

You can find more information at the link below which will take you directly to the specific issue. Multiple Operating Systems are affected, it is not specific to Server 2022.

Sign in failures and other issues related to Kerberos authentication

Microsoft released out-of-band updates on November 17, 2022 and November 18, 2022.

I downloaded and installed the update for Server 2022 on all my Domain Controllers. The updates are not available from Windows Update and will not automatically install. I downloaded the update by searching for the KB number on the Microsoft Update Catalog site.

This out-of-band update should only be installed on your Domain Controllers to resolve the documented issues. You don’t need to deploy this to the client devices, or other servers in your environment.

Needless to say, after the installation and reboot, the MDI services started up successfully and I could execute the scheduled task running with the gMSA accounts.

As a final note, please take note of the security hardening changes for Netlogon and Kerberos starting with the November 2022 security update. Refer to the article below to understand what actions to take and the dates of the full enforcement phases for each.

Take action: Security hardening for Netlogon and Kerberos starting with November 2022 security update


Author