Overview
This is a quick write-up of an issue I ran into while working with gMSAs. Hopefully it helps other people who hit this same issue and come across this page.
Primer
What is a gMSA? A gMSA, or group managed service account, is a managed domain account that provides automated password management via a directory service (in my case Active Directory), simplified Service Principal Name management, and the ability to delegate that management to other administrators. It is a specific type of account that is different from your normal user accounts in AD. Unlike a standalone managed service account, which is tied to a single computer, a gMSA can be used by multiple workloads on multiple hosts, which makes it easier to manage at scale.
Why would I want to use a gMSA? As mentioned above, a gMSA provides automated password management. This is a big bonus for things like SQL Server, where rotating the password of a regular service account means causing a service outage, even if only momentarily. A gMSA addresses that in a number of cases.
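As an added example (not code from the original post), this is how the account described above would be created so that the Kerberos encryption type is pinned to AES256 from the start. The account name svc-sql01, the group SQL-Servers, the domain corp.example and the SPN are placeholders I chose for illustration.

```powershell
# Added example, not from the original post: create a gMSA with AES256 set up front.
# Names (svc-sql01, SQL-Servers, corp.example, the SPN) are placeholders.
Import-Module ActiveDirectory

# 1. A KDS root key must exist before the KDC can generate gMSA passwords.
if (-not (Get-KdsRootKey)) {
    throw 'No KDS root key found. Create one with Add-KdsRootKey on a DC and wait for replication.'
}

# 2. Create the account. PrincipalsAllowedToRetrieveManagedPassword is what lets the
#    hosts (members of SQL-Servers) fetch the password; KerberosEncryptionType pins the
#    account to AES256 so the KDC never has to fall back to RC4 for it.
$gmsaParams = @{
    Name                                       = 'svc-sql01'
    DNSHostName                                = 'svc-sql01.corp.example'
    PrincipalsAllowedToRetrieveManagedPassword = 'SQL-Servers'
    KerberosEncryptionType                     = 'AES256'
    ManagedPasswordIntervalInDays              = 30
    ServicePrincipalNames                      = @('MSSQLSvc/sql01.corp.example:1433')
}
New-ADServiceAccount @gmsaParams

# 3. On each host that will run the service (after the host has refreshed its
#    Kerberos ticket so its SQL-Servers membership is in the token), install and test.
Install-ADServiceAccount -Identity 'svc-sql01'
if (-not (Test-ADServiceAccount -Identity 'svc-sql01')) {
    Write-Warning 'gMSA test failed on this host; check group membership and Kerberos encryption types.'
}
```

Steps 1 and 2 run with domain admin (or delegated) rights on a management host; step 3 runs on the server itself, which is where the error discussed below shows up if the encryption type is left unset.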
The Problem
After creating the gMSA and assigning rights to the appropriate workloads and users, I received the error below:
Install-ADServiceAccount : Cannot install service account. Error Message: 'The provided context did not match the
target.'.
At line:1 char:1
+ Install-ADServiceAccount -Identity <accountIdentity>
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : WriteError: (<accountIdentity>:String) [Install-ADServiceAccount], ADException
+ FullyQualifiedErrorId : InstallADServiceAccount:PerformOperation:InstallServiceAcccountFailure,Microsoft.ActiveDirectory.Management.Commands.InstallADServiceAccount
I went back and double-checked everything on the account, but everything was correct. What gives?
Better Error
Microsoft is known for providing helpful error codes (that is sarcasm; since this is text, it is easily misunderstood).
I found a cmdlet called Test-ADServiceAccount which, when run, produced a warning that was much more insightful.
Test-ADServiceAccount -Identity <accountIdentity>
False
WARNING: Test failed for Managed Service Account <gMSA_account>. If standalone Managed Service Account, the account is
linked to another computer object in the Active Directory. If group Managed Service Account, either this computer does
not have permission to use the group MSA or this computer does not support all the Kerberos encryption types required
Wait, what gives? I checked all the permissions. The clue is in the last part of the sentence, the reference to encryption types.
Solution
After some digging on everyone’s favorite site, reddit, I found a thread discussing that gMSAs default to RC4 encryption if no encryption type is otherwise specified.
If your domain has RC4 disabled, this will “break” the gMSA install: the host cannot use the only encryption type the account supports, so Install-ADServiceAccount fails even though every permission is correct.
Command to fix the issue:
Set-ADServiceAccount -Identity <accountIdentity> -KerberosEncryptionType AES256
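The fix above is per account. As an added example (not code from the original post), the script below audits every gMSA in the domain for the same condition, reports which ones have no encryption type set or still list RC4, and applies the Set-ADServiceAccount fix only to those. It generalizes slightly beyond the post by also flagging DES, which is disabled alongside RC4 in most hardened domains. The function names Get-GmsaEncryptionReport and Repair-GmsaEncryption are my own.

```powershell
# Added example, not from the original post: audit gMSAs for an unset/RC4/DES
# Kerberos encryption type and move the flagged ones to AES256.
Import-Module ActiveDirectory

function Get-GmsaEncryptionReport {
    # One object per gMSA: configured encryption types, who may retrieve the
    # password, and a NeedsFix flag when the account is unset (RC4 default) or
    # explicitly allows RC4/DES.
    Get-ADServiceAccount -Filter * -Properties KerberosEncryptionType, PrincipalsAllowedToRetrieveManagedPassword |
        Where-Object { $_.ObjectClass -eq 'msDS-GroupManagedServiceAccount' } |
        ForEach-Object {
            $types = @($_.KerberosEncryptionType)
            [pscustomobject]@{
                Name       = $_.Name
                EncTypes   = if ($types.Count) { $types -join ',' } else { '(not set -> RC4 default)' }
                Principals = ($_.PrincipalsAllowedToRetrieveManagedPassword -join ';')
                NeedsFix   = ($types.Count -eq 0) -or ($types -contains 'RC4') -or ($types -contains 'DES')
            }
        }
}

function Repair-GmsaEncryption {
    # Wraps the one-line fix from the post so it supports -WhatIf / -Confirm.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Identity)
    if ($PSCmdlet.ShouldProcess($Identity, 'Set KerberosEncryptionType to AES256')) {
        Set-ADServiceAccount -Identity $Identity -KerberosEncryptionType AES256
    }
}

# Report first, then fix only what is flagged. Drop -WhatIf to actually apply.
$report = Get-GmsaEncryptionReport
$report | Format-Table -AutoSize
foreach ($acct in ($report | Where-Object NeedsFix)) {
    Repair-GmsaEncryption -Identity $acct.Name -WhatIf
}
```

After changing the encryption type, re-run Test-ADServiceAccount (and Install-ADServiceAccount if it previously failed) on the host itself; the host's cached Kerberos tickets and the account's msDS-SupportedEncryptionTypes have to agree before the install succeeds.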