ADFS couldn’t start service adfssrv under another gMSA error 1064, 220

OZ 226

I'm trying to start the ADFS service under a new gMSA and at about 10 seconds I get a 1064 error, unless I make a mistake while reading the internal WID database. I had this problem in a production environment, I get the same error in a lab environment. I just deployed DC01 (WS2022) and ADFS server (WS2022), there is nothing else. I deployed the ADFS role under the adfs_gmsa service account in the classic way. Everything is working. The goal is to get the ADFS server running under adfs_gmsa2 (in my case adfs_gmsa3, it doesn’t matter).

2024-01-05_043212

2024-01-05_043346

I create adfs_gmsa3 and bind to ADFS server

Add-KdsRootKey –EffectiveTime ((get-date).addhours(-10))
New-ADServiceAccount -Name adfs_gmsa3 –RestrictToSingleComputer
$Identity = Get-ADComputer -identity ADFS
Add-ADComputerServiceAccount -Identity $identity -ServiceAccount adfs_gmsa3

Install-ADServiceAccount -Identity adfs_gmsa3

Next I assign adfs_gmsa3 to the adfssrv service
I give the same rights in the database to adfs_gmsa3 as for adfs_gmsa

2024-01-05_043558

Granted more rights to the certificate

2024-01-05_043725

Didn't do anything else. I'm trying to start the ADFS service and the error is like in the screenshots. I suspect that I can't read the database. But there are still the same rights for adfs_gmsa3. What's wrong?

2 answers

Thameur-BOURBITA 32,621 Reputation points

2024-01-05T10:32:08.0266667+00:00

Hi @OZ

I think you forgot to specify the list of server allowed to retrieve the GMSA password when you create the service account.

You can specify adfs server to retrieve password by following command:

Set-ADServiceAccount -Identity adfs-gmsa1 -PrincipalsAllowedToRetrieveManagedPassword "ADFS-SRV-Name$"

Please don't forget to accept helpful answer
Please sign in to rate this answer.
OZ 226 Reputation points

2024-01-05T15:05:40.0033333+00:00

OZ 226 Reputation points

2024-01-05T15:13:21.9666667+00:00

Okay, I'll think further. It all started when we migrated the ADFS machine from hyperv to vmware in productive env and the ADFS service stopped running under the old gMSA (the server stopped working). But if I specify a user account with domain admin rights, then everything works. As a temporary solution, I have now created a domain admin account with a complex, never-expiring password and started the service under it. I know this is not a good idea.

OZ 226 Reputation points

2024-01-05T15:14:50.51+00:00

It would be interesting to start by getting ADFS to work under another gMSA in a test environment.

Thameur-BOURBITA 32,621 Reputation points

2024-01-05T15:32:22.17+00:00

@OZ •

Try this command and check if the service account has the right to run a service on ADFS server.

Get-ADServiceAccount -Identity adfs-gmsa1 | Set-ADServiceAccount -PrincipalsAllowedToRetrieveManagedPassword "ADFS-SRV-Name$"

Why you used a service account member of domain admins ?Did you install ADFS service on you domain contrôler ?

Please don't forget to accept helpful answer

OZ 226 Reputation points

2024-01-05T17:19:31.69+00:00

No, ADFS server is not installed on the domain controller. The ADFS service runs only under domain admin and does not run under a user in the local ADFS server Administrators group.

PS C:\Windows\system32> Get-ADServiceAccount -Identity adfs_gmsa3 DistinguishedName : CN=adfs_gmsa3,CN=Managed Service Accounts,DC=loreal,DC=fr Enabled : True Name : adfs_gmsa3 ObjectClass : msDS-ManagedServiceAccount ObjectGUID : 5605ac96-4e74-44eb-a1ba-c5c20512a78c SamAccountName : adfs_gmsa3$ SID : S-1-5-21-1723313071-2957981642-1429365048-1110 UserPrincipalName : PS C:\Windows\system32> Get-ADServiceAccount -Identity adfs_gmsa3 | Set-ADServiceAccount -PrincipalsAllowedToRetrieveManagedPassword "ADFS$" Set-ADServiceAccount : An attempt was made to modify an object to include an attribute that is not legal for its class At line:1 char:45 + ... dfs_gmsa3 | Set-ADServiceAccount -PrincipalsAllowedToRetrieveManagedP ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (CN=adfs_gmsa3,C...DC=loreal,DC=fr:ADServiceAccount) [Set-ADServiceAccount], ADException + FullyQualifiedErrorId : ActiveDirectoryServer:8317,Microsoft.ActiveDirectory.Management.Commands.SetADServiceAccount PS C:\Windows\system32>

Thameur-BOURBITA 32,621 Reputation points

2024-01-05T22:31:10.9033333+00:00

@OZ •

I think you should specify the FQDN of ADFS sever as mentioned in the command below :

Get-ADServiceAccount -Identity adfs_gmsa3 | Set-ADServiceAccount -PrincipalsAllowedToRetrieveManagedPassword "ADFS.loreal.fr"

Please don't forget to accept helpful answer

OZ 226 Reputation points

2024-01-07T16:10:35.2466667+00:00

In short, FQDN didn't help either. Same mistake. I found a workaround. I created the security group "ADFSMachines" and added an ADFS server there and rebooted the ADFS server. I did all this under the new adfs_gmsa4. In short, I gave all the same rights to the WIM database and it didn’t work. Same error 1064, 220, 102 after 8 seconds. It feels like the database is not being read.

OZ 226 Reputation points

2024-01-07T16:18:27.5+00:00

I would like to note that the service works fine under the old original adfs_gmsa and if I look at the properties, then it is not the adfs_gmsa service account that appears there, but the ADFS computer itself in the container CN=Computers,DC=loreal,DC=fr. I'm confused and don't understand the meaning of everything - why are we changing here the server to gmsa.

OZ 226 Reputation points

2024-01-07T16:28:06.3333333+00:00

Then I tried to use the AdfsServiceAccountModule.psm1 module on github and the following error came up

OZ 226 Reputation points

2024-01-07T16:31:26.5966667+00:00

Then I tried using the AdfsServiceAccountModule.psm1 module on github to change gmsa

ipmo "C:\Program Files\WindowsPowerShell\Modules\AdfsServiceAccountModule.psm1"

Add-AdfsServiceAccountRule -ServiceAccount adfs_gmsa4$

In general, nothing works, the goal is simple - change gmsa1 to gmsa2 in a clean laboratory environment on Windows Server 2022.

Thameur-BOURBITA 32,621 Reputation points

2024-01-07T17:39:20.9266667+00:00

@OZ •

You can assign the server to retrieve GMSA password I have altready test it in my environment as mentioned in microsoft article : Set the principals allowed to retrieve the password for an MSA

Regarding the GMSA account , it's recommended to assign a group instead as you did for adfs_gmsa4 to be able to manage the list of server able retrieve adfs_gmsa4 password through AD group.

Regarding the new error can you please open new thread for that and close this one by accepting helpful answer ?

Please don't to accept helpful answer
Sign in to comment
Thameur-BOURBITA 32,621 Reputation points

2024-01-12T14:37:52.9766667+00:00

Hi @OZ • Thank you for your feedback. I will add you answer as a comment to let you accept it as helpful and help other forum visitor facing the same issue to identify helpful answer.

---Please don't forget to accept helpful answer
Please sign in to rate this answer.
OZ 226 Reputation points

2024-01-12T11:59:09.9233333+00:00

Here is the detailed solution: 1.       Create a group ADFSServers, add the ADFS server(s) there 2.       Reboot the ADFS server 3.       Create a new gMSA (allow only the ADFSServers group to communicate with gMSA) and check

Add-KdsRootKey –EffectiveTime ((get-date).addhours(-10))New-ADServiceAccount -Name adfs_gmsa2 -DNSHostName adfs-clust.loreal.fr -PrincipalsAllowedToRetrieveManagedPassword ADFSServers

Get-ADServiceAccount -Identity adfs_gmsa2 -Properties PrincipalsAllowedToRetrieveManagedPassword `| Select Name,ObjectClass,PrincipalsAllowedToRetrieveManagedPassword | Format-List

4.       Install the service on the ADFS server SRV1.loreal.fr (on all ADFS servers)

Install-ADServiceAccount -Identity adfs_gmsa2

5.       Install ActiveDirectory module for Powershell

Install-WindowsFeature RSAT-AD-PowerShell

6.       Install sqlcmd.exe https://www.minitool.com/news/sqlcmd.html Check: Type in Run sqlcmd.exe and SQL Console should open 7.       Install module adfstoolbox, and import AdfsServiceAccountModule.psm1

Install-Module -Name ADFSToolboximport-module adfstoolboxImport-Module "C:\Program Files\WindowsPowerShell\Modules\ADFSToolbox\2.0.17.0\serviceAccountModule\AdfsServiceAccountModule.psm1"

8.       Make sure that the ADFS service is running, if it starts, skip the next two steps 9.       Launch the ADFS service under any account with Domain Admins, the main thing is that the service is running (For a user - without a $ at the end, for gMSA - with a $ at the end)

$servicename = 'adfssrv'$serviceobject = get-wmiobject -class win32_service -filter "name='$servicename'"$serviceobject.stopservice() | out-null# change logon as settings$serviceobject.change($null, $null, $null, $null, $null, $null, "$env:userdomain\suser", $null, $null, $null, $null)

10.       Go to the properties of the ADFS service and if this is a regular account, manually enter the password. Starting the service 11.       Add a rule and apply it. Select the capital “C”, then “2” (if we have one ADFS server) and then the new gMSA loreal\adfs_gmsa2$ ($ at the end)

Add-AdfsServiceAccountRule -ServiceAccount adfs_gmsa2$Update-AdfsServiceAccount

Despite the swearing that we need to configure the Local Group Policy “Logon as Service”, we move on to the next point.

12.       Check setspn -q under which gMSA the service is running. If it's old, change gMSA for SPN host/adfs-clust.loreal.fr

setspn -q host/adfs-clust.loreal.frsetspn -d host/adfs-clust.loreal.fr adfs_gmsa$setspn -a host/adfs-clust.loreal.fr adfs_gmsa2$

Result:

13.       Run ADFS service account. The End

OZ 226 Reputation points

2024-01-12T12:01:54.99+00:00

P.S The site does not allow me to format normally.

OZ 226 Reputation points

2024-01-12T15:23:55.11+00:00

The same as a picture
Sign in to comment

Share via

ADFS couldn’t start service adfssrv under another gMSA error 1064, 220

2 answers