I'm trying to start the ADFS service under a new gMSA, and after about 10 seconds I get a 1064 error, unless I'm mistaken, while it reads the internal WID database. I had this problem in a production environment; I get the same error in a lab environment. I just deployed DC01 (WS2022) and an ADFS server (WS2022); there is nothing else. I deployed the ADFS role under the adfs_gmsa service account in the classic way. Everything is working. The goal is to get the ADFS server running under adfs_gmsa2 (in my case adfs_gmsa3, it doesn't matter).
![2024-01-05_043212](https://learn-attachment.microsoft.com/api/attachments/8bf37a1d-11c8-41f2-8c05-ae257206f3d2?platform=QnA)
![2024-01-05_043346](https://learn-attachment.microsoft.com/api/attachments/02054251-5501-4c81-a17a-7e2f26842849?platform=QnA)
- I create adfs_gmsa3 and bind it to the ADFS server:

```powershell
Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
New-ADServiceAccount -Name adfs_gmsa3 -RestrictToSingleComputer
$Identity = Get-ADComputer -Identity ADFS
Add-ADComputerServiceAccount -Identity $Identity -ServiceAccount adfs_gmsa3
Install-ADServiceAccount -Identity adfs_gmsa3
```
- Next, I assign adfs_gmsa3 to the adfssrv service
- I give adfs_gmsa3 the same rights in the database as adfs_gmsa
![2024-01-05_043558](https://learn-attachment.microsoft.com/api/attachments/94ab93f1-cae2-4700-ab68-9e96129db0ba?platform=QnA)
- Granted additional rights on the certificate
![2024-01-05_043725](https://learn-attachment.microsoft.com/api/attachments/73b1171e-505b-4264-9c35-72f985268d25?platform=QnA)
I didn't do anything else. I'm trying to start the ADFS service, and the error is as in the screenshots. I suspect that it can't read the database. But adfs_gmsa3 still has the same rights. What's wrong?
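A diagnostic script that checks each step of the post above for the new gMSA (added here, not part of the original post or of ADFS): it verifies the host can retrieve the gMSA password, which identity adfssrv is configured with, how the old and new accounts' WID logins and database roles compare, and whether the new account can read the certificate's private key file. It assumes the account names from the post, the `adfssrv` service name, WID's default named pipe `np:\\.\pipe\MICROSOFT##WID\tsql\query`, RSA keys, and a placeholder thumbprint for the service communications certificate.

```powershell
# Added diagnostic script, not from the original post. Assumes the account and
# service names below, WID's default named pipe, and a placeholder thumbprint
# for the ADFS service communications certificate.
param(
    [string]$OldGmsa = 'adfs_gmsa',   # account the service starts under today
    [string]$NewGmsa = 'adfs_gmsa3',  # account that fails with error 1064
    [string]$Service = 'adfssrv',
    [string]$CertThumbprint = '<THUMBPRINT OF ADFS SERVICE COMMUNICATIONS CERT>'
)
Import-Module ActiveDirectory
$domain = (Get-ADDomain).NetBIOSName

# 1. Can this host retrieve the gMSA password? A False here explains 1064 on its own.
"Test-ADServiceAccount {0}: {1}" -f $NewGmsa, (Test-ADServiceAccount -Identity $NewGmsa)

# 2. Which identity is the service actually configured with? gMSA names end in '$'.
"{0} runs as: {1}" -f $Service, (Get-CimInstance Win32_Service -Filter "Name='$Service'").StartName

# 3. Compare WID server logins and database roles of the old and new accounts.
#    Run elevated on the ADFS server; WID only accepts local administrators on this pipe.
$conn = New-Object System.Data.SqlClient.SqlConnection 'Server=np:\\.\pipe\MICROSOFT##WID\tsql\query;Integrated Security=true;'
$conn.Open()
function Invoke-WidQuery([string]$Query) {   # emits one ' | '-joined string per row
    $cmd = $conn.CreateCommand(); $cmd.CommandText = $Query; $rdr = $cmd.ExecuteReader()
    while ($rdr.Read()) { (0..($rdr.FieldCount - 1) | ForEach-Object { $rdr.GetValue($_) }) -join ' | ' }
    $rdr.Close()
}
$roleSql = "SELECT r.name FROM sys.database_principals dp " +
           "JOIN sys.database_role_members rm ON rm.member_principal_id = dp.principal_id " +
           "JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id WHERE dp.name = '{0}'"
foreach ($login in @("$domain\$OldGmsa`$", "$domain\$NewGmsa`$")) {
    "--- $login --- server login: " + ((Invoke-WidQuery "SELECT name FROM sys.server_principals WHERE name = '$login'") -join ', ')
    foreach ($db in Invoke-WidQuery "SELECT name FROM sys.databases WHERE name LIKE 'Adfs%'") {
        "  roles in ${db}: " + ((Invoke-WidQuery ("USE [$db]; " + ($roleSql -f $login))) -join ', ')
    }
}
$conn.Close()

# 4. Does the new gMSA have read access to the certificate's private key file?
#    Handles CNG (Crypto\Keys) and CAPI (Crypto\RSA\MachineKeys) storage of RSA keys.
$cert = Get-Item "Cert:\LocalMachine\My\$CertThumbprint"
$rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$uniq = if ($rsa -is [System.Security.Cryptography.RSACng]) { $rsa.Key.UniqueName } else { $rsa.CspKeyContainerInfo.UniqueKeyContainerName }
$keyFile = Get-ChildItem "$env:ProgramData\Microsoft\Crypto" -Recurse -File -Filter $uniq | Select-Object -First 1
"Private key file: $($keyFile.FullName)"
(Get-Acl $keyFile.FullName).Access |
    Where-Object { $_.IdentityReference -like "*\$NewGmsa`$" } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

If section 3 lists roles for the old login that are missing for the new one, or section 4 prints no ACL entry at all, that difference is the first thing to fix before retrying the service start.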