Export keys fails using gMSA

gomski 21 Reputation points
2021-03-01T11:42:39.85+00:00

Hello, I am about to install MIM Synchronization Service on a Windows 2012R2 system. I used SP2 of MIM 2016 to install it and updated it to the latest hotfix release 4.6.359.0. I used the available descriptions to install the sync service using a gMSA account.
The service runs OK and I can access everything as expected with the service manager.
But one thing is just not working out - exporting the encryption keys via miiskmu.exe.
I started it via 'run as admin' and started miiskmu.exe via an administrative command line: miiskmu.exe /e c:\configBU\exp3.bin /u:"mydomain\SVC-MIMSync$". The output is as follows:

Installing assembly 'C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Bin\Microsoft.IdentityManagement.KeyProtectService.exe'.
Affected parameters are:
   assemblypath = C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Bin\Microsoft.IdentityManagement.KeyProtectService.exe
   logfile = C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Bin\Microsoft.IdentityManagement.KeyProtectService.InstallLog
Installing service MIMKeyProtectService...
Creating EventLog source MIMKeyProtectService in log Application...

The contents of the InstallLog end at the same line 'Creating EventLog source MIMKeyProtectService in log Application...'.
The same works without a problem when using a standard account instead of a gMSA account.
For whatever reason the spun-up application is not able to create an event log source when running with a gMSA account.
Can someone give me a hint what I am missing? Thanks a lot!

73749-mim-gmsa-miiskmu-error.jpg
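The point at which the export stops in the question above is the creation of the MIMKeyProtectService event-log source, which requires write access under the Application log's registry key. The following PowerShell is an added pre-flight check, not something posted by the question's author, and it is not a confirmed fix (the author ultimately resolved the problem with a clean reinstall). It assumes the RSAT ActiveDirectory module is present, that it runs in an elevated session on the MIM Sync host, and that pre-creating the event source removes the registry write the gMSA would otherwise need; the account name SVC-MIMSync$ and the source name come from the question.

```powershell
# Added example (not from the original post): pre-flight checks before running
# miiskmu.exe /u:"mydomain\SVC-MIMSync$". Assumes the ActiveDirectory module is
# installed and this is an elevated session on the MIM Sync host.
$gmsa   = 'SVC-MIMSync$'            # gMSA name taken from the question
$source = 'MIMKeyProtectService'    # event-log source named in the InstallLog
$log    = 'Application'

Import-Module ActiveDirectory

# 1. The gMSA must be installed on this host; if it is not, any process that
#    tries to run under the account fails before the key export even starts.
if (-not (Test-ADServiceAccount -Identity $gmsa)) {
    Write-Warning "gMSA $gmsa is not usable on $env:COMPUTERNAME. Check membership in PrincipalsAllowedToRetrieveManagedPassword and run Install-ADServiceAccount."
}

# 2. Show which principals may retrieve the managed password; this computer
#    (or a group it belongs to) should be in the list.
Get-ADServiceAccount -Identity $gmsa -Properties PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, PrincipalsAllowedToRetrieveManagedPassword

# 3. Creating the event-log source up front from the elevated session means the
#    KeyProtectService installer, running as the gMSA, no longer has to create it.
#    (Assumption: this is the step that stalls in the question's InstallLog.)
if ([System.Diagnostics.EventLog]::SourceExists($source)) {
    $existingLog = [System.Diagnostics.EventLog]::LogNameFromSourceName($source, '.')
    "Event source '$source' already exists in log '$existingLog'."
} else {
    New-EventLog -LogName $log -Source $source
    "Created event source '$source' in log '$log'."
}
```

Run it once from an elevated PowerShell prompt before retrying miiskmu.exe; step 1 and 2 only report, step 3 changes the machine by registering the event source, and a source that already exists is left untouched.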


4 answers

  1. Leo Erlandsson 1,656 Reputation points
    2021-03-04T07:03:31.267+00:00

  2. gomski 21 Reputation points
    2021-03-04T08:07:39.253+00:00

    Yes - the screenshot is from using the GUI. And yes I used 'run as admin'.


  3. gomski 21 Reputation points
    2021-03-04T22:56:29.457+00:00

    Another question comes to my mind. What is the impact of this tool and the encryption keys anyway? I have changed the MIM Sync Service Account several times now from local to domain and gMSA users, but I was still able to start the service and my management agents without any problems so far. It is only miiskmu which is not working when using a domain account as a service account. Miiskmu is working when using a local account as service account.
    To be more specific about the environment I am using. It is just the sync service I am using, no Sharepoint, MIM Service or anything else is running.


  4. gomski 21 Reputation points
    2021-05-13T15:28:41.757+00:00

    Problem has been solved after installing everything on a new and clean installed machine.