This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(195.2, 14.000000000000002%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EE%3C/text%3E%3C/svg%3E)
Cx is unable to start a sensor when he uses gMSA account instead of personal account.
The customer also had a Security Group in AD with their DC and standalone sensors included.
We added the gMDSA account in the policy Log on as a service but still faces the same error.
Unable to run AATP Ldap Binder tester tool to test MDI sensor AD access using a gMSA accout, shows "PC can't run this app error."
The DC is 2016
-
The picture descriptions got jumbled up.
@EPSrookie
Thank you for your detailed post and I apologize for the delayed response!
Based off your error message, I found a troubleshooting doc that details root causes for your error and solutions, which I'll share below to hopefully help point you in the right direction to resolve this issue.
Sensor failed to retrieve group managed service account (gMSA) credentials
Error Message: Directory services user credentials are incorrect
Root Cause 1:
The domain controller hasn't been granted permission to retrieve the password of the gMSA account.
Troubleshooting:
Validate that the computer running the sensor has been granted permissions to retrieve the password of the gMSA account. For more information, see Granting the permissions to retrieve the gMSA account's password.
Root Cause 2:
This was the solution for one of the Support Requests
The sensor service runs as LocalService and performs impersonation of the directory services account. If the user rights assignment policy Log on as a service is configured for this domain controller, impersonation will fail unless the gMSA account is granted the Log on as a service permission.
Troubleshooting:
Configure Log on as a service for the gMSA accounts, when the user rights assignment policy Log on as a service is configured on the affected domain controller. For more information, see Verify that the gMSA account has the required rights.
Root Cause 3:
If the domain controller Kerberos ticket was issued before the domain controller was added to the security group with the proper permissions. This group won't be part of the Kerberos ticket, so it won't be able to retrieve the password of the gMSA account.
Troubleshooting: Do one of the following to resolve this issue
klist -li 0x3e7 purge3) Assign the permission to retrieve the gMSA's password to a group the domain controller is already a member of, such as the Domain Controllers group.
Additional Link:
Microsoft Defender for Identity - Azure ATP Deployment and Troubleshooting
Resources for Defender for Identity
If you have any other questions or are still having issues, please let me know.
Thank you for your time and patience throughout this issue.
Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
@EPSrookie
I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(0, 62%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKF%3C/text%3E%3C/svg%3E)
Hi,
I have the Same issue.
Did you @EPSrookie find a solution?
Regards
Farhad