question

kobulloc-MSFT avatar image
0 Votes"
kobulloc-MSFT asked SMLatCST answered

[MSDN Redirect] BUG: Azure AD Connect attempting to connect to SQL Instance using machine account instead of gMSA

Hi All,

I couldn't find a Category and Forum specific to Azure AD Connect, so please feel free to move this post, if it is the wrong location.

The issue is as described: Azure AD Connect is attempting to connect to its configured SQL Instance using machine account of the server on which it is installed in addition to its gMSA. The service is working using gMSA, and is otherwise synchronising, but the additional connection attempts using the machine account are obviously generating errors on SQL Server as well, as the machine account is not permitted access to the instance.

Stopping the "Microsoft Azure AD Sync" service stops further errors being generated, so it's definitely Azure AD Connect doing it, but it clearly shouldn't be.

Has anyone else encountered this?

Cheers,

SMLatCST

[Source]: https://social.msdn.microsoft.com/Forums/en-US/d438fae4-02d3-4113-8ad5-72b4e55c9390/bug-azure-ad-connect-attempting-to-connect-to-sql-instance-using-machine-account-instead-of-gmsa?forum=azureappconfiguration

azure-active-directory
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

2 Answers

MarileeTurscak-MSFT avatar image
0 Votes"
MarileeTurscak-MSFT answered

What SQL error do you get? Make sure you're using an account that's a system admin in SQL when you're running the wizard.

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-accounts-permissions

(Please also share any relevant screenshots if you can.)

5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

SMLatCST avatar image
0 Votes"
SMLatCST answered

The SQL errors appear every 5 minutes while the "Microsoft Azure AD Sync" running, and there are always two each time, with the below messages:

Login failed for user 'DOMAIN\MACHINE$'. Reason: Could not find a login matching the name provided. [CLIENT: IP ADDRESS]
and
Error: 18456, Severity: 14, State: 5.

To clarify, I do not believe this is an issue of permissions or configuration, as Azure AD Connect appears to be working correctly using the gMSA (i.e. accounts are being sync'ed and the database is being updated). The issue is that it is also, in addition and not as configured, attempting to connect to the SQL instance using the machine account as well. The machine account doesn't have access to SQL, so the error is a legitimate refusal. It is the authentication attempt that is made in error.

This seems like a bug to me. Have you encountered it before?

5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.