
FAQ - gMSA Troubleshooting

Use this troubleshooting guide to diagnose the most common gMSA issues when running Nodinite services and agents.

"Logon failure: the user has not been granted the requested logon type"

The Service Control Manager reports this error when the account starting the service does not hold the local user right "Log on as a service" (SeServiceLogonRight) on that computer. A gMSA does not receive this right automatically; it must be granted directly or through a group that holds it.

Add the account by following How to set Logon as a Service right.
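The following is an added example, not part of the Nodinite documentation, that reads the effective local security policy with secedit and reports whether a gMSA holds SeServiceLogonRight on this server. The account name CONTOSO\testgmsa$ is an assumed placeholder; run it from an elevated PowerShell session.

```powershell
# Added example (not Nodinite's own code): report who holds SeServiceLogonRight
# on this server and whether the given gMSA is granted it directly.
# Assumption: the account name is a placeholder; replace it with your gMSA.
function Test-GmsaServiceLogonRight {
    param([Parameter(Mandatory)][string]$Account)   # e.g. 'CONTOSO\testgmsa$'

    # secedit lists principals as *SID entries, so resolve the gMSA to its SID first.
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value

    # Export only the user-rights area of the effective local policy to a temp file.
    $inf = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    try {
        $line = Get-Content -Path $inf | Where-Object { $_ -match '^SeServiceLogonRight\s*=' }
    } finally {
        Remove-Item -Path $inf -ErrorAction SilentlyContinue
    }

    # Parse "SeServiceLogonRight = *S-1-5-...,*S-1-5-..." into a list of SIDs.
    $holders = @()
    if ($line) {
        $holders = ($line -replace '^SeServiceLogonRight\s*=\s*', '') -split ',' |
            ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ }
    }

    # Translate SIDs back to names for a readable report; unresolvable entries stay as-is.
    $names = foreach ($h in $holders) {
        try {
            (New-Object System.Security.Principal.SecurityIdentifier($h)).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch { $h }
    }

    # DirectGrant false with the gMSA inside one of the listed groups still means the
    # right is effective; check Holders before adding a second grant.
    [pscustomobject]@{
        Account     = $Account
        Sid         = $sid
        DirectGrant = ($holders -contains $sid)
        Holders     = ($names -join ', ')
    }
}

# Usage (placeholder account):
Test-GmsaServiceLogonRight -Account 'CONTOSO\testgmsa$'
```

If DirectGrant is False and none of the listed holders is a group the gMSA belongs to, the account lacks the right and the service will fail with the logon error above. Note that secedit reads the policy as currently applied; a Group Policy that grants the right but has not yet been applied will not show up until after gpupdate.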

Test-ADServiceAccount returns False

False means this server was unable to retrieve the managed password for the gMSA from a domain controller. Any of the conditions in the checklist below can cause it, so work through them in order.

Checklist

  1. Verify the server computer account is in the configured security group (nested membership counts, direct membership is easiest to audit).
  2. Reboot the server if group membership changed recently. The computer's group memberships are evaluated when it obtains its Kerberos ticket at startup, so gpupdate /force alone does not pick up the change; purging the computer account's tickets with klist -li 0x3e7 purge is the alternative to a reboot.
  3. Confirm the KDS root key exists and its EffectiveTime has passed. A new root key only becomes usable after its effective time (10 hours after creation by default, to allow replication), so a freshly created key fails this test until then.
  4. Verify replication between domain controllers; the DC this server contacts must have the root key, the group membership, and the gMSA object.
  5. Confirm the gMSA account is enabled.
  6. Verify PrincipalsAllowedToRetrieveManagedPassword lists your security group (or this computer) and not a different or stale group.
  7. Reinstall the gMSA account on the server and test again.

PowerShell Checks

# All checks need the ActiveDirectory RSAT module and should run on the server that will use the gMSA.
Import-Module ActiveDirectory

# 1. Is this computer (directly or through nesting) in the group allowed to retrieve the password?
#    Computer objects match on SamAccountName, which carries the trailing $; the Name property does not.
$serverName = $env:COMPUTERNAME
Get-ADGroupMember -Identity "gmsaservergroup" -Recursive |
    Where-Object { $_.SamAccountName -eq "$serverName`$" }

# 3. The KDS root key must exist and its EffectiveTime must already be in the past.
Get-KdsRootKey | Select-Object KeyId, CreationTime, EffectiveTime
# 4. Replication errors stop other DCs from seeing the root key, the group, or the account.
repadmin /showrepl

# 5 and 6. Account enabled, and the allowed principals list names your security group.
Get-ADServiceAccount -Identity "testgmsa" -Properties Enabled, PrincipalsAllowedToRetrieveManagedPassword

# 7. Reinstall on this server and test again; reboot first if group membership changed.
Uninstall-ADServiceAccount -Identity "testgmsa"
Install-ADServiceAccount -Identity "testgmsa"
Test-ADServiceAccount -Identity "testgmsa"

Service fails to start with gMSA account

Validate these common mistakes:

  • Account format is DOMAIN\gMSAName$ (with trailing $); without the $ Windows treats it as an ordinary user and attempts a password logon.
  • Password fields are left empty in Services and IIS application pool identity settings; Windows retrieves the managed password itself, and a typed value is ignored or causes a logon failure.
  • "Log on as a service" right is present on this server.
  • Local administrator membership is present if the selected monitoring agent requires it.
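The following is an added example, not part of the Nodinite documentation, that audits the Windows services and IIS application pools on this server running as a given gMSA and flags the mistakes in the list above (missing trailing $, wrong IIS identity type, a stored password). The account CONTOSO\testgmsa is an assumed placeholder; the IIS part runs only when the WebAdministration module is installed.

```powershell
# Added example (not Nodinite's own code): find services and IIS app pools that
# reference a gMSA and report configuration problems for each.
# Assumption: the account name is a placeholder; pass it without the trailing $.
function Test-GmsaServiceIdentity {
    param([Parameter(Mandatory)][string]$Gmsa)      # e.g. 'CONTOSO\testgmsa'

    $expected = "$Gmsa`$"                            # the only valid form: DOMAIN\name$
    $short    = ($Gmsa -split '\\')[-1]              # bare name, used to find candidates

    # Windows services: StartName is the configured logon account.
    $services = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if (-not $svc.StartName -or $svc.StartName -notlike "*$short*") { continue }
        $problem = $null
        if ($svc.StartName -ne $expected) {
            $problem = "Identity '$($svc.StartName)' is not '$expected' (trailing $ missing or wrong domain form)"
        }
        [pscustomobject]@{
            Kind = 'Service'; Name = $svc.Name; Identity = $svc.StartName
            State = $svc.State; Problem = $problem
        }
    }

    # IIS application pools: identityType must be SpecificUser, userName DOMAIN\name$, password empty.
    $pools = @()
    if (Get-Module -ListAvailable -Name WebAdministration) {
        Import-Module WebAdministration
        $pools = foreach ($pool in Get-ChildItem -Path IIS:\AppPools) {
            $pm = $pool.processModel
            if ($pm.userName -notlike "*$short*") { continue }
            $problem = $null
            if ($pm.identityType -ne 'SpecificUser') { $problem = "identityType is '$($pm.identityType)', must be SpecificUser" }
            elseif ($pm.userName -ne $expected)      { $problem = "userName '$($pm.userName)' is not '$expected'" }
            elseif ($pm.password)                    { $problem = 'password must be empty for a gMSA' }
            [pscustomobject]@{
                Kind = 'AppPool'; Name = $pool.Name; Identity = $pm.userName
                State = $pool.state; Problem = $problem
            }
        }
    }

    @($services) + @($pools)
}

# Usage (placeholder account): show everything, then only the broken entries.
$report = Test-GmsaServiceIdentity -Gmsa 'CONTOSO\testgmsa'
$report | Format-Table -AutoSize
$report | Where-Object { $_.Problem } | Format-List
```

Run it elevated so the IIS: drive is readable. An entry with an empty Problem column but a stopped State points at one of the other causes on this page (the logon right, or the server being unable to retrieve the managed password).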

Authentication failures after password rotation

gMSA password rotation is automatic: Active Directory changes the managed password on the interval set when the account was created (30 days by default), and each host that is allowed to retrieve it fetches the new value from a domain controller. Services keep running without any manual password change, so an authentication failure that starts right after a rotation almost always means this server can no longer retrieve the managed password.

Quick Checks

  • Verify server membership in the group named in PrincipalsAllowedToRetrieveManagedPassword.
  • Verify the KDS root key exists, is effective, and has replicated to the domain controller this server uses.
  • Reboot the server (or purge the computer account's Kerberos tickets with klist -li 0x3e7 purge) when group membership changed; gpupdate /force alone does not refresh the computer's group token.
  • Review Event Viewer for domain, KDS, or service logon errors, and rerun Test-ADServiceAccount to confirm the password can still be retrieved.

Cannot access encrypted configuration files

This usually indicates a certificate permission or certificate location issue: the certificate is in the wrong store, the thumbprint in the configuration does not match, or the gMSA cannot read the private key file.

Verify Certificate State

  1. Confirm the certificate is in Cert:\LocalMachine\My (the machine store, not the current user's store).
  2. Confirm the certificate thumbprint matches the configuration exactly (no spaces, case does not matter).
  3. Confirm HasPrivateKey is True.
  4. Confirm the gMSA has read access to the private key file; the permission lives on the key file on disk, not on the certificate object itself.

For certificate ACL guidance, see Microsoft: Grant access to a certificate private key.
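The following is an added example, not part of the Nodinite documentation, that performs the four checks above in one pass: it finds the certificate by thumbprint in the machine store, locates the private key file for CNG and legacy CAPI RSA keys, and reports whether the gMSA has a direct Read entry on that file, optionally adding one. The thumbprint and the account CONTOSO\testgmsa$ are assumed placeholders; run it from an elevated PowerShell session.

```powershell
# Added example (not Nodinite's own code): verify a certificate and its private-key
# ACL for a gMSA. Thumbprint and account are placeholders; replace them with your values.
function Test-GmsaCertificateAccess {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string]$Account,     # e.g. 'CONTOSO\testgmsa$'
        [switch]$Grant                              # add a Read ACE for the gMSA if it is missing
    )

    # Checks 1-3: certificate in the machine store, thumbprint matches, private key present.
    $wanted = ($Thumbprint -replace '\s', '').ToUpper()
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $wanted }
    if (-not $cert)               { throw "No certificate with thumbprint $wanted in Cert:\LocalMachine\My" }
    if (-not $cert.HasPrivateKey) { throw "Certificate $($cert.Subject) has no private key on this machine" }

    # Check 4: locate the key file. CNG (KSP) keys and legacy CAPI (CSP) keys are stored in
    # different folders under ProgramData; only RSA keys are handled here.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if (-not $rsa) { throw "Private key of $($cert.Subject) is not an RSA key; locate it manually" }
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$($rsa.Key.UniqueName)"
    } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$($rsa.CspKeyContainerInfo.UniqueKeyContainerName)"
    } else {
        throw "Unsupported RSA provider $($rsa.GetType().Name)"
    }
    if (-not (Test-Path -Path $keyFile)) { throw "Key file $keyFile not found" }

    # Look for an explicit Allow entry for the gMSA that includes the Read rights.
    # Access inherited through a group the gMSA belongs to is not detected here.
    $readMask = [int][System.Security.AccessControl.FileSystemRights]::Read
    $acl   = Get-Acl -Path $keyFile
    $allow = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $Account -and
        (([int]$_.FileSystemRights -band $readMask) -eq $readMask)
    }

    if (-not $allow -and $Grant) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
        $acl.AddAccessRule($rule)
        Set-Acl -Path $keyFile -AclObject $acl
        $allow = $true
    }

    [pscustomobject]@{
        Subject     = $cert.Subject
        Thumbprint  = $cert.Thumbprint
        Expired     = ($cert.NotAfter -lt (Get-Date))
        KeyProvider = $rsa.GetType().Name
        KeyFile     = $keyFile
        GmsaCanRead = [bool]$allow
    }
}

# Usage (placeholder values): report only; add -Grant to fix a missing entry.
Test-GmsaCertificateAccess -Thumbprint '0123456789ABCDEF0123456789ABCDEF01234567' -Account 'CONTOSO\testgmsa$'
```

Read is sufficient for decryption with the key; do not grant FullControl, which would let the service account change or delete the key. If GmsaCanRead is False but the account belongs to a group listed in the ACL, the access is already effective and no change is needed.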

Event Viewer Focus Areas

Review these logs:

  • System log (Service Control Manager)
  • Application log
  • Security log

Look for entries mentioning logon failure, access denied, private key, or certificate errors.

Next Step