ADFS couldn’t start service adfssrv under another gMSA error 1064, 220

OZ 226 Reputation points
2024-01-05T02:02:54.5466667+00:00

I'm trying to start the ADFS service under a new gMSA and at about 10 seconds I get a 1064 error, unless I make a mistake while reading the internal WID database. I had this problem in a production environment, I get the same error in a lab environment. I just deployed DC01 (WS2022) and ADFS server (WS2022), there is nothing else. I deployed the ADFS role under the adfs_gmsa service account in the classic way. Everything is working. The goal is to get the ADFS server running under adfs_gmsa2 (in my case adfs_gmsa3, it doesn’t matter).

2024-01-05_043212

2024-01-05_043346

  • I create adfs_gmsa3 and bind to ADFS server
Add-KdsRootKey –EffectiveTime ((get-date).addhours(-10))
New-ADServiceAccount -Name adfs_gmsa3 –RestrictToSingleComputer
$Identity = Get-ADComputer -identity ADFS
Add-ADComputerServiceAccount -Identity $identity -ServiceAccount adfs_gmsa3

Install-ADServiceAccount -Identity adfs_gmsa3
  • Next I assign adfs_gmsa3 to the adfssrv service
  • I give the same rights in the database to adfs_gmsa3 as for adfs_gmsa

2024-01-05_043558

  • Granted more rights to the certificate

2024-01-05_043725

Didn't do anything else. I'm trying to start the ADFS service and the error is like in the screenshots. I suspect that I can't read the database. But there are still the same rights for adfs_gmsa3. What's wrong?

Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
13,228 questions
Active Directory Federation Services
Active Directory Federation Services
An Active Directory technology that provides single-sign-on functionality by securely sharing digital identity and entitlement rights across security and enterprise boundaries.
1,264 questions
{count} votes

2 answers

Sort by: Most helpful
  1. Thameur-BOURBITA 33,006 Reputation points
    2024-01-05T10:32:08.0266667+00:00

    Hi @OZ

    I think you forgot to specify the list of server allowed to retrieve the GMSA password when you create the service account.

    You can specify adfs server to retrieve password by following command:

    Set-ADServiceAccount -Identity adfs-gmsa1 -PrincipalsAllowedToRetrieveManagedPassword "ADFS-SRV-Name$"


    Please don't forget to accept helpful answer


  2. Thameur-BOURBITA 33,006 Reputation points
    2024-01-12T14:37:52.9766667+00:00

    Hi @OZ • Thank you for your feedback. I will add you answer as a comment to let you accept it as helpful and help other forum visitor facing the same issue to identify helpful answer.

    ---Please don't forget to accept helpful answer


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.