I'm trying to start the ADFS service under a new gMSA, and after about 10 seconds I get a 1064 error, if I'm not mistaken while it reads the internal WID database. I had this problem in a production environment, and I get the same error in a lab environment. I just deployed DC01 (WS2022) and an ADFS server (WS2022); there is nothing else. I deployed the ADFS role under the adfs_gmsa service account in the classic way. Everything is working. The goal is to get the ADFS server running under adfs_gmsa2 (in my case adfs_gmsa3, it doesn't matter).
- I create adfs_gmsa3 and bind it to the ADFS server:

```powershell
Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
New-ADServiceAccount -Name adfs_gmsa3 -RestrictToSingleComputer
$Identity = Get-ADComputer -Identity ADFS
Add-ADComputerServiceAccount -Identity $Identity -ServiceAccount adfs_gmsa3
Install-ADServiceAccount -Identity adfs_gmsa3
```
- Next I assign adfs_gmsa3 to the adfssrv service
- I give adfs_gmsa3 the same rights in the database as adfs_gmsa
- I granted additional rights on the certificate
I didn't do anything else. I'm trying to start the ADFS service and the error is as in the screenshots. I suspect that it can't read the database. But adfs_gmsa3 has the same rights. What's wrong?
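The following is an added diagnostic script, not part of the original post, that a practitioner could run elevated on the ADFS server to verify each prerequisite a new gMSA needs before adfssrv can start: the computer can retrieve the gMSA password, the service is actually configured to run as the gMSA, the HOST SPN for the federation service name is held by exactly one account, the gMSA has a login and role membership in the WID configuration database, and the gMSA has an ACE on the ADFS DKM container in AD (the container holding the key that protects the token-signing and decrypting certificates stored in the database). The gMSA name adfs_gmsa3 and service name adfssrv come from the post; the federation service name sts.contoso.com, the database name AdfsConfigurationV4 and the DKM container path CN=ADFS,CN=Microsoft,CN=Program Data,<domain DN> are assumptions to adjust for your environment.

```powershell
# Added diagnostic script (not from the original post). Run elevated on the ADFS server.
# Assumptions: gMSA adfs_gmsa3, service adfssrv, federation service name sts.contoso.com (placeholder),
# WID database AdfsConfigurationV4, DKM container CN=ADFS,CN=Microsoft,CN=Program Data,<domain DN>.
Import-Module ActiveDirectory
$gmsa   = 'adfs_gmsa3'
$fsName = 'sts.contoso.com'          # placeholder: your federation service name
$dbName = 'AdfsConfigurationV4'      # assumption: ADFS on WS2016+ uses this WID database name

# 1. Can this computer retrieve the gMSA password at all?
$ok = Test-ADServiceAccount -Identity $gmsa
"Test-ADServiceAccount: $ok"
$acct = Get-ADServiceAccount -Identity $gmsa -Properties PrincipalsAllowedToRetrieveManagedPassword, ServicePrincipalNames
"Allowed principals : $($acct.PrincipalsAllowedToRetrieveManagedPassword -join ', ')"
"SPNs on $gmsa      : $($acct.ServicePrincipalNames -join ', ')"

# 2. Is adfssrv really configured to log on as the gMSA? (gMSA logon names end with '$')
$svc = Get-CimInstance Win32_Service -Filter "Name='adfssrv'"
"adfssrv StartName  : $($svc.StartName)"

# 3. The HOST/<federation service name> SPN must be on the new account and on nothing else.
$spn = "HOST/$fsName"
$holders = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName
"$spn held by       : $($holders.Name -join ', ')"

# 4. WID: does the gMSA have a server login, a database user and a role in the config database?
$domain = (Get-ADDomain).NetBIOSName
$login  = "$domain\$gmsa$"
$cs   = "Server=np:\\.\pipe\MICROSOFT##WID\tsql\query;Database=$dbName;Integrated Security=True"
$conn = New-Object System.Data.SqlClient.SqlConnection $cs
$conn.Open()
$cmd = $conn.CreateCommand()
$cmd.CommandText = @"
SELECT sp.name AS login_name, dp.name AS db_user, r.name AS role_name
FROM sys.server_principals sp
LEFT JOIN sys.database_principals dp ON dp.sid = sp.sid
LEFT JOIN sys.database_role_members rm ON rm.member_principal_id = dp.principal_id
LEFT JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
WHERE sp.name = @login
"@
$cmd.Parameters.AddWithValue('@login', $login) | Out-Null
$rdr = $cmd.ExecuteReader()
$found = $false
while ($rdr.Read()) {
    $found = $true
    "WID: login=$($rdr['login_name']) user=$($rdr['db_user']) role=$($rdr['role_name'])"
}
if (-not $found) { "WID: no server login named $login in the WID instance" }
$rdr.Close(); $conn.Close()

# 5. DKM container ACL: the service account needs read access here to unwrap the certificate keys.
$dkmDn = "CN=ADFS,CN=Microsoft,CN=Program Data,$((Get-ADDomain).DistinguishedName)"
$acl = Get-Acl -Path "AD:\$dkmDn"
$aces = $acl.Access | Where-Object { $_.IdentityReference -like "*$gmsa*" }
if ($aces) {
    $aces | Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, IsInherited | Format-Table -AutoSize
} else {
    "DKM: no ACE for $gmsa on $dkmDn"
}
```

Compare the output for adfs_gmsa3 with the same output for adfs_gmsa: the check that differs between the two accounts is the one to investigate first, and a missing DKM ACE or an SPN that is still on the old account is not covered by the "same rights in the database" step alone.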