Well... I set the himds "Azure Hybrid Instance Metadata Service" Log On settings to use the Local System account and started the himds service. The machine is now online in Azure Arc and I was able to scan for updates. I assume that not running the service with the himds account might break some functionality, but it appears to be managing Windows Updates, which is all I need it for.
Azure Arc fails to connect because NT SERVICE\himds is not allowed to log on as a service
The short version: How do I get Azure Arc to connect to Azure if GPO is limiting which accounts are allowed to log on as a service and the himds service requires "NT SERVICE\himds" to log in as a service? (I am unable to add "NT SERVICE\himds" to the GPO due to the account failing lookup/validation.)
The long version:
- Azure Arc is installed on a domain controller.
- All domain controllers in the environment have a GPO defining which accounts can log on as a service.
- Running "azcmagent show" returns the following output:

    azcmagent show
    INFO Exit Code: AZCM0064: Unable to establish communication with himds server
    INFO Please check if the Hybrid Instance Metadata Service (HIMDS) is running. If it is in the stopped state, review the relevant logs (himds.log, event log (Windows), and journal/system log (Linux)); start the service if it was deliberately stopped or report crashes to the Microsoft Support. HIMDS could be busy if encountering networking issues, which can be identified in himds.log.
    INFO For more troubleshooting tips, please refer to https://aka.ms/arc/azcmerror
    FATAL open \\.\PIPE\himds: The system cannot find the file specified.
- Unable to start "Azure Hybrid Instance Metadata Service" (himds) due to Error 1069: logon failure
- The service "Azure Hybrid Instance Metadata Service" (himds) is configured to log on using "NT SERVICE\himds" automatically during installation.
- Found that GPO is defining which accounts are allowed to log on as a service and "NT SERVICE\himds" is not in that list
- The Deny log on as a service policy is enabled but there are no accounts listed
- I'm unable to add "NT SERVICE\himds" into the allow log on as a service policy due to the account failing validation/lookup (see screenshot)
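Added example (not part of the question or any answer): because a policy export from "secedit /export" lists SeServiceLogonRight by SID, this script derives the NT SERVICE\himds virtual-account SID with the documented algorithm (S-1-5-80 plus the SHA-1 of the upper-cased UTF-16LE service name as five little-endian DWORDs, the same value "sc showsid himds" prints) and checks whether a policy export grants that account the right. The policy text is a constructed sample, not taken from the asker's environment.

```python
import hashlib
import struct


def service_sid(service_name: str) -> str:
    """Derive the NT SERVICE\\<name> virtual-account SID.

    Windows builds these SIDs as S-1-5-80-<5 sub-authorities>, where the
    sub-authorities are the SHA-1 digest of the upper-cased service name
    (UTF-16LE) read as five little-endian 32-bit integers. This matches
    what 'sc showsid <name>' prints on a host that has the service.
    """
    digest = hashlib.sha1(service_name.upper().encode("utf-16-le")).digest()
    rids = struct.unpack("<5I", digest)
    return "S-1-5-80-" + "-".join(str(r) for r in rids)


def parse_user_right(inf_text: str, right: str) -> list[str]:
    """Return the principals granted `right` in a secedit/GptTmpl.inf export.

    A line looks like: SeServiceLogonRight = *S-1-5-19,*S-1-5-20
    A leading '*' marks a SID; an empty right-hand side means nobody.
    """
    for line in inf_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == right:
            return [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
    return []


def himds_can_log_on_as_service(inf_text: str) -> bool:
    """True when the himds virtual account is in the allow list for the right."""
    granted = parse_user_right(inf_text, "SeServiceLogonRight")
    return service_sid("himds") in granted


# Constructed sample in the shape 'secedit /export /cfg <file>' produces:
# the right granted only to LOCAL SERVICE and NETWORK SERVICE (S-1-5-19/20),
# and the deny policy defined but empty, as described in the question.
SAMPLE_POLICY = """[Privilege Rights]
SeServiceLogonRight = *S-1-5-19,*S-1-5-20
SeDenyServiceLogonRight =
"""

if __name__ == "__main__":
    print("NT SERVICE\\himds SID:", service_sid("himds"))
    print("himds allowed to log on as a service:", himds_can_log_on_as_service(SAMPLE_POLICY))
```

Comparing the derived SID against the export taken from the domain controller shows whether the GPO, rather than the agent, is what blocks the service from starting.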
2 answers
MarkNewall-5651, 2024-11-15T10:59:33.49+00:00
Hi Jonathan,
I ran into this exact problem and was relieved to find I'm not the only one with this issue. I was able to add "NT SERVICE\himds" to the GPO when editing the GPO on a machine which is also connected to Azure Arc, as that user exists on the local machine. Trying to add that user on a machine that is not connected to Azure Arc failed, just as you described.
I don't know about the security implications of allowing this user to log on as a service. I have read that you need to be very careful when granting access to the Azure Arc management interface, as the agent is able to run arbitrary PowerShell scripts on connected machines. When that includes domain controllers, you are effectively granting domain admin privileges to anyone with admin access to Azure Arc. We are currently just doing a PoC on our test domain whilst we assess the risk vs reward of Azure Arc.
Regards,
Mark