This guide provides step-by-step instructions to resolve authentication issues when using a Group Managed Service Account (gMSA) with ManageEngine Applications Manager for SQL Server connectivity.
If authentication via the gMSA account fails in the Applications Manager installation process, follow these steps:
Test the gMSA Account:
1. From the Applications Manager installation directory, open a PowerShell session running as the gMSA account with PsExec:
   D:\ManageEngine\AppManager17>\PSTools\PsExec.exe -i -u <domain>\SQLgMSA$ -p ~ powershell.exe -Command "powershell.exe"
   - Replace <domain> with your domain name (e.g., apmkerberos).
   - Replace SQLgMSA$ with your gMSA account name (e.g., SQLgMSA$).
   (The "~" password tells PsExec to retrieve the gMSA's managed password itself, so this machine must be allowed to retrieve it.)
2. In the PowerShell window that opens, run a test query against SQL Server:
   Invoke-Sqlcmd -ServerInstance '<sql_server>' -Database 'master' -Query 'select getdate()'
   - Replace <sql_server> with your SQL Server's hostname (e.g., sql-kerb-1).
   If the query returns the current date and time, the gMSA can authenticate to SQL Server.

Resolve "Invoke-Sqlcmd is not recognized" Error:
If the test query fails with:
   Invoke-Sqlcmd : The term 'Invoke-Sqlcmd' is not recognized as the name of a cmdlet, function, script file, or operable program.
install and import the SqlServer module:
   Install-Module -Name SqlServer
   Import-Module SqlServer
Then confirm that the Invoke-Sqlcmd cmdlet is available and re-run the test query:
   Get-Command Invoke-Sqlcmd

Continue with Installation:
Once the test query succeeds, continue with the Applications Manager installation.
Verify gMSA Account Configuration:
1. On the Applications Manager machine, run:
   Test-ADServiceAccount SQLgMSA
   - Replace SQLgMSA with your gMSA account name.
   The command should return True. If it returns False:
2. On the domain controller apm-krb-dc1 or a machine with the Active Directory PowerShell module and domain admin rights, run:
   Set-ADServiceAccount -Identity SQLgMSA -PrincipalsAllowedToRetrieveManagedPassword "apm-krb-1$"
   - Replace SQLgMSA with your gMSA account name and apm-krb-1$ with your machine account name.
3. Verify the configuration:
   Get-ADServiceAccount SQLgMSA -Properties PrincipalsAllowedToRetrieveManagedPassword | Select-Object PrincipalsAllowedToRetrieveManagedPassword
   This should display your machine account (e.g., apm-krb-1$).
4. If the list is empty, on the domain member machine (e.g., apm-krb-1), run as administrator:
   Add-ADComputerServiceAccount -Identity apm-krb-1 -ServiceAccount SQLgMSA
   - Replace apm-krb-1 with your machine name and SQLgMSA with your gMSA account name.
5. Re-verify on the domain controller (apm-krb-dc1):
   Get-ADServiceAccount SQLgMSA -Properties PrincipalsAllowedToRetrieveManagedPassword | Select-Object PrincipalsAllowedToRetrieveManagedPassword
6. Test again:
   Test-ADServiceAccount SQLgMSA
   - It should return True.
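The following script is an added example, not a command from the ManageEngine guide: it checks whether the local computer may retrieve the gMSA's managed password, either directly or through a group listed in PrincipalsAllowedToRetrieveManagedPassword, and runs the local Test-ADServiceAccount check. The account and computer names are the guide's sample values (SQLgMSA, apm-krb-1), and the ActiveDirectory module is assumed to be installed. Note that Set-ADServiceAccount -PrincipalsAllowedToRetrieveManagedPassword replaces the whole list, so the commented-out fix appends the computer to the existing principals rather than passing it alone.

```powershell
# Added example (not the guide's own commands): verify gMSA password-retrieval rights.
# Assumes the ActiveDirectory PowerShell module; names are the guide's sample values.
Import-Module ActiveDirectory -ErrorAction Stop

function Test-GmsaRetrievalRight {
    param(
        [Parameter(Mandatory)][string]$GmsaName,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $gmsa     = Get-ADServiceAccount -Identity $GmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword
    $computer = Get-ADComputer -Identity $ComputerName
    # The attribute holds distinguished names of users, computers or groups.
    $allowed  = @($gmsa.PrincipalsAllowedToRetrieveManagedPassword)

    $direct   = $allowed -contains $computer.DistinguishedName
    $viaGroup = $false
    foreach ($dn in $allowed) {
        $obj = Get-ADObject -Identity $dn -Properties objectClass
        if ($obj.objectClass -eq 'group') {
            # A group entry grants the right to every (nested) member computer.
            $members = Get-ADGroupMember -Identity $dn -Recursive |
                       Select-Object -ExpandProperty DistinguishedName
            if ($members -contains $computer.DistinguishedName) { $viaGroup = $true }
        }
    }

    # Test-ADServiceAccount is only meaningful on the computer that will use the gMSA.
    $localTest = [bool](Test-ADServiceAccount -Identity $GmsaName)

    [pscustomobject]@{
        Gmsa              = $gmsa.SamAccountName
        Computer          = $computer.SamAccountName
        AllowedPrincipals = $allowed
        DirectlyAllowed   = $direct
        AllowedViaGroup   = $viaGroup
        LocalTest         = $localTest
    }
}

$report = Test-GmsaRetrievalRight -GmsaName 'SQLgMSA' -ComputerName 'apm-krb-1'
$report | Format-List

if (-not ($report.DirectlyAllowed -or $report.AllowedViaGroup)) {
    Write-Warning "$($report.Computer) cannot retrieve the password for $($report.Gmsa)."
    # Set-ADServiceAccount replaces the entire principal list, so keep the existing
    # entries and append this computer. Uncomment to apply (requires rights on the gMSA).
    # Set-ADServiceAccount -Identity $report.Gmsa `
    #     -PrincipalsAllowedToRetrieveManagedPassword ($report.AllowedPrincipals + $report.Computer)
}
```

Run it on the Applications Manager host so that LocalTest reflects that machine; DirectlyAllowed and AllowedViaGroup are read from the directory and are valid from any domain-joined machine with the module.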
If you encounter an "access denied" error when starting Applications Manager or SQL Server, follow these steps:
Grant "Log on as a service" Right:
1. Open gpedit.msc.
2. Navigate to Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
3. Open "Log on as a service" and add the gMSA account (e.g., APMKERBEROS\SQLgMSA$).
Check for Startup Errors:
Check StartUpLogs_out.txt for errors like:
   [10:59:58:902]|[06-04-2025]|[STARTUP_OUT]|[DEBUG]|[20]: Exception Message: Kerberos Login failed: Integrated authentication failed. ClientConnectionId:b4838d9e-9dfb-4f6f-bddd-89f6722b3f0b due to javax.security.auth.login.LoginException (Cannot get any of properties: [user, USER] from con properties not available to garner authentication information from the user)
   [10:59:58:918]|[06-04-2025]|[STARTUP_OUT]|[DEBUG]|[20]: CONSOLE LOG : Unable to login with database 'AMDB' due to SQL authentication failure.
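As an added example (not part of the guide), the script below confirms from the command line that the gMSA actually holds the "Log on as a service" right (SeServiceLogonRight) on this host, and pulls the two failure signatures quoted above out of the startup log. It must run elevated on the Applications Manager host. The account name is the guide's sample; the log file path is an assumed location and should be adjusted to the installation.

```powershell
# Added example (not from the guide): check SeServiceLogonRight for the gMSA and
# extract Kerberos/SQL authentication failures from the startup log.
$Account = 'APMKERBEROS\SQLgMSA$'                                   # guide's sample name
$LogFile = 'D:\ManageEngine\AppManager17\logs\StartUpLogs_out.txt'  # assumed path

function Test-ServiceLogonRight {
    param([Parameter(Mandatory)][string]$Account)
    # secedit lists right holders by SID (prefixed with *), so resolve the SID first.
    $nt  = New-Object System.Security.Principal.NTAccount($Account)
    $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

    $inf = Join-Path $env:TEMP 'user-rights-export.inf'
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $line = Get-Content -Path $inf | Where-Object { $_ -like 'SeServiceLogonRight*' }
    Remove-Item -Path $inf -ErrorAction SilentlyContinue

    # Line format: SeServiceLogonRight = *S-1-5-80-0,*S-1-5-21-...,DOMAIN\name
    $holders = if ($line) { (($line -split '=', 2)[1]).Trim() -split ',' } else { @() }

    [pscustomobject]@{
        Account = $Account
        Sid     = $sid
        Granted = ($holders -contains "*$sid") -or ($holders -contains $Account)
        Holders = $holders
    }
}

function Find-StartupAuthFailure {
    param([Parameter(Mandatory)][string]$Path)
    # Patterns match the two log lines quoted in the guide.
    Select-String -Path $Path -Pattern 'Kerberos Login failed', 'SQL authentication failure' |
        ForEach-Object { [pscustomobject]@{ LineNumber = $_.LineNumber; Text = $_.Line } }
}

$right = Test-ServiceLogonRight -Account $Account
$right | Format-List
if (-not $right.Granted) {
    Write-Warning "$Account does not hold SeServiceLogonRight; add it under User Rights Assignment."
}
if (Test-Path -Path $LogFile) {
    Find-StartupAuthFailure -Path $LogFile | Format-Table -AutoSize
}
```

Because secedit reports the effective local policy, this check also catches the case where the right was granted in gpedit.msc but later overwritten by a domain GPO.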
If you see this error, create a SQL Server login for the gMSA account in the form DOMAIN\gmsa_account_name$ (e.g., APMKERBEROS\SQLgMSA$). Include the trailing $ in the login name. Assign server roles (e.g., sysadmin, dbcreator) as needed.
Verify Service Principal Names (SPNs):
1. List the SPNs registered for the gMSA account:
   setspn -L <domain>\SQLgMSA$
   - Replace <domain> with your domain name (e.g., APMKERBEROS).
2. The output should include the SQL Server SPNs:
   MSSQLSvc/apm-krb-1.apmkerberos.com
   MSSQLSvc/apm-krb-1.apmkerberos.com:1433
3. If the SPNs are missing or registered incorrectly, remove any existing entries and register them again:
   setspn -D MSSQLSvc/apm-krb-1.apmkerberos.com <domain>\SQLgMSA$
   setspn -D MSSQLSvc/apm-krb-1.apmkerberos.com:1433 <domain>\SQLgMSA$
   setspn -A MSSQLSvc/apm-krb-1.apmkerberos.com <domain>\SQLgMSA$
   setspn -A MSSQLSvc/apm-krb-1.apmkerberos.com:1433 <domain>\SQLgMSA$
   - Replace the placeholders (<domain>, SQLgMSA, apm-krb-1) with your environment-specific values.
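The script below is an added example, not a command from the guide. It audits the MSSQLSvc SPNs with setspn, flags an SPN that is missing from the gMSA, and, more importantly, detects the same SPN held by a different account, which is the classic cause of "Kerberos Login failed" because the KDC cannot issue a ticket for an ambiguous SPN. It prints the corrective setspn commands instead of running them. Domain, account, host and port are the guide's samples; the gMSA's CN is assumed to equal its account name without the trailing $.

```powershell
# Added example (not from the guide): audit SQL Server SPNs for the gMSA and detect duplicates.
$Domain   = 'APMKERBEROS'                # guide's sample values
$Gmsa     = 'SQLgMSA$'
$SqlHost  = 'apm-krb-1.apmkerberos.com'
$Port     = 1433
$Expected = @("MSSQLSvc/$SqlHost", "MSSQLSvc/${SqlHost}:$Port")

function Get-AccountSpn {
    param([Parameter(Mandatory)][string]$Account)
    # setspn -L prints a header line followed by one indented SPN per line.
    & setspn.exe -L $Account | ForEach-Object { $_.Trim() } | Where-Object { $_ -like '*/*' }
}

function Get-SpnOwner {
    param([Parameter(Mandatory)][string]$Spn)
    # setspn -Q lists each directory object holding the SPN as a CN=... line.
    & setspn.exe -Q $Spn | ForEach-Object { $_.Trim() } | Where-Object { $_ -like 'CN=*' }
}

function Test-SqlSpn {
    param([string]$Domain, [string]$Gmsa, [string[]]$Expected)
    $account    = "$Domain\$Gmsa"
    $gmsaCn     = "CN=$($Gmsa.TrimEnd('$')),"      # assumption: CN matches the account name
    $registered = @(Get-AccountSpn -Account $account)

    foreach ($spn in $Expected) {
        $owners = @(Get-SpnOwner -Spn $spn)
        # Any owner other than the gMSA makes the SPN ambiguous for the KDC.
        $others = @($owners | Where-Object { $_ -notlike "$gmsaCn*" })
        $onGmsa = $registered -contains $spn
        $status = if ($others.Count -gt 0) { 'DUPLICATE' } elseif ($onGmsa) { 'OK' } else { 'MISSING' }
        [pscustomobject]@{
            Spn         = $spn
            OnGmsa      = $onGmsa
            OtherOwners = $others
            Status      = $status
        }
    }
}

$results = @(Test-SqlSpn -Domain $Domain -Gmsa $Gmsa -Expected $Expected)
$results | Format-Table -AutoSize

# Print, but do not run, the setspn commands that would correct each problem.
foreach ($r in $results | Where-Object { $_.Status -ne 'OK' }) {
    Write-Host "Suggested fix for $($r.Spn):"
    foreach ($owner in $r.OtherOwners) {
        Write-Host "  # currently held by: $owner"
        Write-Host "  setspn -D $($r.Spn) <account-of-that-object>"
    }
    if (-not $r.OnGmsa) { Write-Host "  setspn -A $($r.Spn) $Domain\$Gmsa" }
}
```

A DUPLICATE result means the SPN must be removed from the other object (often a stale computer account or an earlier SQL service account) before it is added to the gMSA; re-running setspn -A on the gMSA alone does not resolve the conflict.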