gMSA troubleshooting steps

Troubleshooting Guide for gMSA account issues in Applications Manager

This guide provides step-by-step instructions to resolve authentication issues when using a Group Managed Service Account (gMSA) with ManageEngine Applications Manager for SQL Server connectivity. 

Troubleshooting during Installation

If authentication via the gMSA account fails during the Applications Manager installation, follow these steps:

  1. Test the gMSA Account:

    • From the Applications Manager installation directory (the prompt below shows D:\ManageEngine\AppManager17), launch an interactive PowerShell session under the gMSA account with PsExec:
      D:\ManageEngine\AppManager17>\PSTools\PsExec.exe -i -u <domain>\SQLgMSA$ -p ~ powershell.exe -Command "powershell.exe"
      
      • Replace <domain> with your domain name (e.g., apmkerberos).
      • Replace SQLgMSA$ with your gMSA account name, keeping the trailing $ (e.g., SQLgMSA$).
      • -p ~ is used because a gMSA has no password you can type: the host retrieves it from Active Directory, which is exactly what this test exercises. If PsExec reports a logon failure at this point, the host cannot retrieve the password; go to step 4.

    • In the PowerShell window, test the SQL Server connection (Integrated Windows authentication as the gMSA):
      Invoke-Sqlcmd -ServerInstance '<sql_server>' -Database 'master' -Query 'select getdate()'
      
      • Replace <sql_server> with your SQL Server's hostname (e.g., sql-kerb-1).
      • A returned timestamp means the gMSA can log on to SQL Server. A login error points to the SQL login or SPN checks in the next section.

  2. Resolve "Invoke-Sqlcmd is not recognized" Error:

    • If you encounter the error:
      Invoke-Sqlcmd : The term 'Invoke-Sqlcmd' is not recognized as the name of a cmdlet, function, script file, or operable program.
      
    • Install the SqlServer module (this needs access to the PowerShell Gallery; on an offline host, run Save-Module on a connected machine and copy the module folder over):
      Install-Module -Name SqlServer
      
    • Import the module:
      Import-Module SqlServer
      
    • Verify the Invoke-Sqlcmd cmdlet:
      Get-Command Invoke-Sqlcmd
      
      
  3. Continue with Installation:

    • Return to the InstallShield window and proceed. If authentication still fails, continue with the next step.

  4. Verify gMSA Account Configuration:

    • On the Applications Manager host (e.g., apm-krb-1), which needs the Active Directory PowerShell module (RSAT), test whether this computer can retrieve the gMSA password:
      Test-ADServiceAccount SQLgMSA
      
       - Replace SQLgMSA with your gMSA account name.
       - Run this on the host itself: the cmdlet tests the local computer account, so the result on a domain controller says nothing about apm-krb-1.
    • The command should return True. If it returns False, the host's computer account is usually missing from the gMSA's PrincipalsAllowedToRetrieveManagedPassword list.
    • On the domain controller (e.g., apm-krb-dc1) or a machine with the Active Directory PowerShell module and rights to modify the gMSA object, grant the host that right:
      
      Set-ADServiceAccount -Identity SQLgMSA -PrincipalsAllowedToRetrieveManagedPassword "apm-krb-1$"
      
       - Replace SQLgMSA with your gMSA account name and apm-krb-1$ with the computer account of the Applications Manager host (include the $).
       - This parameter replaces the whole list. If other hosts or a group already use this gMSA, pass them as well (e.g., "apm-krb-1$","otherhost$"); otherwise they lose access to the password.
    • Verify the configuration:
      
      Get-ADServiceAccount SQLgMSA -Properties PrincipalsAllowedToRetrieveManagedPassword | Select-Object PrincipalsAllowedToRetrieveManagedPassword
      
      This should display your machine account (e.g., apm-krb-1$), shown as its distinguished name.
    • If the list is empty, on the domain member machine (e.g., apm-krb-1), run as administrator:
      
      Add-ADComputerServiceAccount -Identity apm-krb-1 -ServiceAccount SQLgMSA
      
       - Replace apm-krb-1 with your machine name and SQLgMSA with your gMSA account name.
       - This records the gMSA on the computer object (msDS-HostServiceAccount). It does not by itself grant the password-retrieval right, so the Set-ADServiceAccount step above is still required.
    • Re-verify on the domain controller (e.g., apm-krb-dc1):
      
      Get-ADServiceAccount SQLgMSA -Properties PrincipalsAllowedToRetrieveManagedPassword | Select-Object PrincipalsAllowedToRetrieveManagedPassword
    • Test again on the Applications Manager host:
      
      Test-ADServiceAccount SQLgMSA
      
       - It should return True. If the host was granted the right through a group, reboot the host (or purge its computer-account Kerberos tickets) so it picks up the new group membership.
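The checks in step 4 as one PowerShell script, an added example that is not part of this article or of Applications Manager. It runs on the Applications Manager host, tests retrieval, and, if the host is missing from PrincipalsAllowedToRetrieveManagedPassword, adds it while keeping the principals already on the list (which the bare Set-ADServiceAccount call above would overwrite). The gMSA name SQLgMSA, taking the host name from $env:COMPUTERNAME, and the presence of the RSAT ActiveDirectory module are assumptions.

```powershell
# Added example, not code from the Applications Manager KB or from ManageEngine.
# Run on the Applications Manager host (the computer that must retrieve the gMSA
# password). Assumes the ActiveDirectory module (RSAT) is installed and the user has
# rights to modify the gMSA object; the gMSA name and host name are assumptions.
Import-Module ActiveDirectory

$Gmsa        = 'SQLgMSA'                 # gMSA sAMAccountName without the trailing $
$HostAccount = "$env:COMPUTERNAME`$"     # this host's computer account, e.g. apm-krb-1$

function Test-GmsaRetrieval {
    # Test-ADServiceAccount checks whether the LOCAL computer account can retrieve
    # the managed password, so it only means something when run on the host itself.
    [bool](Test-ADServiceAccount -Identity $Gmsa)
}

function Get-AllowedPrincipals {
    # PrincipalsAllowedToRetrieveManagedPassword comes back as distinguished names;
    # resolve each to a sAMAccountName (computer accounts end in $, groups do not).
    $acct = Get-ADServiceAccount -Identity $Gmsa -Properties PrincipalsAllowedToRetrieveManagedPassword
    @($acct.PrincipalsAllowedToRetrieveManagedPassword | ForEach-Object {
        (Get-ADObject -Identity $_ -Properties sAMAccountName).sAMAccountName
    })
}

if (Test-GmsaRetrieval) {
    Write-Host "$HostAccount can already retrieve the password for $Gmsa."
}
else {
    $current = Get-AllowedPrincipals
    Write-Host "Allowed to retrieve the password now: $($current -join ', ')"

    if ($current -contains $HostAccount) {
        # The right is already granted but the test still fails: the host is probably
        # using a ticket issued before the change. Purge the computer account's
        # tickets (logon session 0x3e7 is SYSTEM) and retest; a reboot also works.
        Write-Warning "$HostAccount is already listed; purging machine tickets and retesting."
        klist -li 0x3e7 purge | Out-Null
    }
    else {
        # Set-ADServiceAccount REPLACES the list, so pass the existing principals plus
        # this host; passing only the new host would revoke every other principal.
        $principals = @($current) + $HostAccount
        Set-ADServiceAccount -Identity $Gmsa -PrincipalsAllowedToRetrieveManagedPassword $principals
        Write-Host "Granted $HostAccount the right to retrieve the password for $Gmsa."
    }

    if (Test-GmsaRetrieval) {
        Write-Host "OK: Test-ADServiceAccount returned True."
    }
    else {
        Write-Warning "Still False. If a group is listed, confirm this host is a member and reboot so it picks up the group SID; also allow time for AD replication to the DC this host uses."
    }
}
```

Run it from an elevated PowerShell session on the Applications Manager host as a domain user who may modify the gMSA. The script never shrinks the principal list, so it is safe to run on a second or third host that shares the same gMSA.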
      
      

Troubleshooting when Starting Applications Manager

If you encounter an "access denied" error when starting Applications Manager or SQL Server, follow these steps:

  1. Grant "Log on as a service" Right:

    • On the machine hosting SQL Server and Applications Manager, open the Local Group Policy Editor:
      gpedit.msc
      
    • Navigate to:
      Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment
      
    • Edit the "Log on as a service" policy and add the gMSA account (e.g., APMKERBEROS\SQLgMSA$).
      • If a domain GPO already defines "Log on as a service" for this host, it overrides the local setting; add the gMSA to that GPO instead and run gpupdate /force.
  2. Check for Startup Errors:

    • Start the Applications Manager service. If it fails, check StartUpLogs_out.txt for errors like:
      [10:59:58:902]|[06-04-2025]|[STARTUP_OUT]|[DEBUG]|[20]: Exception Message: Kerberos Login failed: Integrated authentication failed. ClientConnectionId:b4838d9e-9dfb-4f6f-bddd-89f6722b3f0b due to javax.security.auth.login.LoginException (Cannot get any of properties: [user, USER] from con properties not available to garner authentication information from the user)
      [10:59:58:918]|[06-04-2025]|[STARTUP_OUT]|[DEBUG]|[20]: CONSOLE LOG : Unable to login with database 'AMDB' due to SQL authentication failure.
      
    • If these errors appear, ensure a login exists for the gMSA in SQL Server:

      • Open SQL Server Management Studio (SSMS) and connect to your SQL Server instance.

      • In Object Explorer, expand Security, right-click Logins, and select New Login...

      • Enter the login name: DOMAIN\gmsa_account_name$ (e.g., APMKERBEROS\SQLgMSA$). Include the $.

      • Select Windows Authentication.

      • Under Server Roles, assign only the roles the installation needs. dbcreator lets the installer create AMDB; sysadmin grants full control of the instance and should be reserved for cases where the narrower roles fail.

      • Click OK.

      • (Optional) Map the login to a database:
        • Navigate to the database → Security → Users → New User...
        • Select the gMSA login and assign database roles.

  3. Verify Service Principal Names (SPNs):

    • Restart the Applications Manager service. If it fails with the same errors, check the SPNs registered on the gMSA. SQL Server runs as the gMSA on this host, so Kerberos authentication requires the MSSQLSvc SPNs for the instance to be on that account:
      setspn -L <domain>\SQLgMSA$
      
      • Replace <domain> with your domain name (e.g., APMKERBEROS).
      • Expected output for a default instance listening on port 1433 (a named instance is registered as MSSQLSvc/<fqdn>:<instance name> instead of the port):
        MSSQLSvc/apm-krb-1.apmkerberos.com
        MSSQLSvc/apm-krb-1.apmkerberos.com:1433
        
    • Also confirm that no other account holds the same SPNs (for example the computer account, if SQL Server previously ran as a built-in account). A duplicate SPN makes Kerberos fail even when the gMSA's own entries look correct:
      setspn -X
      
    • If SPNs are incorrect or missing, remove the wrong entries from whichever account holds them:
      setspn -D MSSQLSvc/apm-krb-1.apmkerberos.com <domain>\SQLgMSA$
      setspn -D MSSQLSvc/apm-krb-1.apmkerberos.com:1433 <domain>\SQLgMSA$
      
    • Register the correct SPNs. setspn -S checks the forest for a duplicate before adding, which -A does not; the host name must be the FQDN that Applications Manager uses to connect:
      setspn -S MSSQLSvc/apm-krb-1.apmkerberos.com <domain>\SQLgMSA$
      setspn -S MSSQLSvc/apm-krb-1.apmkerberos.com:1433 <domain>\SQLgMSA$
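The SQL login check (step 2) and the SPN check (step 3) as one PowerShell script, an added example that is not part of this article or of Applications Manager. It creates the Windows login only if it is missing, maps it into AMDB only when that database already exists (and skips the mapping when the gMSA already owns the database as dbo), and for each MSSQLSvc SPN searches the whole domain for every account holding it, so a duplicate on another account (which setspn -L on the gMSA would not reveal) is reported instead of silently added to. The FQDN apm-krb-1.apmkerberos.com, port 1433, the APMKERBEROS\SQLgMSA$ login, the dbcreator role as sufficient for the installer, and the SqlServer and ActiveDirectory modules are assumptions taken from the lab names in this article.

```powershell
# Added example, not code from the Applications Manager KB or from ManageEngine.
# Checks the two startup prerequisites in one pass: (1) a Windows login for the gMSA
# exists on the SQL Server instance and is mapped into AMDB; (2) the MSSQLSvc SPNs
# for that instance are registered on the gMSA and on no other account. Run as a
# domain user who is sysadmin on the instance and may edit the gMSA's SPNs.
# The SqlServer and ActiveDirectory modules are required; all names are assumptions.
Import-Module SqlServer
Import-Module ActiveDirectory

$SqlHostFqdn = 'apm-krb-1.apmkerberos.com'
$SqlPort     = 1433                     # default instance; a named instance uses MSSQLSvc/<fqdn>:<instance>
$GmsaSam     = 'SQLgMSA$'               # gMSA sAMAccountName (with the $)
$GmsaLogin   = "APMKERBEROS\$GmsaSam"   # SQL login / setspn form: DOMAIN\gMSA$
$Database    = 'AMDB'

# ---- 1. SQL Server login and AMDB user --------------------------------------
function Get-ScalarCount([string]$Db, [string]$Query) {
    # Runs a COUNT(*) AS n query with the caller's Windows credentials and returns n.
    [int](Invoke-Sqlcmd -ServerInstance $SqlHostFqdn -Database $Db -Query $Query).n
}

$loginExists = Get-ScalarCount master "SELECT COUNT(*) AS n FROM sys.server_principals WHERE name = N'$GmsaLogin';"
if ($loginExists -eq 0) {
    # dbcreator is assumed sufficient for the installer to create AMDB; it is far
    # narrower than sysadmin. Widen only if the installer reports a permissions error.
    $createLogin = @"
CREATE LOGIN [$GmsaLogin] FROM WINDOWS;
ALTER SERVER ROLE [dbcreator] ADD MEMBER [$GmsaLogin];
"@
    Invoke-Sqlcmd -ServerInstance $SqlHostFqdn -Database master -Query $createLogin
    Write-Host "Created Windows login $GmsaLogin with dbcreator."
}
else {
    Write-Host "Login $GmsaLogin already exists."
}

$dbExists = Get-ScalarCount master "SELECT COUNT(*) AS n FROM sys.databases WHERE name = N'$Database';"
if ($dbExists -gt 0) {
    # Match on SID rather than name: if the gMSA created AMDB it is already 'dbo'
    # and CREATE USER would fail with "login already has an account".
    $mapUser = @"
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE sid = SUSER_SID(N'$GmsaLogin'))
BEGIN
    CREATE USER [$GmsaLogin] FOR LOGIN [$GmsaLogin];
    ALTER ROLE [db_owner] ADD MEMBER [$GmsaLogin];
END
"@
    Invoke-Sqlcmd -ServerInstance $SqlHostFqdn -Database $Database -Query $mapUser
    Write-Host "$GmsaLogin is mapped into $Database."
}

# ---- 2. MSSQLSvc SPNs on the gMSA -------------------------------------------
# SQL Server runs as the gMSA on this host, so Kerberos needs the MSSQLSvc SPNs on
# that account. A missing SPN, or one registered on a second account, produces the
# "Kerberos Login failed" entry seen in StartUpLogs_out.txt.
$expectedSpns = @("MSSQLSvc/$SqlHostFqdn", "MSSQLSvc/${SqlHostFqdn}:$SqlPort")

foreach ($spn in $expectedSpns) {
    # Search the whole domain for every object holding this SPN; this catches a
    # duplicate on a computer or other service account that setspn -L would not show.
    $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties sAMAccountName |
                 ForEach-Object { $_.sAMAccountName })
    if ($holders.Count -eq 0) {
        # -S verifies there is no duplicate anywhere in the forest before adding
        & setspn -S $spn $GmsaLogin | Out-Null
        Write-Host "Registered $spn on $GmsaLogin."
    }
    elseif ($holders.Count -eq 1 -and $holders[0] -eq $GmsaSam) {
        Write-Host "$spn is correctly registered on $GmsaSam."
    }
    else {
        # Never add a second copy: remove the SPN from the wrong account with
        # setspn -D, then rerun this script.
        Write-Warning "$spn is held by: $($holders -join ', '). Expected only $GmsaSam."
    }
}
```

Run it from an elevated PowerShell session on the Applications Manager host, then restart the Applications Manager service and recheck StartUpLogs_out.txt. The SPN loop is read-only when anything unexpected is found, so it cannot create the duplicate it is checking for.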
      
      

Final Notes

  • Run local commands from an elevated prompt; the Active Directory cmdlets and setspn additionally need rights to modify the gMSA object in the domain.
  • Replace placeholders (e.g., <domain>, SQLgMSA, apm-krb-1) with your environment-specific values.
  • Restart the Applications Manager service after each step and verify functionality. If issues persist, recheck logs and configurations.
