gMSA troubleshooting steps
Troubleshooting Guide for GMSA account issues in Applications Manager
This guide provides step-by-step instructions to resolve authentication issues when using a Group Managed Service Account (gMSA) with ManageEngine Applications Manager for SQL Server connectivity.
Troubleshooting during Installation
If authentication via the gMSA account fails in the Applications Manager installation process, follow these steps:
Test the gMSA Account:
- Open a command prompt and run the following command to launch PowerShell under the gMSA account:
D:\ManageEngine\AppManager17>\PSTools\PsExec.exe -i -u <domain>\SQLgMSA$ -p ~ powershell.exe -Command "powershell.exe"- Replace
<domain>with your domain name (e.g.,apmkerberos). - Replace
SQLgMSA$with your gMSA account name (e.g.,SQLgMSA$).
- Replace
- In the PowerShell window, test the SQL Server connection:
Invoke-Sqlcmd -ServerInstance '<sql_server>' -Database 'master' -Query 'select getdate()'- Replace
<sql_server>with your SQL Server's hostname (e.g.,sql-kerb-1).
- Replace
Resolve "Invoke-Sqlcmd is not recognized" Error:
- If you encounter the error:
Invoke-Sqlcmd : The term 'Invoke-Sqlcmd' is not recognized as the name of a cmdlet, function, script file, or operable program. - Install the
SqlServermodule:Install-Module -Name SqlServer - Import the module:
Import-Module SqlServer - Verify the
Invoke-Sqlcmdcmdlet:Get-Command Invoke-Sqlcmd
Continue with Installation:
- Return to the Install Shield window and proceed. If authentication still fails, proceed to the next step.
- Return to the Install Shield window and proceed. If authentication still fails, proceed to the next step.
Verify gMSA Account Configuration:
- Test the gMSA account:
Test-ADServiceAccount SQLgMSA- Replace SQLgMSA with your gMSA account name. The command should return
True. If it returnsFalse:On the domain controller
apm-krb-dc1or a machine with the Active Directory PowerShell module and domain admin rights, run: Set-ADServiceAccount -Identity SQLgMSA -PrincipalsAllowedToRetrieveManagedPassword "apm-krb-1$" - Replace SQLgMSA with your gMSA account name andapm-krb-1$with your machine account name.Verify the configuration: Get-ADServiceAccount SQLgMSA -Properties PrincipalsAllowedToRetrieveManagedPassword | Select-Object PrincipalsAllowedToRetrieveManagedPassword This should display your machine account (e.g.,
apm-krb-1$).If the list is empty, on the domain member machine (e.g.,
apm-krb-1), run as administrator: Add-ADComputerServiceAccount -Identity apm-krb-1 -ServiceAccount SQLgMSA - Replaceapm-krb-1with your machine name and SQLgMSA with your gMSA account name.Re-verify on the domain controller (
apm-krb-dc1): Get-ADServiceAccount SQLgMSA -Properties PrincipalsAllowedToRetrieveManagedPassword | Select-Object PrincipalsAllowedToRetrieveManagedPasswordTest again: Test-ADServiceAccount SQLgMSA - It should return
True.
Troubleshooting when Starting Applications Manager
If you encounter an "access denied" error when starting Applications Manager or SQL Server, follow these steps:
Grant "Log on as a service" Right:
- On the machine hosting SQL Server and Applications Manager, open the Group Policy Editor:
gpedit.msc - Navigate to:
Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment - Edit the "Log on as a service" policy and add the gMSA account (e.g.,
APMKERBEROS\SQLgMSA$).
Check for Startup Errors:
- Start the Applications Manager service. If it fails, check
StartUpLogs_out.txtfor errors like:[10:59:58:902]|[06-04-2025]|[STARTUP_OUT]|[DEBUG]|[20]: Exception Message: Kerberos Login failed: Integrated authentication failed. ClientConnectionId:b4838d9e-9dfb-4f6f-bddd-89f6722b3f0b due to javax.security.auth.login.LoginException (Cannot get any of properties: [user, USER] from con properties not available to garner authentication information from the user) [10:59:58:918]|[06-04-2025]|[STARTUP_OUT]|[DEBUG]|[20]: CONSOLE LOG : Unable to login with database 'AMDB' due to SQL authentication failure. - If these errors appear, ensure a login exists for the gMSA in SQL Server:
- Open SQL Server Management Studio (SSMS) and connect to your SQL Server instance.
- In Object Explorer, expand Security, right-click Logins, and select New Login...
- Enter the login name:
DOMAIN\gmsa_account_name$(e.g.,APMKERBEROS\SQLgMSA$). Include the$. - Select Windows Authentication.
- Under Server Roles, assign roles (e.g.,
sysadmin,dbcreator) as needed. - Click OK.
- (Optional) Map the login to a database:
- Navigate to the database → Security → Users → New User...
- Select the gMSA login and assign database roles.
- Open SQL Server Management Studio (SSMS) and connect to your SQL Server instance.
Verify Service Principal Names (SPNs):
- Restart the Applications Manager service. If it fails with the same errors, check SPNs:
setspn -L <domain>\SQLgMSA$- Replace
<domain>with your domain name (e.g.,APMKERBEROS). - Expected output:
MSSQLSvc/apm-krb-1.apmkerberos.com MSSQLSvc/apm-krb-1.apmkerberos.com:1433
- Replace
- If SPNs are incorrect or missing, remove them:
setspn -D MSSQLSvc/apm-krb-1.apmkerberos.com <domain>\SQLgMSA$ setspn -D MSSQLSvc/apm-krb-1.apmkerberos.com:1433 <domain>\SQLgMSA$ - Register correct SPNs:
setspn -A MSSQLSvc/apm-krb-1.apmkerberos.com <domain>\SQLgMSA$ setspn -A MSSQLSvc/apm-krb-1.apmkerberos.com:1433 <domain>\SQLgMSA$
Final Notes
- Run all commands with administrative privileges.
- Replace placeholders (e.g.,
<domain>,SQLgMSA,apm-krb-1) with your environment-specific values. - Restart the Applications Manager service after each step and verify functionality. If issues persist, recheck logs and configurations.
New to ADSelfService Plus?
Related Articles
Real User Monitor (RUM) - Troubleshooting
If the monitor has not polled data for a long time, follow the below steps for troubleshooting. Step 1: Check the RUM Agent configuration Real User Monitor requires the RUM Agent to be installed and mapped to the Applications Manager. Refer this help ...Enabling gMSA Account Authentication for SQL Server In Applications Manager
Using a gMSA Account for Applications Manager's SQL Server Backend Important prerequisites before starting the installation: A gMSA account can only be used when Applications Manager is running as a service on Windows platform. To use gMSA account ...Troubleshooting steps for Server Hardware Health Monitoring
1. SNMP Mode of monitoring: Monitoring Dell hardware status: Dell OpenManage Server Administrator and make sure SNMP agent is enabled Installation steps: http://www.dell.com/downloads/global/power/ps2q06-20050112-Lou-OE.pdf Monitoring HP hardware ...APMInsight Guided-Installation Troubleshooting Steps
Steps to troubleshoot errors while executing the Guided-Installation command: (Applicable for APM v172100 & above) Prerequisite: Connectivity: Ensure that a connection between the Applications Manager server and the application server is established. ...IIS Server monitor - Troubleshooting steps
Unable to add IIS Server monitor Follow the below given below to add an IIS server monitor in Applications Manager: First, check whether all the prerequisites are done. Check the IIS Server URL is accessible from Applications Manager server. If your ...