Article ID: CTX553488
Description
After changing logon account to gMSA, the Norskale Infrastructure Service can't start due to error 1069 "The service did not start due to a logon failure"

Resolution
One of the benefits of a gMSA account is that domain administrators don't need to schedule password changes or manage service outages.
To integrate gMSA account with Workspace Environment Management, we introduce the configuration of gMSA account for Norskale Broker in the steps below:
https://docs.citrix.com/en-us/workspace-environment-management/current-release/install-and-configure/infrastructure-services.html#group-managed-service-account
However, there are several tips to make the gMSA account work as expected:
1. Make sure the configured gMSA account is granted the "Log on as a Service" right on the WEM server.
Open Local Security Policy > Security Settings > Local Policies > User Rights Assignment > Log on as a Service, and verify that the gMSA account is listed there.
2. Allow the WEM servers to retrieve the password of the gMSA account from AD by setting the allowed principals:
Set-ADServiceAccount [-Identity] ITFarm1 -PrincipalsAllowedToRetrieveManagedPassword Host1$,Host2$,Host3$
Example:
Set-ADServiceAccount -Identity TestGMSA -PrincipalsAllowedToRetrieveManagedPassword W2K19TEST
Additionally, uncheck the setting "Enable Windows account impersonation" in the WEM Infrastructure Service Configuration utility.
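The following script, added here as an example and not part of the Citrix article or of WEM, checks the prerequisites above from the WEM server itself: whether this host may retrieve the managed password, whether the gMSA holds the "Log on as a service" right, and whether the service is actually running under the gMSA. It assumes the gMSA is named TestGMSA (the article's example name), that the service's display name is "Norskale Infrastructure Service", and that the ActiveDirectory RSAT module is installed; run it elevated, since secedit needs administrator rights.

```powershell
# Added example (not Citrix code). Assumptions: gMSA named TestGMSA, service
# display name "Norskale Infrastructure Service", ActiveDirectory module present.
param(
    [string]$GmsaName = 'TestGMSA',
    [string]$ServiceDisplayName = 'Norskale Infrastructure Service'
)
Import-Module ActiveDirectory -ErrorAction Stop

$gmsa = Get-ADServiceAccount -Identity $GmsaName `
        -Properties PrincipalsAllowedToRetrieveManagedPassword
$thisHost = Get-ADComputer -Identity $env:COMPUTERNAME

# Check 1: may this host retrieve the managed password?
#   - direct view: this computer's DN is in PrincipalsAllowedToRetrieveManagedPassword
#     (access granted through a group is not resolved here)
#   - authoritative view: Test-ADServiceAccount performs the retrieval on this host;
#     it returns $false if the account was never installed with Install-ADServiceAccount
$allowedDns = @($gmsa.PrincipalsAllowedToRetrieveManagedPassword)
$listedDirectly = $allowedDns -contains $thisHost.DistinguishedName
$canRetrieve = Test-ADServiceAccount -Identity $GmsaName

# Check 2: "Log on as a service" (SeServiceLogonRight) must include the gMSA.
# secedit exports the right as a list of SIDs prefixed with '*', so compare
# against the account's SID rather than its name.
$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$rightLine = Get-Content $inf | Where-Object { $_ -like 'SeServiceLogonRight*' }
$hasLogonRight = [bool]($rightLine -and ($rightLine -match [regex]::Escape($gmsa.SID.Value)))
Remove-Item $inf -ErrorAction SilentlyContinue

# Check 3: the service must run as the gMSA (logon name DOMAIN\name$, no password).
$svc = Get-CimInstance Win32_Service -Filter "DisplayName='$ServiceDisplayName'"
$runsAsGmsa = [bool]($svc -and ($svc.StartName -like "*\$GmsaName`$"))
$state = if ($svc) { $svc.State } else { 'service not found' }

[pscustomobject]@{
    Host                     = $env:COMPUTERNAME
    ListedAsAllowedPrincipal = $listedDirectly
    CanRetrievePassword      = $canRetrieve
    HasLogOnAsServiceRight   = $hasLogonRight
    ServiceRunsAsGmsa        = $runsAsGmsa
    ServiceState             = $state
}
```

If CanRetrievePassword is $false while ListedAsAllowedPrincipal is $true, the account is typically not yet installed on the host; if HasLogOnAsServiceRight is $false, error 1069 is expected at service start.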
Problem Cause
The gMSA account is not fully configured to allow the Norskale Infrastructure Service on the WEM broker (infrastructure) servers to start and to retrieve its automatically managed password.
Issue/Introduction
gMSA account configuration in WEM
Additional Information
Group-managed service accounts (gMSAs) are domain accounts to help secure services.
After you configure your services to use a gMSA principal, account password management is handled by the Windows operating system (OS), and their passwords are randomly generated and automatically rotated.
The service accounts themselves are ‘installed’ on the server that is to query the password information from Active Directory at their run time.
Reference:
https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/service-accounts-group-managed