
How to Impersonate as Group Managed Service Account (GMSA) in Application


Hi,

    We are running into the following issue while trying to impersonate the gMSA account from a program that is NOT a Windows Service. We would like to know how we can use the gMSA account in a program which is not a Windows Service.

Here are our steps:

  1. We created a gMSA (vayu\TestgMSA$) on the Domain Controller, and this gMSA can be used on Machine A, which is a member server of the domain used (Domain Name: Vayu).
  2. We configured a Windows Service (SQL Server Service) on Machine 1 to log on using this gMSA account with an empty password and verified that the Service is able to run using the gMSA account successfully.
  3. We wrote a simple test application (it is NOT a Windows Service) and we are trying to impersonate the gMSA in this application.

Here is the code. We are passing the user and domain name to the LogonUser API and an empty string as the password, because we are expecting the API to retrieve the password on its own.

+++++++++++++++++++++++++++++++++++++++++++++

#include <windows.h>
#include <iostream>
using namespace std;

int main()
{
    HANDLE tokenHandle = NULL;

    // LogonUserA is the narrow-string variant, so the char* literals compile
    // even when the project defines UNICODE. The empty password is the point
    // of the test: the expectation was that the API fetches the gMSA password.
    BOOL bRet = LogonUserA("TestgMSA$", "vayu", "", LOGON32_LOGON_BATCH,
                           LOGON32_PROVIDER_DEFAULT, &tokenHandle);

    if (!bRet)
    {
       cout << "Logon failed with error code: " << GetLastError() << endl;
       return -1;
    }

    if (!ImpersonateLoggedOnUser(tokenHandle))
    {
       cout << "User impersonation failed! error code: " << GetLastError() << endl;
       CloseHandle(tokenHandle);
       return -1;
    }

    // ... work to be done under the gMSA identity would go here ...

    RevertToSelf();          // drop the impersonation before the thread exits
    CloseHandle(tokenHandle);
    return 0;
}

+++++++++++++++++++++++++++++++++++++++++++++

Here is the command showing that the machine on which this code is run has been configured to be able to retrieve the gMSA password:

+++++++++++++++++++++++++++++++++++++++++++++

PS C:\Users\Administrator.VAYU> Test-ADServiceAccount TestgMSA

True

++++++++++++++++++++++++++++++++++++++++++++

 

However, when we run the above code on Machine A as a Domain Administrator user (vayu\Administrator), it fails with the following output:

+++++++++++++++++++++++++++++++++++++++++++++

Logon failed with error code: 1326

Error Description: The user name or password is incorrect

+++++++++++++++++++++++++++++++++++++++++++++

We investigated further to determine which of the two, User Name or Password, is incorrect here, and with the details below we are able to confirm that an incorrect password is being used.

The following Logon Failure event is logged in Event Viewer with the Sub Status field set to 0xC000006A. The description for Sub Status 0xC000006A is "user name is correct but the password is wrong", which verifies that the provided user name vayu\TestgMSA$ is indeed correct, but that somehow the program is not able to retrieve the password for this gMSA account from AD, even though the machine on which this program is running has been configured to be able to retrieve the gMSA password.

+++++++++++++++++++++++++++++++++++++++++++++

An account failed to log on.

Subject:
      Security ID:      VAYU\Administrator
      Account Name:     Administrator
      Account Domain:   VAYU
      Logon ID:         0x60120A

Logon Type:             4

Account For Which Logon Failed:
      Security ID:      NULL SID
      Account Name:     TestgMSA$
      Account Domain:   vayu

Failure Information:
      Failure Reason:   Unknown user name or bad password.
      Status:           0xC000006D
      Sub Status:       0xC000006A

Process Information:
      Caller Process ID:      0x1814
      Caller Process Name:    C:\Test\TryLogin_GMSA.exe

Detailed Authentication Information:
      Logon Process:          Advapi
      Authentication Package: Negotiate
      Transited Services:     -
      Package Name (NTLM only):     -
      Key Length:       0

+++++++++++++++++++++++++++++++++++++++++++++

Are we missing any additional configuration, either on the user account being used to launch this program (vayu\Administrator) or on the gMSA account (vayu\TestgMSA$) itself?

We saw some discussion regarding this at https://social.technet.microsoft.com/Forums/lync/en-US/7aec7a1e-7b5f-4fa1-abf7-ce00a0c5356a/impersonate-as-group-managed-service-account-gmsa-in-windows-2012?forum=winserverDS and tried to implement the following suggestion from the post.

“If you wanted your code sample to work, you could configure the security context your code is running as to delegate to your gMSA with protocol transition ("Any protocol" in the UI).” In our case, the security context our code is running as is a domain user (vayu\Administrator), so we tried the following settings for SPN registration and Kerberos delegation. Maybe we are doing something wrong here. Any help regarding this will be highly appreciated.

SPNs for vayu\TestgMSA$

    MSSQLSvc/VISHALCLIENT.VAYU.COMMVAULT.COM:VISHALSQL
    MSSQLSvc/VISHALCLIENT.VAYU.COMMVAULT.COM:63254

SPNs for vayu\Administrator

    CVAPP/VISHALCLIENT.vayu.commvault.com
    CVAPP/VISHALCLIENT

Delegation Settings for vayu\Administrator

    Trust this user for delegation to specified services only
    --> Use any authentication protocol
    ----> Services to which this account can present delegated credentials

        Service Type   User or Computer                    Port
        MSSQLSvc       VISHALCLIENT.VAYU.COMMVAULT.COM     63254
        MSSQLSvc       VISHALCLIENT.VAYU.COMMVAULT.COM     VISHALSQL

With Kind Regards,

Vishal Khule.
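Added example, not code from the post above and not a Microsoft sample. Background for it: LogonUser always validates a password supplied by the caller and never looks up a gMSA's managed password, so the empty string in the test program is compared against the real password and the logon fails with Sub Status 0xC000006A. A process that is not a service can still get at that password the same way the local LSA does for a service: by reading the msDS-ManagedPassword attribute from a host that is listed in PrincipalsAllowedToRetrieveManagedPassword. The PowerShell below decodes that attribute's MSDS-MANAGEDPASSWORD_BLOB (layout per MS-ADTS section 2.2.19) and wraps the current password in a PSCredential. It includes a constructed sample blob so the parser can be exercised offline. The account and domain names (TestgMSA, vayu) are taken from the post; the sample passwords, the function names and the psexec usage hint are assumptions made for the illustration.

```powershell
# Added example (not the poster's code): decode a gMSA msDS-ManagedPassword blob
# per MS-ADTS 2.2.19 and turn the current password into a PSCredential.
# TestgMSA / vayu are from the post; sample passwords, function names and the
# psexec hint are assumptions made for this illustration.

function ConvertFrom-ManagedPasswordBlob {
    param([Parameter(Mandatory)][byte[]]$Blob)

    # MSDS-MANAGEDPASSWORD_BLOB header, little-endian:
    #   Version(2) Reserved(2) Length(4) CurrentPasswordOffset(2)
    #   PreviousPasswordOffset(2) QueryPasswordIntervalOffset(2)
    #   UnchangedPasswordIntervalOffset(2)
    $version = [BitConverter]::ToUInt16($Blob, 0)
    if ($version -ne 1) { throw "Unsupported blob version $version" }
    $length = [BitConverter]::ToUInt32($Blob, 4)
    if ($length -ne $Blob.Length) { throw "Length field $length does not match blob size $($Blob.Length)" }
    $curOff  = [BitConverter]::ToUInt16($Blob, 8)
    $prevOff = [BitConverter]::ToUInt16($Blob, 10)   # 0 when there is no previous password
    $qpiOff  = [BitConverter]::ToUInt16($Blob, 12)
    $upiOff  = [BitConverter]::ToUInt16($Blob, 14)

    # Passwords are null-terminated UTF-16LE strings. A real gMSA password is 128
    # random code units and may contain unpaired surrogates, which
    # Encoding.Unicode.GetString would replace with U+FFFD, so the string is
    # rebuilt from the raw code units instead.
    $readWString = {
        param([byte[]]$b, [int]$off)
        $units = New-Object System.Collections.Generic.List[char]
        for ($i = $off; ($i + 1) -lt $b.Length; $i += 2) {
            $unit = [BitConverter]::ToUInt16($b, $i)
            if ($unit -eq 0) { break }
            $units.Add([char]$unit)
        }
        [string]::new($units.ToArray())
    }

    $current  = & $readWString $Blob $curOff
    $previous = $null
    if ($prevOff -ne 0) { $previous = & $readWString $Blob $prevOff }

    [pscustomobject]@{
        CurrentPassword           = $current
        PreviousPassword          = $previous
        # Both intervals are 100-ns ticks, the same unit as TimeSpan.Ticks.
        QueryPasswordInterval     = [TimeSpan]::FromTicks([BitConverter]::ToInt64($Blob, $qpiOff))
        UnchangedPasswordInterval = [TimeSpan]::FromTicks([BitConverter]::ToInt64($Blob, $upiOff))
    }
}

function New-SampleManagedPasswordBlob {
    # Constructed test data, not a real DC response; same layout as above.
    param([string]$CurrentPassword = 'S3cretTestPw!', [string]$PreviousPassword = 'OldTestPw!')
    $cur  = [System.Text.Encoding]::Unicode.GetBytes($CurrentPassword + "`0")
    $prev = [System.Text.Encoding]::Unicode.GetBytes($PreviousPassword + "`0")
    $curOff  = 16
    $prevOff = $curOff + $cur.Length
    $end     = $prevOff + $prev.Length
    $qpiOff  = $end + ((8 - ($end % 8)) % 8)                  # QWORD-align the intervals
    $upiOff  = $qpiOff + 8
    $blob = New-Object byte[] ($upiOff + 8)
    [BitConverter]::GetBytes([uint16]1).CopyTo($blob, 0)            # Version
    [BitConverter]::GetBytes([uint32]$blob.Length).CopyTo($blob, 4)  # Length
    [BitConverter]::GetBytes([uint16]$curOff).CopyTo($blob, 8)
    [BitConverter]::GetBytes([uint16]$prevOff).CopyTo($blob, 10)
    [BitConverter]::GetBytes([uint16]$qpiOff).CopyTo($blob, 12)
    [BitConverter]::GetBytes([uint16]$upiOff).CopyTo($blob, 14)
    $cur.CopyTo($blob, $curOff)
    $prev.CopyTo($blob, $prevOff)
    [BitConverter]::GetBytes([int64][TimeSpan]::FromDays(25).Ticks).CopyTo($blob, $qpiOff)
    [BitConverter]::GetBytes([int64][TimeSpan]::FromDays(5).Ticks).CopyTo($blob, $upiOff)
    $blob
}

function Get-GmsaCredential {
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$Domain)
    # Needs the RSAT ActiveDirectory module. The DC returns msDS-ManagedPassword
    # only over a sealed LDAP session (Get-ADServiceAccount uses one) and only to
    # a caller listed in PrincipalsAllowedToRetrieveManagedPassword, normally the
    # computer account rather than the logged-on admin.
    Import-Module ActiveDirectory -ErrorAction Stop
    $acct = Get-ADServiceAccount -Identity $Name -Properties 'msDS-ManagedPassword' -ErrorAction Stop
    $blob = [byte[]]$acct.'msDS-ManagedPassword'
    if (-not $blob) { throw 'msDS-ManagedPassword was not returned: this caller is not allowed to retrieve it' }
    $pw = (ConvertFrom-ManagedPasswordBlob -Blob $blob).CurrentPassword
    $secure = ConvertTo-SecureString -String $pw -AsPlainText -Force
    [pscredential]::new("$Domain\$Name`$", $secure)
}

# Offline self-check of the parser against the constructed blob.
$parsed = ConvertFrom-ManagedPasswordBlob -Blob (New-SampleManagedPasswordBlob)
if ($parsed.CurrentPassword -ne 'S3cretTestPw!' -or $parsed.PreviousPassword -ne 'OldTestPw!') {
    throw 'blob parser self-check failed'
}
"Parser OK; next password query due in $($parsed.QueryPasswordInterval.TotalDays) days"

# On a domain-joined host listed in PrincipalsAllowedToRetrieveManagedPassword, run
# as SYSTEM (e.g. psexec -s powershell.exe) so the computer account is the LDAP caller:
#   $cred = Get-GmsaCredential -Name 'TestgMSA' -Domain 'vayu'
#   Start-Process -FilePath cmd.exe -ArgumentList '/k whoami' -Credential $cred
```

Two points to check against the configuration in the post. First, Test-ADServiceAccount reports whether this computer can use the account; it does not mean the interactive user running it (vayu\Administrator) is allowed to read msDS-ManagedPassword, and the DC silently omits the attribute for callers that are not in PrincipalsAllowedToRetrieveManagedPassword, which is why the function above treats an empty result as an error. Second, the "Trust this user for delegation ... Use any authentication protocol" setting quoted from the other thread is about S4U logons (LsaLogonUser with KERB_S4U_LOGON, which takes no password at all), not about LogonUser, and enabling it on a Domain Admin account lets that account obtain service tickets to the listed services on behalf of any user, so it should not be left in place for a test.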
