Product: PowerShell Universal
Version: 5.4.1
IIS Install/SQL Express
AppPool ID: LocalSystem
Greetings, first post here!
I am struggling through the initial learning curve of PSU and trying to use a gMSA to run a script. I’m experienced in the ways of gMSA, so it’s been properly created and the local machine has rights to retrieve the password. The account has both “Log on as a batch job” and “Log on as a service” rights.
I’ve registered the gMSA as a PSCredential variable (DOMAIN\user$), and checked the box for “Password not required”. No test can be performed on the credential, as for standard accounts. I assume this is a limitation of gMSAs.
I can select the credential in the script properties. All good. But when running the script, I get:
Error executing job: Failed to login user (1326). System.ComponentModel.Win32Exception (1326): The user name or password is incorrect.
In the Windows Security Log, I see confirmation that IIS is initiating the logon, but finding “Unknown user name or bad password”:
Subject:
    Security ID: SYSTEM
    Account Name: MYCOMPUTER$
    Account Domain: MYDOMAIN
    Logon ID: 0x3E7
Logon Type: 4
Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name: svc_gMSA$
    Account Domain: MYDOMAIN
Failure Information:
    Failure Reason: Unknown user name or bad password.
    Status: 0xC000006D
    Sub Status: 0xC000006A
Process Information:
    Caller Process ID: 0x1048
    Caller Process Name: C:\Windows\System32\inetsrv\w3wp.exe
The IIS app pool is running under LocalSystem. From the docs I understand that if I were to run it under a custom service account, then I could not use alternate credentials.
How does one get this working?
Thank you!
Just to cover a few additional bases:
- forwardWindowsAuthToken is set to “true”
- Using a standard AD account as alternate credentials works fine
- Tried granting additional User Rights in Local Security Policy: Impersonate a client after authentication, Replace a process level token, Obtain an impersonation token for another user in the same session
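As an added troubleshooting aid (this is not code from the original post nor from PowerShell Universal), the following script checks the two things the event above points at from the defender's side: whether the IIS host can actually retrieve the gMSA's managed password, and what the 4625 Status/SubStatus codes for that account decode to. It assumes the gMSA sAMAccountName `svc_gMSA` and domain from the posted event, that the ActiveDirectory RSAT module is installed, and that it runs elevated on the IIS host; the sub-status table is limited to the NTSTATUS values that commonly appear in batch-logon failures.

```powershell
# Added diagnostic example; not part of the original post and not PowerShell Universal code.
# Assumptions: gMSA sAMAccountName 'svc_gMSA' (from the posted 4625 event), RSAT ActiveDirectory
# module present, script run elevated on the IIS host that performs the logon.
#Requires -RunAsAdministrator
param(
    [string]$ServiceAccount = 'svc_gMSA',   # sAMAccountName without the trailing '$'
    [int]$Hours = 24                        # how far back to search the Security log
)

Import-Module ActiveDirectory

# 1. Can this host retrieve the gMSA password? Test-ADServiceAccount returns $false when the
#    computer is not among PrincipalsAllowedToRetrieveManagedPassword (or the KDS root key is
#    not yet usable), which is the first thing to rule out before blaming the application.
$canRetrieve = Test-ADServiceAccount -Identity $ServiceAccount
$acct = Get-ADServiceAccount -Identity $ServiceAccount `
        -Properties PrincipalsAllowedToRetrieveManagedPassword
[pscustomobject]@{
    Account           = $acct.SamAccountName
    HostCanRetrievePw = $canRetrieve
    AllowedPrincipals = ($acct.PrincipalsAllowedToRetrieveManagedPassword -join '; ')
}

# 2. Decode recent 4625 (logon failure) events for the gMSA. Event XML stores the codes as
#    lowercase hex, the rendered message as uppercase, so compare case-insensitively.
$subStatusText = @{
    '0xc0000064' = 'STATUS_NO_SUCH_USER: account not found by the authenticating DC'
    '0xc000006a' = 'STATUS_WRONG_PASSWORD: the password supplied to LogonUser was rejected'
    '0xc000006f' = 'STATUS_INVALID_LOGON_HOURS'
    '0xc0000072' = 'STATUS_ACCOUNT_DISABLED'
    '0xc000015b' = 'STATUS_LOGON_TYPE_NOT_GRANTED: missing "Log on as a batch job/service" right'
}

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
          -ErrorAction SilentlyContinue

foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    # Only the gMSA's failures; TargetUserName carries the trailing '$' for machine-style accounts.
    if ($d.TargetUserName -ne "$ServiceAccount`$") { continue }

    [pscustomobject]@{
        Time      = $e.TimeCreated
        LogonType = $d.LogonType          # 4 = batch, as in the posted event
        Caller    = $d.ProcessName        # expect w3wp.exe when IIS initiates the logon
        Status    = $d.Status
        SubStatus = $d.SubStatus
        Meaning   = $subStatusText[$d.SubStatus.ToLower()]
    }
}
```

Run it as `.\Diagnose-GmsaLogon.ps1 -ServiceAccount svc_gMSA -Hours 6` (file name is an assumption). If `HostCanRetrievePw` is `$false`, the failure is in the gMSA retrieval permission rather than in the application; if it is `$true` and the events still decode to `STATUS_WRONG_PASSWORD`, the application is presenting an explicit password to `LogonUser` instead of letting the machine obtain the managed password, which narrows the investigation to how the credential is passed rather than to AD.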