SPN missing error when adding a second AD FS server using a Group Managed Service Account (gMSA). We did not see any issues configuring the first node, but started getting different errors while adding another node to the ADFS 2016 farm: the configuration failed in both the GUI and PowerShell, with permission- and SPN-related errors.
The following errors appeared while adding the second node to the ADFS 2016 farm using the gMSA:
username or password incorrect
There were no SPNs set on the following service account ‘Domain\Service-ADFS$’. Specify the service account used to configure the other Federation Servers in the farm, or set host SPN for the farm on the service account.
Unable to determine the Service SPN. There were no SPNs set on the following service account ‘Domain\Service-ADFS$’. Specify the service account used to configure the other Federation Servers in the farm, or set host SPN for the farm on the service account
Check which SPNs are currently registered on the gMSA account:
setspn -L Service-adfs
Check which principals are allowed to retrieve the gMSA password (the permission the additional node needs in order to install the account):
Get-ADServiceAccount Service-adfs -Properties PrincipalsAllowedToRetrieveManagedPassword | Select-Object Name,PrincipalsAllowedToRetrieveManagedPassword | Format-List
The PrincipalsAllowedToRetrieveManagedPassword attribute should list the DNs of both the first and the second ADFS server.
If the second ADFS server is missing from that list, add it to fix the permission issue:
# Read the principals that are currently allowed to retrieve the password
$adfsgmsaaccount = Get-ADServiceAccount Service-adfs -Properties PrincipalsAllowedToRetrieveManagedPassword
# New principals: the admin user running the setup and the second ADFS server
$DNofprincipals = @(
    (Get-ADUser MyAdminUser).DistinguishedName,
    (Get-ADComputer ADFSserver02).DistinguishedName
)
# Append the existing principals (e.g. the first ADFS server) so they are kept, not replaced
$DNofprincipals += $adfsgmsaaccount.PrincipalsAllowedToRetrieveManagedPassword
Set-ADServiceAccount -Identity 'Service-adfs' -PrincipalsAllowedToRetrieveManagedPassword $DNofprincipals
Check the permission status again (the change might take some time to replicate):
Get-ADServiceAccount Service-adfs -Properties PrincipalsAllowedToRetrieveManagedPassword
The output should now include the ADFSserver02 DN. This fixes the issue, and the second ADFS server can be added without further errors.
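The checks above, combined into one pre-flight script that only adds the node when it is missing and also verifies the farm's host SPN and the node's ability to fetch the password. This is an added example, not code from the original post; the gMSA name Service-adfs and node name ADFSserver02 come from the page, while the farm name sts.contoso.com is a placeholder you must replace.

```powershell
# Added example (not from the original post): pre-flight check before adding an
# ADFS node that runs under a gMSA. Assumed values: gMSA 'Service-adfs', new node
# 'ADFSserver02', farm name 'sts.contoso.com' (placeholder). Needs the AD module.
Import-Module ActiveDirectory

$gmsaName  = 'Service-adfs'
$newServer = 'ADFSserver02'
$farmFqdn  = 'sts.contoso.com'   # placeholder: your federation service name

$gmsa = Get-ADServiceAccount -Identity $gmsaName `
    -Properties ServicePrincipalNames, PrincipalsAllowedToRetrieveManagedPassword

# 1. Does the account carry the host SPN for the farm? (same data as setspn -L)
$wantedSpn = "host/$farmFqdn"
if ($gmsa.ServicePrincipalNames -contains $wantedSpn) {
    Write-Host "OK: $wantedSpn is registered on $gmsaName"
} else {
    Write-Warning "Missing SPN $wantedSpn on $gmsaName; registered: $($gmsa.ServicePrincipalNames -join ', ')"
}

# 2. May the new node retrieve the managed password? Add it only if missing and
#    keep every principal already present (admin user, first node).
$newServerDn = (Get-ADComputer -Identity $newServer).DistinguishedName
$current     = @($gmsa.PrincipalsAllowedToRetrieveManagedPassword)
if ($current -contains $newServerDn) {
    Write-Host "OK: $newServer is already in PrincipalsAllowedToRetrieveManagedPassword"
} else {
    Set-ADServiceAccount -Identity $gmsaName `
        -PrincipalsAllowedToRetrieveManagedPassword ($current + $newServerDn)
    Write-Host "Added $newServer; wait for AD replication before retrying the ADFS wizard"
}

# 3. Only meaningful on the new node itself: can this computer fetch the password?
#    A False result right after the change usually means replication has not caught up.
if ($env:COMPUTERNAME -eq $newServer) {
    if (Test-ADServiceAccount -Identity $gmsaName) {
        Write-Host "OK: $env:COMPUTERNAME can retrieve the gMSA password"
    } else {
        Write-Warning "$env:COMPUTERNAME cannot retrieve the gMSA password yet"
    }
}
```

Run it from an account with rights to modify the gMSA; step 3 is skipped unless the script runs on the new node.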
This did not work for me. For those wishing to add a new computer to the PrincipalsAllowedToRetrieveManagedPassword property, this worked for me:
# $gMSAName and $Servers are not defined in the comment; the values below are assumed
$gMSAName = 'Service-adfs'
$Servers  = @('ADFSserver02$')   # new computer(s) to add, as sAMAccountName with the trailing $
$CurrentServers = Get-ADServiceAccount $gMSAName -Properties PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object -ExpandProperty PrincipalsAllowedToRetrieveManagedPassword
# Translate each existing DN into its sAMAccountName so all entries are passed in the same form
$List = foreach ($DN in $CurrentServers) {
    Get-ADComputer $DN | Select-Object -ExpandProperty SamAccountName
}
# Wrap both in @() so a single existing entry is not string-concatenated with the new list
$Principals = @($List) + @($Servers)
Set-ADServiceAccount "$gMSAName" -PrincipalsAllowedToRetrieveManagedPassword $Principals