How can I run an AGPM Service with a MSA account? (Windows 2008R2 domain and forest functional level)

    Question

  • I searched the Internet and it seems that I'm not the only one who has trouble installing this service with an MSA account.

    I have installed an MSA account 'AGPM1svc' in an AD with Windows 2008R2 domain and functional level. This account will be used only on one single server. I ran the necessary PowerShell commands.

    As a test I ran this PS command on the server where AGPM server is installed:

    Test-ADServiceAccount agpm1svc  -> Result= True

    I have added "AGPM1svc" to the correct AD groups, "Backup Operators" and "Group Policy Creator Owners".

    I gave the account full control of the archive folder and temp folder on the AGPM server.

    But when I try to start the AGPM service I get this error in event viewer:

    "Service cannot be started. Microsoft.Agpm.AgpmException: Service startup was aborted because no matching SPN was found registered for the service account: CN=AGPM1svc,CN=Managed Service Accounts,DC=ki,DC=com

       at Microsoft.Agpm.Spn.Verify()

       at Microsoft.Agpm.AgpmServerHost.Start()

       at Microsoft.Agpm.AgpmService.OnStart(String[] args)

       at System.ServiceProcess.ServiceBase.ServiceQueuedMainCallback(Object state)"

    Is it possible to use MSA accounts on an AGPM service?

    Can someone help me with this?

    Thanks


    • Edited by SIGI EMEA Monday, April 25, 2016 11:58 AM
    Monday, April 25, 2016 11:39 AM

Answers

  • On 25.04.2016 at 13:39, SIGI EMEA wrote:
    > /"Service cannot be started. Microsoft.Agpm.AgpmException: Service
    > startup was aborted because no matching SPN was found registered for the
    > service account: CN=AGPM1svc,CN=Managed Service Accounts,DC=ki,DC=com/
     
    Assuming that this is the right account, you might check which SPNs it
    has registered and compare that to a "normal" user account.
     
    setspn.exe can assist if you do not want to edit attributes directly :)
     
    • Marked as answer by SIGI EMEA Monday, April 25, 2016 1:51 PM
    Monday, April 25, 2016 12:43 PM
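
The comparison suggested in this answer, as an added PowerShell example that is not part of the original thread: it reads the `servicePrincipalName` attribute of the MSA and of a reference user account and lists the SPNs the MSA lacks. The reference account name `agpm-ref-user` is a hypothetical placeholder, and the ActiveDirectory module (RSAT) is assumed to be installed.

```powershell
# Added example: read-only SPN comparison, nothing in AD is modified.
Import-Module ActiveDirectory

$msaName = 'AGPM1svc'        # MSA named in the question
$refName = 'agpm-ref-user'   # hypothetical: a normal user account to compare against

function Get-SpnList($adObject) {
    # The attribute can be empty; drop null entries so callers get a clean list.
    $adObject.servicePrincipalName | Where-Object { $_ }
}

$msa = Get-ADServiceAccount -Identity $msaName -Properties servicePrincipalName
$ref = Get-ADUser           -Identity $refName -Properties servicePrincipalName

# @() forces an array even when the account has zero or one SPN.
$msaSpns = @(Get-SpnList $msa)
$refSpns = @(Get-SpnList $ref)

foreach ($pair in @(@{ Name = $msa.DistinguishedName; Spns = $msaSpns },
                    @{ Name = $ref.DistinguishedName; Spns = $refSpns })) {
    "SPNs on $($pair.Name):"
    if ($pair.Spns.Count -eq 0) { '  (none registered)' }
    else { $pair.Spns | ForEach-Object { "  $_" } }
}

# SPNs on the reference account with no match on the MSA
# (-notcontains compares strings case-insensitively).
$missing = @($refSpns | Where-Object { $msaSpns -notcontains $_ })
if ($missing.Count -eq 0) {
    'The MSA already carries every SPN registered on the reference account.'
} else {
    'SPNs registered on the reference account but missing on the MSA:'
    $missing | ForEach-Object { "  $_" }
}

# Cross-check with the tool named in the answer (an MSA's sAMAccountName ends in "$").
setspn.exe -L $msa.SamAccountName
```

An SPN has to be unique in the forest, so an SPN found on the reference account must be removed there before it is registered on the MSA; `setspn -S` checks for duplicates before adding.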

All replies

  • Hi,
     
    On 25.04.2016 at 13:39, SIGI EMEA wrote:
    > I did a search on Internet and it seems that I'm not the only that have
    > some troubles to install this service with a MSA account.
     
    Take a look at:
     
    Mark
     
    --
    Mark Heitbrink - MVP Windows Server - Group Policy
     
    GPO Tool: http://www.reg2xml.com - Registry Export File Converter
     
    Monday, April 25, 2016 1:46 PM
  • Thanks Martin. Problem is fixed.

    That was what I needed. I compared both accounts and saw that the SPN was missing on the MSA account.

    Monday, April 25, 2016 1:50 PM