Usage of -ServicePrincipalNames when creating a gMSA account


  • This question is based on the below article,


    As per the example, the usage for gMSA accounts looks like the below:
    New-ADServiceAccount gMSAsqlservice -ServicePrincipalNames @{Add='MSSQLSvc/sqlserver.xxxxxxx.com:GMSA','MSSQLSvc/sqlserver.xxxxxxx.com:<port#>'} -DNSHostName gMSAsqlservice.xxxxxxx.com -PrincipalsAllowedToRetrieveManaged SQL_gMSA_group

    We always get the below error,

    New-ADServiceAccount : The name reference is invalid
    At line:1 char:1
    + New-ADServiceAccount gMSAsqlservice -ServicePrincipalNames @{Add="MSSQLSvc/sql ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (CN=gMSAsqlservice,CN=Man...=xxxxxxx,DC=com:String) [New-ADServiceAccount], ADException
        + FullyQualifiedErrorId : ActiveDirectoryServer:8373,Microsoft.ActiveDirectory.Management.Commands.NewADServiceAccount

    I was able to fix the issue using the below format. Not sure if the approach was correct, but the SPNs did get auto-registered in SQL Server.

    New-ADServiceAccount gMSAsqlservice -ServicePrincipalNames ("MSSQLSvc/sqlserver.xxxxxxx.com:GMSA","MSSQLSvc/sqlserver.xxxxxxx.com:<port#>") -DNSHostName gMSAsqlservice.xxxxxxx.com -PrincipalsAllowedToRetrieveManaged SQL_gMSA_group

    Questions:
    1> Which is the correct syntax to create a gMSA using -ServicePrincipalNames?
    2> In the above example I have just used one server's SPNs [i.e., sqlserver]. But when we have several servers added to the gMSA security group, how do we use -ServicePrincipalNames?

    I feel we need to have more elaborate explanations to the -ServicePrincipalNames.

    Saturday, September 8, 2018 9:09 AM

All replies

  • The docs are wrong.  "New SP" uses a string array.  "Set SP" uses a hash.


    Saturday, September 8, 2018 5:44 PM
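The distinction in the reply above, as an added example that is not part of this thread: New-ADServiceAccount takes -ServicePrincipalNames as a plain string array, while Set-ADServiceAccount takes the @{Add=...; Remove=...; Replace=...} hashtable, which is how you append SPNs for additional SQL hosts later (question 2). The domain corp.example.com, the hosts sql01/sql02/sql03, port 1433 and a default instance are placeholders; the only facts carried over from the thread are the account name gMSAsqlservice and the group SQL_gMSA_group. The duplicate-SPN check is added because an SPN registered on two accounts breaks Kerberos for that service.

```powershell
# Added example, not from the thread. Placeholders: corp.example.com, sql01..sql03, port 1433.
Import-Module ActiveDirectory

$Domain    = 'corp.example.com'
$Account   = 'gMSAsqlservice'
$HostGroup = 'SQL_gMSA_group'     # computer accounts of the SQL hosts
$SqlHosts  = @('sql01', 'sql02')
$SqlPort   = 1433

# One instance SPN and one port SPN per host (default-instance layout assumed).
function Get-SqlSpns {
    param([string[]]$Hosts, [string]$Domain, [int]$Port)
    foreach ($h in $Hosts) {
        "MSSQLSvc/$h.$Domain"
        "MSSQLSvc/$h.$Domain`:$Port"
    }
}
$Spns = Get-SqlSpns -Hosts $SqlHosts -Domain $Domain -Port $SqlPort

# Safety check: an SPN must be unique in the forest. If it is already on another
# account the KDC cannot choose a service key, Kerberos fails and clients either
# fall back to NTLM or get "KDC_ERR_S_PRINCIPAL_UNKNOWN"-style errors. Abort early.
foreach ($spn in $Spns) {
    $owner = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName
    if ($owner -and $owner.Name -ne $Account) {
        throw "SPN $spn is already registered on $($owner.DistinguishedName)"
    }
}

# 1) Create. -ServicePrincipalNames here is string[]; passing a hashtable is
#    what produces "The name reference is invalid" in the question.
#    AES-only Kerberos keys avoid RC4 tickets being issued for the service.
New-ADServiceAccount -Name $Account `
    -DNSHostName "$Account.$Domain" `
    -ServicePrincipalNames $Spns `
    -PrincipalsAllowedToRetrieveManagedPassword $HostGroup `
    -KerberosEncryptionType AES128, AES256

# 2) Extend later. Set-ADServiceAccount is the cmdlet that takes the hashtable:
#    Add / Remove / Replace. Used when a third SQL host joins the group.
$NewHost = 'sql03'
Set-ADServiceAccount -Identity $Account -ServicePrincipalNames @{
    Add = "MSSQLSvc/$NewHost.$Domain", "MSSQLSvc/$NewHost.$Domain`:$SqlPort"
}

# 3) Verify what AD now holds for the account.
Get-ADServiceAccount -Identity $Account `
    -Properties ServicePrincipalNames, PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, ServicePrincipalNames, PrincipalsAllowedToRetrieveManagedPassword

# On each SQL host, once it is a member of SQL_gMSA_group and has rebooted so its
# machine ticket carries the new group membership:
#   Install-ADServiceAccount -Identity gMSAsqlservice
#   Test-ADServiceAccount -Identity gMSAsqlservice   # True when the host can retrieve the password
```

If New-ADServiceAccount fails with a "key does not exist" error rather than the name-reference error, the domain has no KDS root key yet (Add-KdsRootKey); that is a prerequisite for any gMSA and unrelated to the SPN syntax. Because every SQL host runs the service under the same gMSA, all of their SPNs sit on that one account; what must not happen is the same SPN also remaining on an old service account or on the host's computer object, which the check above catches.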
  • Hi,

    Thanks for your question.

    I agree with jrv's reply. Thanks for sharing about this problem. 

    Best Regards,


    Just do it.

    Monday, September 10, 2018 7:06 AM
  • Hi JRV and Lee,

    I am not a developer, and I was not able to find documentation on Set SP. Can you please help me with how we can change the below query?

    New-ADServiceAccount gMSAsqlservice -ServicePrincipalNames @{Add='MSSQLSvc/sqlserver.xxxxxxx.com:GMSA','MSSQLSvc/sqlserver.xxxxxxx.com:<port#>'} -DNSHostName gMSAsqlservice.xxxxxxx.com -PrincipalsAllowedToRetrieveManaged SQL_gMSA_group

    Monday, September 10, 2018 11:12 AM
  • A simple search finds this.


    You cannot use a hash with this command, as I noted before. It only accepts an array of strings. Please read the help for the command carefully.


    • Edited by jrv Monday, September 10, 2018 11:19 AM
    Monday, September 10, 2018 11:17 AM
  • Hi,

    Just checking in to see if the information provided was helpful. 
    Please let us know if you would like further assistance.

    Best Regards,

    Just do it.

    Friday, September 14, 2018 8:40 AM