Usage of -ServicePrincipalNames when creating a gMSA account

  • Question

  • This question is based on the below article,

    https://docs.microsoft.com/en-us/powershell/module/addsadministration/new-adserviceaccount?view=win10-ps

    As per the example the usage will look like below for gMSA accounts,
    New-ADServiceAccount gMSAsqlservice -ServicePrincipalNames @{Add='MSSQLSvc/sqlserver.xxxxxxx.com:GMSA','MSSQLSvc/sqlserver.xxxxxxx.com:<port#>'} -DNSHostName gMSAsqlservice.xxxxxxx.com -PrincipalsAllowedToRetrieveManaged SQL_gMSA_group

    We always get the below error,

    New-ADServiceAccount : The name reference is invalid
    At line:1 char:1
    + New-ADServiceAccount gMSAsqlservice -ServicePrincipalNames @{Add="MSSQLSvc/sql ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (CN=gMSAsqlservice,CN=Man...=xxxxxxx,DC=com:String) [New-ADServiceAccount], ADException
        + FullyQualifiedErrorId : ActiveDirectoryServer:8373,Microsoft.ActiveDirectory.Management.Commands.NewADServiceAccount

    I was able to fix the issue using the below format. Not sure if the approach was correct, but the SPNs did get auto-registered in SQL Server.

    New-ADServiceAccount gMSAsqlservice -ServicePrincipalNames ("MSSQLSvc/sqlserver.xxxxxxx.com:GMSA","MSSQLSvc/sqlserver.xxxxxxx.com:<port#>") -DNSHostName gMSAsqlservice.xxxxxxx.com -PrincipalsAllowedToRetrieveManaged SQL_gMSA_group
    Questions:

    1. Which is the correct syntax to create a gMSA using -ServicePrincipalNames?
    2. In the above example I have just used one server's SPNs (i.e., sqlserver). But when we have several servers added to the gMSA security group, how do we use -ServicePrincipalNames?

    I feel we need to have more elaborate explanations for the -ServicePrincipalNames parameter.

    Saturday, September 8, 2018 9:09 AM

All replies

  • The docs are wrong.  "New SP" uses a string array.  "Set SP" uses a hash.


    \_(ツ)_/

    Saturday, September 8, 2018 5:44 PM
  • Hi,

    Thanks for your question.

    I agree with jrv's reply. Thanks for sharing about this problem. 

    Best Regards,

    Lee


    Just do it.

    Monday, September 10, 2018 7:06 AM
  • Hi JRV and Lee,

    I am not a developer, and I was not able to find documentation on Set SP. Can you please help me with how we can change the below query?


    New-ADServiceAccount gMSAsqlservice -ServicePrincipalNames @{Add='MSSQLSvc/sqlserver.xxxxxxx.com:GMSA','MSSQLSvc/sqlserver.xxxxxxx.com:<port#>'} -DNSHostName gMSAsqlservice.xxxxxxx.com -PrincipalsAllowedToRetrieveManaged SQL_gMSA_group

    Thanks.
    Monday, September 10, 2018 11:12 AM
  • A simple search finds this.

    https://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spns-setspn-syntax-setspn-exe.aspx

    You cannot use a hash with this command, as I noted before.  It only accepts an array of strings. Please read the help for the command carefully.


    \_(ツ)_/


    • Edited by jrv Monday, September 10, 2018 11:19 AM
    Monday, September 10, 2018 11:17 AM
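The two replies above give the rule but not a worked command, and the original post's second question (several SQL hosts sharing one gMSA) is left open. The following PowerShell is an added example written for this page; it is not code from the thread, from the linked docs page, or from the linked setspn wiki. It assumes the domain xxxxxxx.com, the gMSA name gMSAsqlservice and the group SQL_gMSA_group from the post, plus hypothetical SQL host names sql01, sql02 and sql03 and port 1433. It shows the string-array form on New-ADServiceAccount, the Add hashtable form on Set-ADServiceAccount for hosts added later, and a duplicate-SPN check before registration, since a second account claiming the same SPN breaks Kerberos for both (setspn -X finds the same duplicates after the fact).

```powershell
# Added example, not from the original thread or the Microsoft docs page.
# Assumptions: domain xxxxxxx.com, gMSA 'gMSAsqlservice', group 'SQL_gMSA_group'
# already containing the SQL hosts' computer accounts, hypothetical hosts
# sql01/sql02/sql03, SQL port 1433. Requires the ActiveDirectory RSAT module,
# rights to create objects in the Managed Service Accounts container, and an
# existing KDS root key (Add-KdsRootKey) in the forest.
Import-Module ActiveDirectory

$domain   = 'xxxxxxx.com'
$gmsaName = 'gMSAsqlservice'
$sqlHosts = @('sql01', 'sql02')   # every host that will run SQL Server as this gMSA
$port     = 1433

# One host-only SPN and one host:port SPN per SQL host, for all hosts up front.
# ${domain} keeps PowerShell from reading "$domain:" as a drive-qualified variable.
$spns = foreach ($h in $sqlHosts) {
    "MSSQLSvc/$h.$domain"
    "MSSQLSvc/$h.${domain}:$port"
}

# Refuse to register an SPN that another account already owns. Kerberos cannot
# choose a key when two principals claim one SPN; the symptom is failed or
# NTLM-downgraded logons on the SQL host.
foreach ($spn in $spns) {
    $owner = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName
    if ($owner) { throw "SPN $spn is already registered on $($owner.DistinguishedName)" }
}

# Creation: -ServicePrincipalNames is a plain string array here, not a hashtable.
# The group given to -PrincipalsAllowedToRetrieveManagedPassword is the trust
# boundary: any member host can pull the gMSA password, so keep it to SQL hosts.
New-ADServiceAccount -Name $gmsaName `
    -DNSHostName "$gmsaName.$domain" `
    -ServicePrincipalNames $spns `
    -PrincipalsAllowedToRetrieveManagedPassword 'SQL_gMSA_group' `
    -KerberosEncryptionType 'AES128', 'AES256'

# Adding a host later: Set-ADServiceAccount is where the Add/Remove/Replace
# hashtable syntax from the docs applies.
$newHost = 'sql03'
Set-ADServiceAccount -Identity $gmsaName -ServicePrincipalNames @{
    Add = @("MSSQLSvc/$newHost.$domain", "MSSQLSvc/$newHost.${domain}:$port")
}

# Verify what AD actually stored on the account.
(Get-ADServiceAccount -Identity $gmsaName -Properties ServicePrincipalNames).ServicePrincipalNames

# On each SQL host, as a local administrator, once the host sees its new group
# membership (a reboot refreshes the computer's Kerberos ticket):
#   Install-ADServiceAccount -Identity gMSAsqlservice
#   Test-ADServiceAccount -Identity gMSAsqlservice   # True when the host can retrieve the password
```

Registering every host's SPNs on the one gMSA is the intended model: the SPN names the service instance (host and port), while the account that owns them is shared, so SQL Server on each host presents a ticket for its own MSSQLSvc/host SPN and decrypts it with the common gMSA key. Adding the new host to SQL_gMSA_group is a separate step from adding its SPNs; both are needed before Test-ADServiceAccount returns True on that host.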
  • Hi,

    Just checking in to see if the information provided was helpful. 
    Please let us know if you would like further assistance.

    Best Regards,
    Lee

    Just do it.

    Friday, September 14, 2018 8:40 AM