SQL SERVER – gMSA: The Service Did Not Start Due to a Logon Failure

This is one of the most common errors which is seen my most DBA when they are using a domain account as the service account. In this blog, we would learn about the cause and solution of error The service did not start due to a logon failure while using gMSA.

Log Name: System
Source: Service Control Manager
Event ID: 7000
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: node1.sqlauthority.com
Description:
The SQL Server (MSSQLSERVER) service failed to start due to the following error:
The service did not start due to a logon failure.

SQL SERVER - gMSA: The Service Did Not Start Due to a Logon Failure gmsa-01

Some of you might run into the same error where the password is really expired. I have blogged about that earlier.

SQL SERVER – Event ID 7000 – The service did not start due to a logon failure

SQL SERVER – FIX – ERROR – Service Logon Failure (ObjectExplorer)

Interestingly, this time the situation was little different. My client was using group managed service account (gMSA) for SQL Server service account. In such account, the password is auto-managed by the domain controller. Here are some documentation which talks about how to configure it

SQL Server 2014; Click here and check “Group Managed Service Accounts”.

SQL Server 2016; Click here and see the section under “Managed Service Accounts, Group Managed Service Accounts, and Virtual Accounts.”

While using gMSA, you don’t provide a password in configuration manager so earlier blogs won’t help.

WORKAROUND/SOLUTION

When we setup gMSA, you need to allow machines to retrieve the latest password from the domain controller. This setting is called “PrincipalsAllowedToRetrieveManagedPassword”. My client had two nodes AlwaysOn availability group. Here are the commands we have to execute in PowerShell on the domain controller.

Import-Module ActiveDirectory
Set-ADServiceAccount -Identity sqlsvcacct -PrincipalsAllowedToRetrieveManagedPassword Node1$
Set-ADServiceAccount -Identity sqlsvcacct -PrincipalsAllowedToRetrieveManagedPassword Node2$

After running above command, we were able to start SQL Service on both the nodes.

Reference: Pinal Dave (https://blog.sqlauthority.com)

, , , ,
Previous Post
SQL SERVER – Database Mail Error: The SMTP Server Requires a Secure Connection or the Client was not Authenticated. The Server Response Was: 5.5.1
Next Post
New Trends and Challenges in Database Administration

Related Posts

3 Comments. Leave new

  • The commands in the workaround are incorrect. The second Set-ADServiceAccount command will overwrite the first and only one machine will have access. (I speak from experience.) Instead, put both (all) machines in one command separated by commas: Set-ADServiceAccount -Identity sqlsvcacct -PrincipalsAllowedToRetrieveManagedPassword Node1$, Nodes$

    Reply
  • I came here to say that.
    Guideness is wrong. Either set a security group, make SQL nodes member of it, and set this group as principalsAllowedToRetrieveManagedPaswords
    Or specify each computer object comma separated as seem above.

    Note that using security groups, would require nodes to be restarted to obtain membership status in the group.

    Reply
  • I believe this solution is not correct. You will setPrincipalsAllowedToRetrieveManagedPassword with node2$ only!! Its better todo: -PrincipalsAllowedToRetrieveManagedPassword node1$, node2$

    Reply

Leave a Reply

Menu