‎03-20-2024 08:24 AM
Hi everyone,
We are testing a new GMSA account for a mid server service and a create new user in said domain flow is not completing after updating the credential in SN to use the mid server service account. I can run our password reset flow for the same domain and that works with the same GMSA account. GMSA account has same permissions in AD as previous account.
When running the flow, it gets to the create user activity and then stops before it gets to the PowerShell part of the action. Almost like it does not know what connection alias to use.
Do you all know if we need to update anything in SN after switching over to a GMSA account in SN other than the credential?
Attached a few images of flow, action and mid server script.
When we flip the account back to a standard domain account and update the credential to where we type out the password and UID the flow works.
Any assistance would be appreciated.
‎12-17-2024 12:25 PM
3 weeks ago
We opened a ticket with ServiceNow - V2 is not supported, however V1 is supported with gMSA - we are currently using gMSA in our instance using V1. We are hoping they make v2 compatible eventually.
3 weeks ago - last edited 3 weeks ago
Yeah, that would be nice. Are you just having the credential run as the MID Server account? Can't remember if I tried on the V1 or V2 spoke.
3 weeks ago
So what we did is installed the MID Server with the User/PW, and then stopped the services, changed it to the gMSA account using DOMAIN\gmsaacct$, and restarted the MID Server service.
Here is the basic setup we used and has been running for about 2 years now 🙂
Here is our connection Alias
Here is the gMSA Connection
Finally the windows credential
Hope this helps!
3 weeks ago
If I remember correctly, that is the same setup we had tried. Must have been on the V2 spoke.