Issues in setting up ServiceNow discovery using gMSA

Ashok Sasidhara
Tera Sage

We have followed the steps mentioned in the article below to set up gMSA:

https://www.servicenow.com/community/itom-articles/discovery-how-to-use-a-group-managed-service-acco...

But when we enter the credentials and test them, we are getting an authentication error. We have checked with the network team, who confirmed that the ports are open and that firewalls are not blocking connectivity from the MID server to the target devices. If anyone has successfully implemented gMSA, can you please provide inputs on whether anything else needs to be done apart from what is mentioned in the article above?


Note: We need to use it along with JEA and so the protocol used will be WinRM and ports will be 5985 & 5986.


AJ-TechTrek
Giga Sage

Hi @Ashok Sasidhara ,


Please refer to the points below; they might be helpful for you.


1. Double-check prerequisites
* MID Server must be on Windows Server 2012 or later (better: 2016+).
* MID Server machine must:
  * Be joined to the same domain where the gMSA is created.
  * Have the Active Directory PowerShell module installed.
* The gMSA account must:
  * Have the Allowed to authenticate permission on the target servers.
  * Be added to the local Administrators group on the target machines (since JEA is also in scope, see next point).
* The gMSA must be granted the required permissions in the JEA endpoint.


2. Configure the gMSA on the MID server
* Ensure the gMSA is installed locally:
  Install-ADServiceAccount -Identity <gMSA name>
* Confirm installation:
  Test-ADServiceAccount -Identity <gMSA name>
* The MID Server service must be configured to run as the gMSA:
  * Go to services.msc → find the MID Server service → set the Log On account as:
    domain\gmsa_name$
  * Important: Do NOT enter a password; leave the password blank.


3. JEA configuration check
* Ensure the gMSA is allowed in the JEA session configuration:
  * The gMSA should be included in the security group that is permitted to use the JEA endpoint.
* Validate the PowerShell session endpoint:
  Get-PSSessionConfiguration
* Confirm that the endpoint allows your gMSA.


4. WinRM configuration
* On the target servers, ensure the WinRM listener is configured properly:
  winrm quickconfig
* Ensure the HTTPS listener (5986) is enabled if you plan to use SSL.
* Verify the WinRM service is running:
  Get-Service WinRM
* Check trusted hosts if you’re not using certificates.


5. Credential test
* Instead of testing from Discovery directly, try testing from the MID Server host:
  Enter-PSSession -ComputerName <target server> -ConfigurationName <JEA endpoint> -Credential <domain\gmsa_name$>
* If it fails: check the error for a clue (auth failure, missing rights, etc.).


6. In ServiceNow
* When you create the credential in ServiceNow:
  * Use the domain\gmsa_name$ format.
  * No password is needed, because the MID Server is running as the gMSA.
  * Make sure the credential type is set correctly to Windows (WinRM).


7. MID Server permissions
* The MID Server computer account must have:
  * Permission to retrieve the gMSA password.
  * Check Get-ADServiceAccount permissions.


8. Troubleshooting tips
* Enable verbose logging on the MID Server:
  * Edit agent/conf/logging.xml and increase the Discovery log level to DEBUG.
* Use Test Connection in the ServiceNow Discovery credentials screen.
* Review wrapper.log on the MID Server for more details.


Common missed points:
1. gMSA must be installed locally on the MID Server.
2. MID Server service must run as the gMSA.
3. gMSA must have Allowed to authenticate on targets.
4. Proper WinRM configuration & firewall exceptions.
5. MID Server must be in the correct AD security group to fetch the gMSA password.


Please appreciate the efforts of community contributors by marking the appropriate response as Helpful or Accept Solution; this may help other community users follow the correct solution in future.
Thank You
AJ - TechTrek with AJ
LinkedIn:- https://www.linkedin.com/in/ajay-kumar-66a91385/
YouTube:- https://www.youtube.com/@learnitomwithaj
ServiceNow Community MVP 2025
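The checks in the reply above (gMSA installed locally, MID Server computer allowed to retrieve the managed password, service logon account, WinRM listeners, JEA endpoint accepting the caller) can be run as one preflight script on the MID Server host. The script below is an added example, not code from the reply's author or from ServiceNow. The gMSA name `svc_mid$`, the service name `snc_mid`, the JEA endpoint `DiscoveryJEA` and the target host `target01.corp.example` are placeholders. Because a gMSA's password is managed by AD and never typed, the remote part of the test uses the identity of the process it runs in, so run it elevated from a process started as the gMSA (for example a scheduled task set to run as `domain\svc_mid$`); no `-Credential` is passed.

```powershell
# Added example (not from the post): preflight checks for a gMSA-based MID Server.
# Placeholders: gMSA 'svc_mid$', MID Server service 'snc_mid', JEA endpoint
# 'DiscoveryJEA', target 'target01.corp.example'. Run elevated, as the gMSA.
param(
    [string]$GmsaName    = 'svc_mid$',
    [string]$ServiceName = 'snc_mid',
    [string]$JeaEndpoint = 'DiscoveryJEA',
    [string]$Target      = 'target01.corp.example'
)

$results   = [ordered]@{}
$gmsaShort = $GmsaName.TrimEnd('$')          # AD cmdlets take the name without '$'
$me        = $env:COMPUTERNAME + '$'        # this computer's sAMAccountName

# 1. AD module present and gMSA usable here. Test-ADServiceAccount is $true only
#    when this host can actually retrieve the managed password from AD.
Import-Module ActiveDirectory -ErrorAction Stop
$results['gMSA installed locally'] = [bool](Test-ADServiceAccount -Identity $gmsaShort)

# 2. Is this computer (directly or via a group) allowed to retrieve the password?
$acct = Get-ADServiceAccount -Identity $gmsaShort -Properties PrincipalsAllowedToRetrieveManagedPassword
$allowed = foreach ($dn in $acct.PrincipalsAllowedToRetrieveManagedPassword) {
    $obj = Get-ADObject -Identity $dn
    if ($obj.ObjectClass -eq 'group') {
        (Get-ADGroupMember -Identity $dn -Recursive).SamAccountName
    } else {
        (Get-ADComputer -Identity $dn -ErrorAction SilentlyContinue).SamAccountName
    }
}
$results['MID computer may retrieve gMSA password'] = ($allowed -contains $me)

# 3. MID Server service logs on as DOMAIN\svc_mid$ (no stored password).
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
$results['MID service runs as gMSA'] = ($null -ne $svc) -and ($svc.StartName -like "*\$GmsaName")

# 4. Local WinRM service and listeners (5985 = HTTP, 5986 = HTTPS).
$results['WinRM service running'] = ((Get-Service WinRM).Status -eq 'Running')
$transports = Get-ChildItem WSMan:\localhost\Listener | ForEach-Object {
    (Get-ChildItem $_.PSPath | Where-Object Name -eq 'Transport').Value
}
$results['HTTPS listener present locally'] = ($transports -contains 'HTTPS')

# 5. Target reachable over WS-Man, and the JEA endpoint admits the current identity.
#    Get-Command is allowed in every JEA session and lists what the endpoint exposes.
$results['WS-Man reachable on target'] = [bool](Test-WSMan -ComputerName $Target -ErrorAction SilentlyContinue)
try {
    $exposed = Invoke-Command -ComputerName $Target -ConfigurationName $JeaEndpoint `
                              -ScriptBlock { Get-Command } -ErrorAction Stop
    $results['JEA endpoint accepts caller'] = ($exposed.Count -gt 0)
    $results['JEA endpoint exposes commands'] = ($exposed.Name -join ', ')
} catch {
    # Access denied here usually means the gMSA is not in the role/group mapped
    # in the endpoint's RoleDefinitions, or lacks Allowed to authenticate.
    $results['JEA endpoint accepts caller'] = $false
    $results['JEA error'] = $_.Exception.Message
}

# Report: PASS/FAIL per boolean check, raw value otherwise.
foreach ($entry in $results.GetEnumerator()) {
    $state = if ($entry.Value -is [bool]) { if ($entry.Value) { 'PASS' } else { 'FAIL' } } else { 'INFO' }
    '{0,-4} {1}: {2}' -f $state, $entry.Key, $entry.Value
}
```

A FAIL on check 2 with a PASS on check 1 is unusual and normally means the membership was cached before the computer was added to the group; a reboot of the MID Server refreshes the computer's Kerberos ticket. A FAIL on check 5 with WS-Man reachable points at the JEA role mapping or the Allowed to authenticate setting rather than at the network, which matches the reply's ordering of where to look.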