
gMSA authentication with forest fails

Issue

When Windows nodes are configured to use gMSA authentication with a multi-domain forest, authentication fails consistently. With a single-domain Active Directory, authentication works as expected.

Prerequisites

This issue applies only to those customers who wish to join Windows worker nodes using gMSA authentication.

Step-by-step instructions can be found in Create a Container with Active Directory Support.

Root Cause

The setup script needs to be adjusted to work with a forest instead of a single domain.

A fix has been submitted for this: Fixed forest/domain name configuration in CredSpec #711

Resolution

Use the fixed version of CredentialSpec.psm1 instead.