Issue
When Windows nodes are configured to use gMSA authentication in a multi-domain forest, authentication fails consistently. With a single-domain Active Directory, authentication works as expected.
Prerequisites
This issue applies only to those customers who wish to join Windows worker nodes using gMSA authentication.
Step-by-step instructions can be found in Create a Container with Active Directory Support.
Root Cause
The setup script needs to be adjusted to work with a forest instead of a single domain.
A fix has been submitted for this: Fixed forest/domain name configuration in CredSpec #711
Resolution
Use the fixed version of CredentialSpec.psm1 instead.