Skip Ribbon Commands
Skip to main content

Ondrej Sevecek's English Pages

:

Engineering and troubleshooting by Directory Master!
MCM: Directory

Quick Launch

Ondrej Sevecek's English Pages > Posts > Cannot install group managed service account - unspecified error
November 23
Cannot install group managed service account - unspecified error

If you try to install a group managed service account (gMSA) on a server by using the Install-ADServiceAccount cmdlet you may receive an error message saying:

Cannot install service account. An unspecified error has occured

 

This may happen if you didn't create the group managed service account by using the parameter -KerberosEncryptionType with value of AES128 or AES256. The Kerberos etype parameter is not mandatory and need not to be specified if you do not restrict possible Kerberos etypes on the server. But if the server, which you plan to install the service account on, restricts Kerberos encryption types to AES only, you have to configure the encryption types on the gMSA as well.

If you want to check if your server restricts the available Kerberos etypes, you can check the following local security policy value:

Security settings - Local Policies - Security Options
    Network Security: Configure encryption types allowed for Kerberos

 

If you see that only AES encryption types are allowed in the server's policy, you must use the -KerberosEncryptionType parameter and specify either the AES128 or the AES256.

Comments

You saved my day

I got this error no matter what I tried (almost all possible solutions I found on Internet). This tip did the trick. Thank you very much.
 on 10/03/2018 13:44

Add Comment

Title


You do not need to provide any value this column. It will automatically fill with the name of the article itself.

Author *


Body *


Type the year of the start of the WW1 *


This simple antispam field seems to work well. Just put here the number.

Attachments