Failed to Start Norskale Infrastructure Service by Using gMSA Account Due to Error 1069

One of the benefits of a gMSA (group Managed Service Account) is that domain administrators no longer need to schedule password changes or plan service outages around them; the domain controller rotates the password and authorized hosts retrieve it automatically.

To use a gMSA account with Workspace Environment Management, the configuration of the gMSA account for the Norskale Broker is described in the Citrix documentation:

https://docs.citrix.com/en-us/workspace-environment-management/current-release/install-and-configure/infrastructure-services.html#group-managed-service-account

However, a few additional settings are required for the gMSA account to work as expected; if they are missing, the Norskale Infrastructure Service fails to start with error 1069 (the service did not start due to a logon failure).

1. Make sure the configured gMSA account has been granted the “Log on as a Service” user right on the WEM server.

Open Local Security Policy > Security Settings > Local Policies > User Rights Assignment > Log on as a service, and verify that the gMSA account is listed there.

2. Allow the WEM servers to retrieve the password of the gMSA account from AD by setting the allowed principals (the computer accounts of the WEM servers, written with a trailing $):

Set-ADServiceAccount [-Identity] ITFarm1 -PrincipalsAllowedToRetrieveManagedPassword Host1$,Host2$,Host3$

Example:

Set-ADServiceAccount -Identity TestGMSA -PrincipalsAllowedToRetrieveManagedPassword W2K19TEST

Additionally, uncheck the setting “Enable Windows account impersonation” in the WEM Infrastructure Service Configuration utility:

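The following PowerShell script is an added example, not part of the Citrix article, that verifies steps 1 and 2 above on the WEM server before the service is started: it checks that the host is allowed to retrieve the gMSA password (Test-ADServiceAccount and the PrincipalsAllowedToRetrieveManagedPassword attribute), that the gMSA holds the “Log on as a service” right (SeServiceLogonRight in a secedit export), and which account the Norskale service is currently configured to log on as. It assumes the ActiveDirectory RSAT module is installed, that the script runs elevated (secedit requires it), and that the gMSA name TestGMSA is replaced with your own; the service is located by its display name prefix “Norskale” because the internal service name is not stated in the article.

```powershell
# Added example (not from the Citrix article): pre-flight checks for the gMSA
# prerequisites described above. Run elevated on the WEM infrastructure server.
param(
    [string]$GmsaName = 'TestGMSA',        # gMSA from the article's example; replace with yours
    [string]$WemHost  = $env:COMPUTERNAME  # computer that will run the Norskale service
)

Import-Module ActiveDirectory -ErrorAction Stop

# Resolve the gMSA and the WEM host computer object in AD.
$gmsa   = Get-ADServiceAccount -Identity $GmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword
$hostDn = (Get-ADComputer -Identity $WemHost).DistinguishedName

# Step 2 check: is this host (directly) among the principals allowed to retrieve the password?
# Note: the attribute may list a group instead of the host, so also rely on Test-ADServiceAccount.
$listedDirectly = $gmsa.PrincipalsAllowedToRetrieveManagedPassword -contains $hostDn
$canRetrieve    = Test-ADServiceAccount -Identity $GmsaName   # $true only if this host can fetch the password

# Step 1 check: export the local user-rights assignments and look for the gMSA in SeServiceLogonRight.
# secedit writes entries either as *SID or as DOMAIN\name, so both forms are compared.
$cfg = Join-Path $env:TEMP 'wem-user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$rightLine = Get-Content -Path $cfg | Where-Object { $_ -match '^SeServiceLogonRight\s*=' }
Remove-Item -Path $cfg -ErrorAction SilentlyContinue

$hasLogonAsService = $false
if ($rightLine) {
    $entries = ($rightLine -split '=', 2)[1] -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') }
    $domainName = (Get-ADDomain).NetBIOSName
    $hasLogonAsService = ($entries -contains $gmsa.SID.Value) -or
                         ($entries -contains "$domainName\$($gmsa.SamAccountName)")
}

# Informational: which account is the Norskale service configured to log on as?
# Expected value after following the article: DOMAIN\TestGMSA$ (gMSA SamAccountName ends with $).
$svc = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.DisplayName -like 'Norskale*' } |
    Select-Object -First 1

[PSCustomObject]@{
    Gmsa                         = $gmsa.SamAccountName
    HostListedAsAllowedPrincipal = $listedDirectly
    HostCanRetrievePassword      = $canRetrieve
    HasLogOnAsServiceRight       = $hasLogonAsService
    ServiceName                  = $svc.Name
    ServiceLogOnAccount          = $svc.StartName
    ServiceState                 = $svc.State
}
```

If HostCanRetrievePassword is $false, re-run the Set-ADServiceAccount command from step 2 and allow for AD replication; if HasLogOnAsServiceRight is $false, add the gMSA under “Log on as a service” (step 1). Either condition missing is enough to produce error 1069 at service start.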
