Facing issue while using gMSA in AD integration with ISC

Hi Team,

We are trying to integrate AD with ISC using a gMSA service account and the TLS option.

We followed all the prerequisites and permission options, but we are facing the below error while testing the connection.

Has anyone implemented the gMSA approach successfully?

We have detected an error from the managed system.

Error Received:

Detected password less authentication, but failed to retrieve passwords with error: Exception occurred while executing the RPCRequest: Errors returned from IQService. Buffer cannot be null. Parameter name: buffer

Thank you!

Sailaja

Hi Sailaja,

This typically points to an authentication issue with the account used by the IQService or a configuration mismatch in SailPoint.
Verify the IQService account and check whether the password is the same or not.
Thanks,

Ankit

When the gMSA was created in AD, it would need to be given the server/machine which would have access to it. Make sure it was created correctly:

New-ADServiceAccount -Name <gMSAName> -DNSHostName <gMSAName>.<domain> -PrincipalsAllowedToRetrieveManagedPassword <SecurityGroup>

DNSHostName: this will be your IQService host.

Refer to: Create a gMSA

Also make sure of the below:

Thank you, yes, all details are configured as per the documentation.

Thank you. Yes, all are set as per the prerequisites.

Hi @prathisailaja, were you able to successfully complete this integration using the recommendations in this thread?

I'm exploring the idea of replacing a normal service account with a gMSA to remove the need to manually rotate passwords for our AD connections.

Also, did you enable TLS and port 636 for your connection?

I'll follow this thread to see if this worked for you and what your final configuration was.

Thanks!

@prathisailaja Please ensure that the IQService service properties are updated to use the gMSA account as the Log On user, that any existing password is removed, that the changes are saved successfully, and then restart the IQService.

@eabedrapo1 I am running into the same issue.
@sagar_kamalakar Yes, I validated that it is using the gMSA account as the logon user.

@Aayoush_Patel Double check with the AD team that they have created the gMSA user properly with the correct permissions as below:

Set-ADServiceAccount -Identity <gMSA-sAMAccountName> -PrincipalsAllowedToRetrieveManagedPassword "<IQService LogOn User>"

Yes, we already ran this command and validated that it has the correct permissions.

@Aayoush_Patel We configured this successfully in one of our implementations a few months back. Can you double check a few things in the application source, inside the domain settings? Note: first check whether it is working with the non-SSL port 389.

"enablePasswordLessAuthenticationForDomain": true,
"useSSL": false,
"user": "<abc@domain>"

@sagar_kamalakar Can you please share your configuration? I'm also setting up a gMSA account and facing the same error. I checked the domain settings and it is set to SASL and port 389.

@prathisailaja were you able to find a solution?

If we use the gMSA account as the LogOn user, can we not run the PowerShell scripts? Have you tried this?

Hi @prathisailaja,

I had the same problem, and the solution was to configure my own gMSA account as PrincipalsAllowedToRetrieveManagedPassword:

Set-ADServiceAccount -Identity GMSA_Account$ -PrincipalsAllowedToRetrieveManagedPassword GMSA_Account$

Support Articles - IQService test connection fails with "Error: Buffer cannot be null"
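The checks the thread converges on (who may retrieve the managed password, whether the IQService host can actually retrieve it, and which account the service logs on as) can be run together from the IQService host. The script below is an added example, not code from the thread or from SailPoint; the gMSA name `GMSA_Account$` and the Windows service name `IQService` are placeholders you must replace, and it assumes the ActiveDirectory RSAT module is installed and the session is elevated.

```powershell
# Added example: verify the gMSA prerequisites for IQService on the IQService host.
# Placeholders (assumptions, not from the thread's environment):
$gmsaName    = 'GMSA_Account$'   # sAMAccountName of the gMSA, trailing $ included
$serviceName = 'IQService'       # Windows service name; check services.msc for your install

Import-Module ActiveDirectory

# 1. Who is allowed to retrieve the managed password? Expect the IQService host's computer
#    account (or a group containing it) and, per the last reply, the gMSA itself.
$gmsa = Get-ADServiceAccount -Identity $gmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword
$principals = @($gmsa.PrincipalsAllowedToRetrieveManagedPassword)
Write-Host 'PrincipalsAllowedToRetrieveManagedPassword:'
$principals | ForEach-Object { Write-Host "  $_" }

$thisHost   = Get-ADComputer -Identity $env:COMPUTERNAME
$hostListed = $principals -contains $thisHost.DistinguishedName

# A group entry counts if this computer is a (nested) member of it.
$groupListed = $false
foreach ($dn in $principals) {
    $obj = Get-ADObject -Identity $dn -Properties objectClass
    if ($obj.objectClass -contains 'group') {
        $members = Get-ADGroupMember -Identity $dn -Recursive |
                   Select-Object -ExpandProperty DistinguishedName
        if ($members -contains $thisHost.DistinguishedName) { $groupListed = $true }
    }
}
$selfListed = $principals -contains $gmsa.DistinguishedName

Write-Host ("Host computer account listed directly : {0}" -f $hostListed)
Write-Host ("Host listed via group membership       : {0}" -f $groupListed)
Write-Host ("gMSA listed as its own principal       : {0}" -f $selfListed)

# 2. Can this host retrieve and use the managed password right now?
#    A False here is the local symptom behind a 'failed to retrieve passwords' error.
$canRetrieve = Test-ADServiceAccount -Identity $gmsaName
Write-Host ("Test-ADServiceAccount on this host      : {0}" -f $canRetrieve)

# 3. Is the IQService service actually configured to log on as the gMSA?
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$serviceName'"
if ($null -eq $svc) {
    Write-Host "Service '$serviceName' not found; adjust the placeholder service name."
} else {
    $expectedSuffix = '\' + $gmsaName
    $logonOk = $svc.StartName -like "*$expectedSuffix"
    Write-Host ("IQService logon account                : {0}" -f $svc.StartName)
    Write-Host ("Logon account is the gMSA              : {0}" -f $logonOk)
    Write-Host ("Service state                          : {0}" -f $svc.State)
}
```

If step 1 shows neither the host nor a containing group, fix it with the Set-ADServiceAccount command already quoted in the thread and re-run Test-ADServiceAccount; the host only picks up a changed PrincipalsAllowedToRetrieveManagedPassword after it can contact a writable domain controller, so a False immediately after the change can simply be replication lag. If step 3 shows a non-gMSA StartName, the service is still running under the old account regardless of what the source configuration says.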