Configuring Database Mirror Endpoints using Group Managed Service Accounts (gMSA)

  • Has anyone configured gMSA to work with database mirroring?

    I'm seeing the following error in the logs for one of my servers. (I have modified some of the values so I can post this)
    Database Mirroring login attempt by user 'DOMAIN\gMSA$.' failed with error: 'Connection handshake failed. The login 'DOMAIN\gMSA$' does not have CONNECT permission on the endpoint. State 84.'.  [CLIENT: 1.1.1.1]

    I run the following check and I see the account has connect to the endpoint.


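    -- List the permissions granted or denied on each endpoint
    SELECT EP.name,
           SP.state AS STATE,
           CONVERT(nvarchar(38), SUSER_NAME(SP.grantor_principal_id)) AS GRANTOR,
           SP.type AS PERMISSION,
           CONVERT(nvarchar(46), SUSER_NAME(SP.grantee_principal_id)) AS GRANTEE
    FROM sys.server_permissions AS SP
    JOIN sys.endpoints AS EP
      ON SP.major_id = EP.endpoint_id
    WHERE SP.class = 105  -- endpoint-class permissions only, so major_id is an endpoint_id
    ORDER BY PERMISSION, GRANTOR, GRANTEE;
    GO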

    name                STATE  GRANTOR  PERMISSION  GRANTEE
    TSQL Local Machine  G      sa       CO          public
    TSQL Named Pipes    G      sa       CO          public
    TSQL Default TCP    G      sa       CO          public
    TSQL Default VIA    G      sa       CO          public
    mirror_endpoint     G      sa       CO          domain\sqlaccount
    mirror_endpoint     G      sa       CO          domain\gMSA$

    So since that account has connect I'm a little stumped on the next step to diagnose this. Has anyone worked with Group Managed Service Accounts and may know what the issue is?

  • eccentricDBA - Friday, November 30, 2018 8:49 AM

    Has anyone configured gMSA to work with database mirroring?

    I'm seeing the following error in the logs for one of my servers. (I have modified some of the values so I can post this)
    Database Mirroring login attempt by user 'DOMAIN\gMSA$.' failed with error: 'Connection handshake failed. The login 'DOMAIN\gMSA$' does not have CONNECT permission on the endpoint. State 84.'.  [CLIENT: 1.1.1.1]

    I run the following check and I see the account has connect to the endpoint.


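    -- List the permissions granted or denied on each endpoint
    SELECT EP.name,
           SP.state AS STATE,
           CONVERT(nvarchar(38), SUSER_NAME(SP.grantor_principal_id)) AS GRANTOR,
           SP.type AS PERMISSION,
           CONVERT(nvarchar(46), SUSER_NAME(SP.grantee_principal_id)) AS GRANTEE
    FROM sys.server_permissions AS SP
    JOIN sys.endpoints AS EP
      ON SP.major_id = EP.endpoint_id
    WHERE SP.class = 105  -- endpoint-class permissions only, so major_id is an endpoint_id
    ORDER BY PERMISSION, GRANTOR, GRANTEE;
    GO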

    name                STATE  GRANTOR  PERMISSION  GRANTEE
    TSQL Local Machine  G      sa       CO          public
    TSQL Named Pipes    G      sa       CO          public
    TSQL Default TCP    G      sa       CO          public
    TSQL Default VIA    G      sa       CO          public
    mirror_endpoint     G      sa       CO          domain\sqlaccount
    mirror_endpoint     G      sa       CO          domain\gMSA$

    So since that account has connect I'm a little stumped on the next step to diagnose this. Has anyone worked with Group Managed Service Accounts and may know what the issue is?

    Could be that a step or two was missed when initially setting up the gMSA for SQL Server. Try going through the steps in this article:
    Using Group Managed Service Accounts with SQL Server

    Sue
