
I'm receiving NETLOGON errors EventID 5723 which states: "The session setup from computer [AccountName] failed because the security database does not contain a trust account [AccountName] referenced by the specified computer."

The only problem is the account being referenced is NOT a computer account. It's a Managed Service Account. How can this error be thrown for an account that isn't a computer?

Additional Info:

  • The account is used as the identity for an AppPool in IIS.
  • The account is trusted for delegation.
  • It has HTTP SPNs set.

josh

1 Answer


As a matter of fact, Group Managed Service accounts are indeed a type of computer account. If you take a look at the objectClass attribute on one of them, you'll see a list of classes including:

  • computer
  • msDS-GroupManagedServiceAccount
  • organizationalPerson
  • person
  • top
  • user

Additionally, the sAMAccountType attribute is set to MACHINE_ACCOUNT instead of NORMAL_USER_ACCOUNT.

Ryan Bolger
  • I checked that, the objectClass does list "computer" but the sAMAccountType is NORMAL_USER_ACCOUNT. – josh Jul 13 '17 at 18:16
  • Is it actually a group managed service account that can be referenced by multiple machines? Or is it the old style managed service account that only a single machine can reference? The gMSAs on my 2012 R2 based domain all have a sAMAccountType of MACHINE_ACCOUNT. – Ryan Bolger Jul 13 '17 at 18:25
  • Their sAMAccountName attributes also all end with a '$' just like computers. – Ryan Bolger Jul 13 '17 at 18:29
  • It's an older MSA. Not a gMSA. The sAMAccountName does end in a '$' though. – josh Jul 13 '17 at 18:29
  • Ah ha. In that case, I'm not sure. My legacy MSAs don't even have computer as an object class. And all of their sAMAccountNames start with a '!' char. – Ryan Bolger Jul 13 '17 at 18:31
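A quick way to check the three attributes the answer and comments turn on (the full objectClass list, the numeric sAMAccountType, and whether sAMAccountName ends in '$') is the PowerShell script below. It is an added example, not part of the original answer; it uses the .NET DirectorySearcher so it needs no RSAT module, and the account name is a placeholder you replace with your MSA's sAMAccountName.

```powershell
# Added diagnostic for the EventID 5723 question: report how AD classifies a
# (group) managed service account. 'svc_example$' is a placeholder name.
param([string]$AccountName = 'svc_example$')

# sAMAccountType values as defined in the AD schema (MS-ADTS / MS-SAMR).
$samAccountTypeNames = @{
    0x30000000 = 'SAM_NORMAL_USER_ACCOUNT'
    0x30000001 = 'SAM_MACHINE_ACCOUNT'
    0x30000002 = 'SAM_TRUST_ACCOUNT'
}

# Search the current domain for the object by sAMAccountName.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(sAMAccountName=$AccountName)"
[void]$searcher.PropertiesToLoad.AddRange(
    @('objectClass', 'sAMAccountType', 'sAMAccountName', 'servicePrincipalName'))
$result = $searcher.FindOne()
if (-not $result) { throw "No object with sAMAccountName '$AccountName' found" }

# DirectorySearcher returns every value of the multi-valued objectClass
# attribute (top, person, ..., computer, msDS-...), unlike Get-ADObject,
# which shows only the most specific class.
$classes = @($result.Properties['objectclass'])
$type    = [int]$result.Properties['samaccounttype'][0]
$sam     = [string]$result.Properties['samaccountname'][0]
$spns    = @($result.Properties['serviceprincipalname'])

$typeName = if ($samAccountTypeNames.ContainsKey($type)) {
    $samAccountTypeNames[$type]
} else {
    '0x{0:X8} (unrecognised)' -f $type
}

# Summarise what NETLOGON would see when this account authenticates.
[pscustomobject]@{
    sAMAccountName   = $sam
    EndsWithDollar   = $sam.EndsWith('$')
    HasComputerClass = $classes -contains 'computer'
    IsGroupMSA       = $classes -contains 'msDS-GroupManagedServiceAccount'
    IsLegacyMSA      = $classes -contains 'msDS-ManagedServiceAccount'
    sAMAccountType   = $typeName
    HttpSpnCount     = @($spns | Where-Object { $_ -like 'HTTP/*' }).Count
}
```

A legacy MSA that reports HasComputerClass true, EndsWithDollar true, but SAM_NORMAL_USER_ACCOUNT is exactly the mixed state described in the comments, which explains why a computer-account style error can be logged for it.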