Share via

Issue with Azure Devops installation on Onprimses

NETTEM Swetha (SAFRAN) 0 Reputation points
2026-02-17T12:15:38.7+00:00

We installing an Azure DevOps on premise.

We are trying to configure the application with a gMSA account.

It doesn't work and we don't understand why?{F2CF4926-15E4-4E74-B921-D27D4A6841AA}

Azure DevOps

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Pravallika KV 10,725 Reputation points Microsoft External Staff Moderator
    2026-02-17T13:05:32.34+00:00

    Hi @NETTEM Swetha (SAFRAN),

    Thanks for reaching out to Microsoft Q&A.

    Here are some steps you can follow to troubleshoot the issue:

    1. Ensure that the gMSA account is created correctly in Active Directory and is configured to allow the necessary permissions.
    2. Check Service Account Permissions:
      • The account must have the appropriate SQL Server permissions. Ensure that the account is in the sysadmin server role in SQL Server for the installation process.
      • The account should also be granted permissions to the file system where Azure DevOps is installed.
    3. Run a simple command to test the gMSA account by checking its authentication. You can use the PowerShell command Test-ADServiceAccount <gMSA_Name> to verify if it is functioning as expected.
    4. Make sure that during the installation, the Configuration Wizard was completed successfully without errors. Pay attention to any warnings that might illuminate the issue.

    Hope this helps!

    References:

    Hope this helps!

    0 comments
  2. Marcin Policht 81,705 Reputation points MVP Volunteer Moderator
    2026-02-17T12:56:24.1433333+00:00

    From the screenshot the error indicates that the -pswd option requires a value and then Azure DevOps reports that a password is required for the user account. When you use a gMSA, there is no password you manually provide, but TfsConfig.exe still requires the parameter to be present. If you omit it entirely, the tool throws that error.

    For a gMSA account you should include the password parameter and pass an empty string. The account name must also end with $.

    The command should look like this:

    TfsConfig.exe Accounts /change /AccountType:ApplicationTier /Account:DOMAIN\gmsa_account$ /Password:""

    If it still fails after that, verify the gMSA itself is correctly configured on the server. On the Azure DevOps server, run:

    Install-ADServiceAccount gmsa_account

    Test-ADServiceAccount must return True. If it returns False, the machine is not authorized to use the gMSA or the KDS root key has not been properly created in Active Directory.

    Also confirm that:

    setspn -L DOMAIN\gmsa_account$

    returns valid SPNs and that the computer object of the Azure DevOps server is listed in the gMSA’s PrincipalsAllowedToRetrieveManagedPassword.

    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.