[MSDN Redirect] BUG: Azure AD Connect attempting to connect to SQL Instance using machine account instead of gMSA

kobulloc-MSFT (Microsoft Employee)
2020-02-19T03:44:54.61+00:00

Hi All,

I couldn't find a Category and Forum specific to Azure AD Connect, so please feel free to move this post, if it is the wrong location.

The issue is as described: Azure AD Connect is attempting to connect to its configured SQL Instance using the machine account of the server on which it is installed, in addition to its gMSA. The service is working using the gMSA, and is otherwise synchronising, but the additional connection attempts using the machine account are obviously generating errors on SQL Server as well, as the machine account is not permitted access to the instance.

Stopping the "Microsoft Azure AD Sync" service stops further errors being generated, so it's definitely Azure AD Connect doing it, but it clearly shouldn't be.

Has anyone else encountered this?

Cheers,

SMLatCST


2 answers

  1. Marilee Turscak-MSFT (Microsoft Employee)
    2020-02-20T01:40:33.177+00:00

    What SQL error do you get? Make sure you're using an account that's a system admin in SQL when you're running the wizard.

    https://learn.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-accounts-permissions

    (Please also share any relevant screenshots if you can.)


  2. SMLatCST
    2020-02-21T16:37:07.133+00:00

    The SQL errors appear every 5 minutes while the "Microsoft Azure AD Sync" service is running, and there are always two each time, with the below messages:

    Login failed for user 'DOMAIN\MACHINE$'. Reason: Could not find a login matching the name provided. [CLIENT: IP ADDRESS]
    and
    Error: 18456, Severity: 14, State: 5.

    To clarify, I do not believe this is an issue of permissions or configuration, as Azure AD Connect appears to be working correctly using the gMSA (i.e. accounts are being synced and the database is being updated). The issue is that it is also, in addition and not as configured, attempting to connect to the SQL instance using the machine account as well. The machine account doesn't have access to SQL, so the error is a legitimate refusal. It is the authentication attempt that is made in error.

    This seems like a bug to me. Have you encountered it before?
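The triage a practitioner would do on the symptoms described in this thread (error 18456 state 5 for a DOMAIN\MACHINE$ principal, twice every 5 minutes) is to parse the SQL Server ERRORLOG, group the failed logins by principal, check their cadence, and compare the failing principal with the account the sync service actually runs as. The PowerShell below is an added example written for this page; it is not code from the thread or from Azure AD Connect. The ERRORLOG sample lines, the domain CONTOSO, the host name AADC01 and the client IPs are constructed for the demonstration; the 18456 state descriptions are limited to the states whose meaning is well documented, and the ADSync service name is the one the "Microsoft Azure AD Sync" service registers under on the Connect server.

```powershell
# Added example (not part of the Q&A thread): triage SQL Server 18456 login failures and
# compare the failing principal with the logon account of the Azure AD Connect sync service.

# Constructed sample of SQL Server ERRORLOG lines in the format quoted in the thread.
# Names, IPs and the 5-minute cadence are made up for this example.
$sampleErrorLog = @'
2020-02-21 09:00:01.12 Logon       Error: 18456, Severity: 14, State: 5.
2020-02-21 09:00:01.12 Logon       Login failed for user 'CONTOSO\AADC01$'. Reason: Could not find a login matching the name provided. [CLIENT: 10.0.0.15]
2020-02-21 09:05:01.20 Logon       Error: 18456, Severity: 14, State: 5.
2020-02-21 09:05:01.20 Logon       Login failed for user 'CONTOSO\AADC01$'. Reason: Could not find a login matching the name provided. [CLIENT: 10.0.0.15]
2020-02-21 09:07:43.55 Logon       Error: 18456, Severity: 14, State: 8.
2020-02-21 09:07:43.55 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.99]
2020-02-21 09:10:01.31 Logon       Error: 18456, Severity: 14, State: 5.
2020-02-21 09:10:01.31 Logon       Login failed for user 'CONTOSO\AADC01$'. Reason: Could not find a login matching the name provided. [CLIENT: 10.0.0.15]
'@
$sampleLines = $sampleErrorLog -split "`r?`n"

# Meaning of the 18456 state values most often met in this kind of triage.
$stateMeaning = @{
    5  = 'Login does not exist on the instance'
    8  = 'Password mismatch (SQL authentication)'
    11 = 'Login exists but server access failed (e.g. CONNECT SQL not granted)'
    12 = 'Login exists but server access failed (login denied or disabled)'
    38 = 'Login succeeded but the requested database could not be opened'
}

function Parse-Sql18456Failures {
    # ERRORLOG writes the "Error: 18456 ... State: N" line first and the
    # "Login failed for user" line second; pair them to attach the state to the principal.
    param([string[]] $Lines)
    $pendingState = $null
    foreach ($line in $Lines) {
        if ($line -match 'Error: 18456, Severity: \d+, State: (\d+)\.') {
            $pendingState = [int]$Matches[1]
            continue
        }
        $loginRegex = "^(?<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d\d)\s+Logon\s+Login failed for user '(?<user>[^']+)'\.(?:\s*Reason: (?<reason>.+?))?\s*\[CLIENT: (?<client>[^\]]+)\]"
        if ($line -match $loginRegex) {
            $meaning = if ($null -ne $pendingState -and $stateMeaning.ContainsKey($pendingState)) { $stateMeaning[$pendingState] } else { 'Unlisted state' }
            [pscustomobject]@{
                Time    = [datetime]::ParseExact($Matches['ts'], 'yyyy-MM-dd HH:mm:ss.ff', [Globalization.CultureInfo]::InvariantCulture)
                User    = $Matches['user']
                State   = $pendingState
                Meaning = $meaning
                Reason  = ([string]$Matches['reason']).Trim()
                Client  = $Matches['client']
            }
            $pendingState = $null
        }
    }
}

function Summarize-FailedLogins {
    # One row per failing principal: how often, which states, from where, and the typical
    # gap between attempts (a steady gap points at a scheduled process rather than a person).
    param([object[]] $Failures)
    $Failures | Group-Object User | ForEach-Object {
        $times = @($_.Group.Time | Sort-Object)
        $gaps  = @(for ($i = 1; $i -lt $times.Count; $i++) { ($times[$i] - $times[$i - 1]).TotalMinutes })
        [pscustomobject]@{
            User              = $_.Name
            Attempts          = $_.Count
            States            = (@($_.Group.State | Sort-Object -Unique) -join ',')
            Meaning           = (@($_.Group.Meaning | Sort-Object -Unique) -join '; ')
            IsComputerOrGmsa  = $_.Name.EndsWith('$')   # both machine accounts and gMSAs end in $
            MedianGapMinutes  = if ($gaps.Count -gt 0) { (@($gaps | Sort-Object))[[int][math]::Floor($gaps.Count / 2)] } else { $null }
            Clients           = (@($_.Group.Client | Sort-Object -Unique) -join ',')
        }
    }
}

function Get-ADSyncServiceAccount {
    # Run on the Azure AD Connect server: returns the logon account the sync service uses,
    # in DOMAIN\name$ form for a gMSA, so it can be compared with what SQL Server reports.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='ADSync'"
    if (-not $svc) { throw 'ADSync service not found on this host' }
    [pscustomobject]@{ Service = $svc.Name; DisplayName = $svc.DisplayName; LogonAccount = $svc.StartName; State = $svc.State }
}

# Demo on the constructed sample. For a live instance, feed the ERRORLOG instead, e.g.
#   $lines = Get-Content '<path to the instance ERRORLOG>'   (path is instance specific)
$failures = Parse-Sql18456Failures -Lines $sampleLines
Summarize-FailedLogins -Failures $failures | Format-Table -AutoSize

# On the Connect server, flag $-terminated principals that are NOT the configured service account:
#   $svc = Get-ADSyncServiceAccount
#   Summarize-FailedLogins -Failures $failures | Where-Object { $_.IsComputerOrGmsa -and $_.User -ne $svc.LogonAccount }
```

On the sample, CONTOSO\AADC01$ shows 3 attempts, state 5 only, a median gap of 5 minutes and a single client address, while sa shows a one-off state 8 failure from a different client. The row that matters for this thread is a $-terminated principal whose name differs from the ADSync logon account returned by Get-ADSyncServiceAccount: that confirms the failures come from the computer account rather than from a misconfigured gMSA, which is the distinction the second answer draws.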