ATP GMSA Password password could not be retrieved

Occasional Visitor

I have 8 Domain Controllers in my test environment.  Four are failing with the error above.


The gmsa is configured and the DC's are in a security groups that has "PrincipalsAllowedToRetrivePassword".


Running Test-ADServiceAccount returns "True"


I have a GPO assigned so that the GMSA can Log On As a Service.  Running GP Results shows that the GPO is applied and setting is correct.


Error Message is:

Directory services user credentials are incorrect

Credentials for the directory services user GMSA are incorrect.  Your MDI sensor(s) cannot connect to 4 Domain Controllers without these credentials.  The directory services user is required to perform LDAP queries against the domain controllers.

3 Replies


Are the 4 DCs in a different domain? They won't be able to access the credentials if there isn't a two-way kerberos trust between the two domains. 


Otherwise, I'd recommend opening a Service Request for this one. Seems like you hit all the obvious nails. 

Did you ever get this resolved? I've come across the same issue.

Hi @DevRin,

Recently, I came across the same problem I have followed the steps below, and it's solved my problem  

1. Removed the gMSA used by MDI. I have also removed the gMSA response action account.
2. Removed the credentials entries MDI.
3. Added a brand new gMSA account for MDI and a new.gMSA account for MDI response actions
4. Added the gMSA accounts credentials back in MDI.

I have done these steps from the Microsoft Defender Portal:

1. Logged in through;
2. Go to ‘Settings’;
3. Go to ‘Identities’

Maybe this can also solve your problem.

Kind Regards,