Unable to install service under Managed Service Account


 I've seen the issue elsewhere, but the solution they were given is not working for me. When running the install and getting to the point where the web server is installed, I get the following in the logs:

[2016-10-21 16:10:57,503] FileTaskSettings                  [Info] Parsing service settings
[2016-10-21 16:10:57,503] FileTaskSettings                  [Info] Program to execute:   C:\Windows\system32\cmd.exe
[2016-10-21 16:10:57,503] FileTaskSettings                  [Info] Program arguments:    /c teamcity-server.bat run service
[2016-10-21 16:10:57,503] FileTaskSettings                  [Info] Program work dir:     D:\Program Files\TeamCity\bin
[2016-10-21 16:10:57,503] FileTaskSettings                  [Info] Program stop timeout: 900000
[2016-10-21 16:10:57,503] CreateServiceSettingsAction       [Info] Service log file is set to: D:\Program Files\TeamCity\logs\teamcity-winservice.log
[2016-10-21 16:10:57,503] CreateServiceSettingsAction       [Info] Installing service under SomeGMSA$ (domain=company.net) account
[2016-10-21 16:10:57,768] LogonUserCommand                 [Error] Failed to Logon user company.net\SomeGMSA$. The user name or password is incorrect. (1326)
[2016-10-21 16:10:57,784] LSAGrantPrivilegeCommand          [Info] User company.net\SomeGMSA$ was given 'Logon as Service' privilege
[2016-10-21 16:10:57,799] LogonUserCommand                 [Error] Failed to Logon user company.net\SomeGMSA$. The user name or password is incorrect. (1326)
[2016-10-21 16:10:57,799] CheckAndGrantLogOnAsServiceComma  [Info] Failed to give user enough rights to run as server
[2016-10-21 16:10:57,799] CreateServiceCheckAccountAction   [Info] Failed to give user enough rights to run as server
[2016-10-21 16:10:57,799] CreateServiceCheckAccountAction   [Info] Give user enough rights or add '/giveUserRights=false' commandline argument

The help others have gotten is to install using the SYSTEM account. Which I did, and then when I went to services.msc, and tried changing the logon account. Had to stop the service and start it back up. I get an access denied.  The account works, as it was tested with other services.  I am seeing the "Give user enough right or add '/giveUserRight=false' commandline argument", but am unsure where this goes. I tried reading through the teamcity-server.bat file and I don't see this as a valid argument.

Comment actions Permalink

Hello Jonathan,

We have the related request in our tracker: https://youtrack.jetbrains.com/issue/TW-45656. Please vote for it and try the workaround suggested in the issue.

Comment actions Permalink

That is the solution I mentioned above.  I install it as system and then I go into services.msc and try to change the account name there. Use the group managed service account id, the one that ends with "$", and leave the password blank. I get an error that access is denied.  My security team believes that all privileges required for the account are given, but we are revisiting that as well.  I know Tomcat7 and Java1.7 is installed and bundled with the windows installer. Could there be an issue with how credentials are passed to these applications? I tried installing Teamcity10, 9.1.7 and 9.1.6, they all do the same.

Comment actions Permalink

Any updates on this?
I am having the same issue.
Installed as system, changed to gMSA and granted full control to all TC folders and still seeing access denied in the server log.


Comment actions Permalink

you might want to check elsewhere.  Installing as SYSTEM does indeed work. Then going into the service and changing the logon id DOES work.  Please do make sure to:

1.     enter the full user id, including the "$"; domain\gmsa$

2.     leave both password fields below the id, password/confirm-password, empty

If you do not have the $ at the end of the id, AD will not know that it is a gMSA and retrieve the password.  Also make sure it has the proper logon as service permission and has access to that workstation as a whole, as well as the database that you are using for TC. 

Comment actions Permalink

Yes, I know that. My problem is not how to re-configure a service to run under a group managed service account, but that TC server fails during startup.

So the service itself is fine to run, but TC is giving me access denied errors even after granting full access to all TC folders to the new account.

So I am wondering what privileges do I need to grant to the new service account so that TC server can work ?

Comment actions Permalink

Well my gMSA has "Log on as a service" permission and I added it to the local admin group. It may not need admin group access, maybe just power users, but I gave it such since I use it for webdeploy.  Since the gMSA is tied to the workstation by AD, there is no risk putting it in the admin group. 

Comment actions Permalink

I've ended up granting admin access to the service account, but that's not the right thing. Like you don't see everyone running their CI systems on Linux as root.

I don't like over privileging, so would have been nice to know the exact list of permissions, like

- being able to listen on port 80 and 9090

- full access to teamcity folders


if anyone reading this can point me to a complete list, that would be appreciated




Please sign in to leave a comment.