Error: RBAC authorization returns Access Denied for user. Reason: User was not found. (for a group managed service account)

Hello!

I am trying to use a group managed service account (gMSA) to run an IIS application that should run some scripts. These scripts try to open a PowerShell session to the Exchange server via New-PSSession. Kerberos authentication is OK, but I get this error from RBAC:

(Process w3wp.exe, PID 11080) "RBAC authorization returns Access Denied for user DOMAIN\gMSA$ (SID=S-1-5-21-...-8416). Reason: User was not found on Domain Controller dc1.domain.local."

The gMSA has been added to Organization Management and to Domain Admins, and to the local Administrators group on the Exchange servers.

Does anyone have any ideas?

April 5th, 2015 6:11am

Hi,

According to your description, I understand that you run IIS and get the error from w3wp.exe: "RBAC authorization returns Access Denied for user DOMAIN\gMSA$ (SID=S-1-5-21-...-8416). Reason: User was not found on Domain Controller dc1.domain.local."
If I misunderstand your concern, please do not hesitate to let me know.

This issue may be caused by improper RBAC permissions; please run the commands below to double-check:
Get-Mailbox Identity | FL RoleAssignmentPolicy
Get-RoleAssignmentPolicy Identity | FL Name,AssignedRole

If there is no relevant role, please add it, or create a new role assignment policy with the correct role permissions.
Additionally, I found a similar thread and a blog post about this question. For your reference:
https://social.technet.microsoft.com/Forums/office/en-US/abb76bfd-bee8-451a-b8b9-5691a12d8599/eventid-17-w3wp-rbac-authorization-returns-access-denied-no-role-assignments?forum=exchange2010
http://blogs.technet.com/b/eileenor/archive/2011/04/19/msexchange-rbac-error-17.aspx

Thanks

April 5th, 2015 10:28pm

Hello Allen, thanks for reply.

Today I will check your recommendations and write up the result. Thanks again!

April 21st, 2015 3:04am

Hi,

Any update for this issue? Please post relevant error for further troubleshooting.

April 28th, 2015 5:55am

Hi Allen!

I use the managed service account DOMAIN\gMSA$ to run the IIS application, not a domain user. And I can't run

Get-Mailbox Identity | FL RoleAssignmentPolicy

against the MSA account.

The links in your reply are about "Reason: No role assignments associated with the specified user were found on Domain Controller". In my case the error is: "Reason: User was not found on Domain Controller dc1.domain.local".

DOMAIN\gMSA$ is a member of the Organization Management group and should have the rights to execute Exchange cmdlets like any other member of this group, but it looks like the RBAC authorization mechanism can't work with an MSA.

I have a domain user account that is also a member of the Organization Management group, and when the IIS app runs under this domain user, all is OK. When I try to use the MSA account for IIS, RBAC authorization fails.

April 28th, 2015 2:25pm
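The two RBAC failure reasons discussed in this thread ("No role assignments associated with the specified user" versus "User was not found") point at two different lookups: the first means Exchange resolved the caller as a recipient but found no roles; the second means Exchange could not resolve the caller's SID to a user object at all, so group membership never gets evaluated. The following diagnostic script is an added example, not code from the thread or from Microsoft; it separates those two lookups for a gMSA and compares the result with a regular domain user in the same role group. Assumptions: the gMSA is DOMAIN\gMSA$ as in the thread, the control account DOMAIN\svc_exchange is a made-up name for a normal user that is known to work, and the script runs from the Exchange Management Shell (or a remote session to the Microsoft.Exchange endpoint) on a machine that also has the ActiveDirectory module, under an account that already holds RBAC rights.

```powershell
# Added diagnostic example (not from the original thread).
# Assumed names: DOMAIN\gMSA$ (from the thread) and DOMAIN\svc_exchange (invented control user).
$gmsa        = 'DOMAIN\gMSA$'
$controlUser = 'DOMAIN\svc_exchange'
$roleGroup   = 'Organization Management'

# 1. Confirm that AD itself sees the object as a gMSA and lists the group memberships.
#    The object class is msDS-GroupManagedServiceAccount, not user, which is the
#    difference that matters for the next step.
Import-Module ActiveDirectory
$sam   = $gmsa.Split('\')[1]
$adObj = Get-ADServiceAccount -Identity $sam -Properties ObjectClass, MemberOf, SID
$adObj | Format-List SamAccountName, ObjectClass, SID, MemberOf

# 2. Ask Exchange whether it can resolve the same account as a recipient/user object.
#    This is the lookup that fails with "User was not found": Exchange never
#    gets as far as evaluating role group membership.
$exUser = Get-User -Identity $gmsa -ErrorAction SilentlyContinue
if ($null -eq $exUser) {
    Write-Warning "Exchange cannot resolve $gmsa as a user object; RBAC will report 'User was not found'."
} else {
    Write-Output "Exchange resolved $gmsa as $($exUser.RecipientTypeDetails)."
}

# 3. Enumerate the effective users of the role group and check whether the gMSA
#    is listed. A regular user who is a member appears here; an object Exchange
#    cannot resolve as a user does not, even though AD shows it in MemberOf.
$effective = Get-ManagementRoleAssignment -RoleAssignee $roleGroup -GetEffectiveUsers |
    Select-Object -ExpandProperty EffectiveUserName -Unique
if ($effective -contains $sam) {
    Write-Output "$sam is an effective user of '$roleGroup'."
} else {
    Write-Warning "$sam is NOT an effective user of '$roleGroup' despite AD membership."
}

# 4. Compare with the control account: direct or inherited assignments for a
#    normal user resolve without error, which is the behaviour the thread reports
#    when the IIS app pool runs as that user instead of the gMSA.
foreach ($acct in @($controlUser, $gmsa)) {
    try {
        $assignments = Get-ManagementRoleAssignment -RoleAssignee $acct -GetEffectiveUsers -ErrorAction Stop
        $roleCount   = ($assignments | Select-Object -ExpandProperty Role -Unique | Measure-Object).Count
        Write-Output "$acct : $roleCount distinct role(s) resolved."
    } catch {
        # An unresolvable assignee throws here, matching the 'User was not found' symptom.
        Write-Warning "$acct : RBAC assignee lookup failed: $($_.Exception.Message)"
    }
}
```

Read the output as a pair: if step 1 shows the gMSA in the role group but step 3 does not list it as an effective user, the problem is recipient resolution rather than missing role assignments, and adding more roles or policies will not change the result.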
