Group Managed Service Account password not refreshing properly

Good day,

We are running ADFS under a Group Managed Service Account in one of our domains. Here we notice that ADFS stops every 30 days, at the same time as the gMSA password expires.

On the Active Directory servers we see event ID 2946 at the same time:

A caller successfully fetched the password of a group managed service account. (with the account name and correct IPs of the ADFS servers).

I believe the issue itself resides in the Key Distribution Service. On this domain, the service starts once per month, and only once per month do we see event ID 2946. On other domains with gMSAs we see that client servers request the key every week. Is there a way to make the client server request the key more frequently, or a way to troubleshoot this problem further? In the event logs there are no errors or warnings listed about the Key Distribution Service, nor is there any hint on the ADFS server that the service account has expired.

In the domains we only have one KDS Root Key, and the configuration of the KDS is the same. All domain controllers reside in the default Domain Controllers OU and are not in child OUs.


June 26th, 2015 7:53am
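A diagnostic script for the situation described in the question, added here as an example and not posted by anyone in the thread. It compares the gMSA's PasswordLastSet against its msDS-ManagedPasswordInterval, checks whether the local host can still retrieve the password, and counts event 2946 per domain controller. The account name is a placeholder, and the log name used for event 2946 is an assumption to adjust for your environment.

```powershell
# Added example, not from the original thread. Requires the RSAT ActiveDirectory
# module; step 2 must run on the server that uses the gMSA (the ADFS host here).
param(
    [string]$Account = 'gmsa-adfs$',   # placeholder, replace with your gMSA name
    [int]$Days = 35                    # look back a little past one 30-day rollover
)
Import-Module ActiveDirectory

# 1. Password age on the gMSA object versus the configured rollover interval.
$acct = Get-ADServiceAccount -Identity $Account -Properties PasswordLastSet,
    'msDS-ManagedPasswordInterval', PrincipalsAllowedToRetrieveManagedPassword
# msDS-ManagedPasswordInterval is empty when the account was created with the
# default, which is 30 days.
$interval = if ($acct.'msDS-ManagedPasswordInterval') { $acct.'msDS-ManagedPasswordInterval' } else { 30 }
$ageDays  = ((Get-Date) - $acct.PasswordLastSet).TotalDays
[pscustomobject]@{
    Account           = $acct.SamAccountName
    PasswordLastSet   = $acct.PasswordLastSet
    IntervalDays      = $interval
    PasswordAgeDays   = [math]::Round($ageDays, 1)
    Overdue           = $ageDays -gt $interval     # True means rollover has not taken
    AllowedRetrievers = ($acct.PrincipalsAllowedToRetrieveManagedPassword -join '; ')
}

# 2. Can this host fetch the current managed password right now?
# False here with Overdue = True above points at retrieval, not at the KDS.
"Test-ADServiceAccount on $env:COMPUTERNAME: $(Test-ADServiceAccount -Identity $Account)"

# 3. How often each DC logged 2946 (password fetched) for this account recently.
# Assumption: 2946 is read from the System log; change LogName if your DCs
# record it elsewhere. Get-WinEvent errors when nothing matches, hence the catch.
$sam = $acct.SamAccountName.TrimEnd('$')
foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    try {
        $hits = Get-WinEvent -ComputerName $dc -ErrorAction Stop -FilterHashtable @{
            LogName = 'System'; Id = 2946; StartTime = (Get-Date).AddDays(-$Days)
        } | Where-Object { $_.Message -match [regex]::Escape($sam) }
        [pscustomobject]@{ DC = $dc; Fetches = @($hits).Count
                           Last = ($hits | Select-Object -First 1).TimeCreated }
    } catch {
        [pscustomobject]@{ DC = $dc; Fetches = 0; Last = $null }
    }
}
```

Weekly fetches on the healthy domains and a single fetch per month on the affected one should show up directly in the per-DC counts, which narrows the question to why the clients there stop asking.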

Hi Bart,

>>Here we notice that ADFS stops every 30 days, at the same time as the GMSA password expires.

What's the version of our operating system, Server 2008 R2? If yes, we can install the following hotfix to see if the situation persists.

Managed service account authentication fails after its password is changed in Windows 7 or in Windows Server 2008 R2

https://support.microsoft.com/en-us/kb/2494158

Best regards,

Fran

June 29th, 2015 2:58am
