KSC Domain account lose device permissions after task run, reboot KSC fix it


MatheusPP
Posted

Hi,

I have recently split my KSC into servers/desktops and recreated them on Windows Server 2022, following the online documentation for installation, the only difference being that one was configured with an AD group managed service account and the other with the autogenerated local account. After this rebuild I am seeing a weird behavior on the KSC with the gMSA account.

Every time I run a task like installing KES remotely, using my privileged account that installed the application, I lose all my permissions to see devices after some progress on the task. I can disconnect and connect normally, but on the monitoring dashboard it reports 0 devices managed (normally it would display near 200), and if I browse to the groups I can't see any devices.

If I reboot the KSC server and reconnect the console, everything is back to normal. At first it seemed to be random, but I managed to correlate it with starting some tasks.

I was unable to reproduce this problem on the other KSC that is running with the local account.

I tried to look into the documentation for a way to change the service account, but it seems it is not possible to migrate out of a gMSA for a local account, only the other way around.

Any idea in how to fix this?

Renan Corassa
Posted

Hello, @MatheusPP
Does the account selected during installation have password rotation?

MatheusPP
Posted

The account used for the installation of KSC does not have automatic password rotation and has not changed its password since installation.

The account that runs the services is a group Managed Service Account that also connects to the database (SQL Server) using Windows Authentication, configured following guidance from:

Step 9. Selecting the account to start Administration Server (kaspersky.com)

Renan Corassa
Posted (edited)

Have you ever experienced a disconnection from the MMC console while using the interface?

Check the KSC Server event viewer to try to locate any warning and/or failure events.

I believe there may be some failure between KSC and the Database.

Edited by Renan Corassa

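The two checks suggested above (Event Viewer failures, and a possible KSC-to-database failure) can be run together from the KSC host with PowerShell. This is an added example, not code from the thread or from Kaspersky; the gMSA name is a placeholder and the ActiveDirectory module is assumed to be installed.

```powershell
# Added example: on the KSC host, confirm the gMSA is still usable locally
# and look for recent error/warning events, including SQL Server logon failures.
$Gmsa = 'KSC-gMSA$'   # placeholder: the gMSA that runs the Administration Server

Import-Module ActiveDirectory

# True only if this host is allowed to retrieve the gMSA's managed password.
$canUseGmsa = Test-ADServiceAccount -Identity $Gmsa
"gMSA usable on this host: $canUseGmsa"

# Error (2) and Warning (3) events from the last 24 hours in Application and System.
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Application', 'System'
    Level     = 2, 3
    StartTime = $since
} -ErrorAction SilentlyContinue

# Which sources are failing most often? Recurring entries around the time a
# task was started are the ones worth reading first.
$events | Group-Object ProviderName | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# SQL Server writes 'Login failed for user ...' as event ID 18456; its message
# names the account and the reason, which shows whether the gMSA logon is refused.
$events | Where-Object { $_.ProviderName -like 'MSSQL*' -and $_.Id -eq 18456 } |
    Select-Object TimeCreated, Id, Message | Format-List
```

Run it in an elevated session shortly after reproducing the problem, before rebooting, so the relevant events fall inside the 24-hour window.
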
MatheusPP
Posted

I only saw disconnects during reboots; otherwise it stays connected. I can browse the menus, see policies and KSC server properties, and can see the tasks and packages, but all the devices go missing.

I should point out that I have other colleagues using the same KSC and they are unable to reproduce my problem. I believe this to be an issue with my account being the one used to install the KSC.

Renan Corassa
Posted (edited)

Does the KSC Server for Servers use the same DBMS as the KSC Server for Desktops?

Edited by Renan Corassa
MatheusPP
Posted

No, each server has its own DBMS; they are locally installed on each server, with the only difference being this configuration as far as I remember.

JL - KL DACH
Posted

Hello,

Please can you try using the KLSRVSWCH utility on the Administration Server directly to change the service account?
It is located in the installation folder of the Administration Server and has to be started "as Administrator". Then try changing the account to another one, which should be a Domain Administrator. More info here:
https://support.kaspersky.com/help/KSC/14/en-US/13053.htm

Thank you in advance

Best Regards


MatheusPP
Posted

I tried that, but the "LocalSystem Account" option is greyed out. It seems I can only change to another AD service account, or I need to generate the local account manually somehow...

MatheusPP
Posted

Does the local account the KSC can generate on installation (KL-...) have any special property, or can I create a local account manually on the server?

JL - KL DACH
Posted

Hello,

The LocalSystem account is greyed out, as described in the link above:

"Windows Vista and later Windows versions do not allow the use of a LocalSystem account for the Administration Server. In these Windows versions, the LocalSystem account option is inactive."

Please refer to section:

To change an Administration Server service account to a user account or a managed service account:


Best Regards
