Hi Jesse,
Those error messages in your screenshot should have corresponding Windows Event Log entries with additional details. Depending on where exactly they failed, the relevant log entries could be in the Windows Application, Windows System, or Laserfiche Audit Trail (names approximate) event channels.
The most common reasons for service start failures like what you're showing are port listener conflicts or permissions issues where the new service identity doesn't have rights to listen on the port it needs to. That's not a gMSA-specific issue and can happen with normal AD accounts as well. An easy way to sanity check that is to temporarily put the gMSA in the local Administrators group (which gives it all the port listening rights) and see if the services start. If they do, you know you have a permissions/URL ACL issue and need to pinpoint where. For a general example of how you fix that, see this Note in the Laserfiche Forms Notification Setup documentation:
- Run the following commands in an administrator command prompt:
netsh http add sslcert ipport=0.0.0.0:8181 certhash=#certhash appid={#appid}
netsh http add urlacl url=https://*:8181/ user="LOCAL SERVICE" listen=yes
Replace:
- #appid with a random GUID.
- LOCAL SERVICE with your local service account name.
Note: You only need to run the second command if the service account for the Hub service is not Local System or a member of the local Administrators group on the machine.
With all that said, is there a particular reason you're running every service as the gMSA? We typically recommend changing the default identities of only those Laserfiche Services and IIS application pools that connect to SQL Server so you can leverage Windows Authentication (Kerberos). Changing the default identities of other services (to either a gMSA or normal AD account) is usually much more trouble than it's worth because you suddenly have to sort out all these little-but-blocking Windows permissions issues for things that Just Work with the defaults.
Do also note that if you run Workflow as a gMSA or normal AD account it must be a member of the local Administrators group on that server in order to create Scheduled Starting Rules.
Hope that helps.
Cheers,
Sam
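
The URL ACL check described in the reply above can be scripted so the reservation is confirmed without leaving the service identity in the local Administrators group. This is an added example, not part of the original post or of Laserfiche's documentation; the account name `CONTOSO\svc-lf$` and the sample text are constructed, and the parser assumes English-language `netsh` output.

```powershell
# Added example: parse `netsh http show urlacl` text and check whether an
# identity holds a listen reservation on a port. Assumes English netsh output.
function Get-UrlAclReservation {
    param([Parameter(Mandatory)][string[]]$Lines)
    $url = $null; $user = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*Reserved URL\s*:\s*(\S+)') { $url = $Matches[1] }
        elseif ($line -match '^\s*User:\s*(.+?)\s*$') { $user = $Matches[1] }
        elseif ($line -match '^\s*Listen:\s*(\w+)' -and $url) {
            # One object per (URL, user) pair; Listen is $true only for "Yes".
            [pscustomobject]@{ Url = $url; User = $user; Listen = ($Matches[1] -eq 'Yes') }
        }
    }
}

function Test-ListenRight {
    param([string[]]$Lines, [int]$Port, [string]$Identity)
    # Direct match only: a reservation granted to a group the identity belongs
    # to is not resolved here. Local System and local Administrators need none.
    $hits = Get-UrlAclReservation -Lines $Lines |
        Where-Object { $_.Url -match ":$Port/" -and $_.Listen -and $_.User -ieq $Identity }
    [bool]$hits
}

# Constructed sample in the layout `netsh http show urlacl` prints.
$sample = @'
URL Reservations:
-----------------

    Reserved URL            : http://+:80/Temporary_Listen_Addresses/
        User: \Everyone
            Listen: Yes
            Delegate: No
            SDDL: D:(A;;GX;;;WD)

    Reserved URL            : https://*:8181/
        User: NT AUTHORITY\LOCAL SERVICE
            Listen: Yes
            Delegate: No
            SDDL: D:(A;;GX;;;LS)
'@ -split '\r?\n'

$gmsa = 'CONTOSO\svc-lf$'   # hypothetical gMSA name
"LOCAL SERVICE on 8181: " + (Test-ListenRight -Lines $sample -Port 8181 -Identity 'NT AUTHORITY\LOCAL SERVICE')
"$gmsa on 8181: " + (Test-ListenRight -Lines $sample -Port 8181 -Identity $gmsa)

# On the server, feed it live output instead of the sample:
#   Test-ListenRight -Lines (netsh http show urlacl) -Port 8181 -Identity $gmsa
```

With the constructed sample the first check reports True and the gMSA check reports False, which is the state in which the second `netsh` command from the quoted documentation is needed for that account.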