Windows worker node is not added to gMSA security group with VKS service 3.5.0
Article ID: 422633

Products

VMware vSphere Kubernetes Service

Issue/Introduction

  • A security group was created in Active Directory (AD) so that Windows worker nodes can use a gMSA. See Preparing Active Directory for Using Group Managed Service Accounts with Windows Node Pools.
  • After upgrading the VKS Service to 3.5.0, a Pod that uses a gMSA credential spec can no longer perform Kerberos authentication. Checking the secure channel from inside the Pod reports ERROR_NO_TRUST_LSA_SECRET:

    kubectl exec -it <pod-name> -- powershell

    PS C:\> nltest /sc_verify:<full-domain-name>
    Flags: 80
    Trusted DC Name
    Trusted DC Connection Status Status = 1786 0x6fa ERROR_NO_TRUST_LSA_SECRET
    Trust Verification Status = 1786 0x6fa ERROR_NO_TRUST_LSA_SECRET
    The command completed successfully

Environment

vSphere Kubernetes Service

Cause

The Windows worker node is not added automatically to the gMSA security group in Active Directory when it joins the AD domain. Only members of that group are allowed to retrieve the gMSA's managed password, so the node cannot fetch the password on the Pod's behalf, no secure channel can be established for the gMSA identity, and the Pod reports ERROR_NO_TRUST_LSA_SECRET.

Resolution

This is a known issue that will be fixed in a future release of the VKS Service.

To work around the issue, add the node's computer account to the gMSA security group manually:

  1. Log in to the AD server with Administrator permission.
  2. Open Active Directory Users and Computers.
  3. Locate the gMSA security group, right-click it and open its Properties.
  4. Under the Members tab, click Add.
  5. Under Select this object type, click Object Types.
  6. Check Computers and click OK.
  7. In the Enter the object names to select box, enter the Windows worker node hostname and click Check Names.
  8. Select the correct Windows worker node and click OK.
  9. Repeat steps 3 to 8 for every Windows worker node in the cluster. The new group membership takes effect only when the node's computer account obtains a fresh Kerberos ticket, so restart the affected node before re-testing.
  10. Verify from inside the Pod by running nltest /sc_verify:<full-domain-name> again; both Trusted DC Connection Status and Trust Verification Status should now report Status = 0 0x0 NERR_Success.
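The same membership change as a PowerShell script run on a domain-joined admin host with the ActiveDirectory RSAT module and kubectl access. This is an added example, not code from the KB article or from VMware, and it goes beyond the single-node GUI steps above: it discovers every Windows worker node in the current kubectl context, adds any node that is missing from the group, and checks that the gMSA actually trusts that group. The group name and gMSA account name are parameters you supply; the kubectl label query and the hostname derivation from the node name are assumptions about the cluster.

```powershell
# Added example (not from the KB): PowerShell equivalent of the ADUC steps.
# Assumed inputs: $GmsaGroup (the security group from the "Preparing Active
# Directory" doc) and $GmsaAccount (the gMSA itself). Run from a host that has
# the ActiveDirectory module and a kubectl context for the affected cluster.
param(
    [Parameter(Mandatory)] [string]   $GmsaGroup,
    [Parameter(Mandatory)] [string]   $GmsaAccount,
    [string[]] $NodeNames   # optional; defaults to all Windows nodes in the cluster
)

Import-Module ActiveDirectory

# Discover Windows worker nodes when no explicit list is given (assumption: the
# standard kubernetes.io/os=windows label is set, as it is on VKS Windows nodes).
if (-not $NodeNames) {
    $NodeNames = (kubectl get nodes -l kubernetes.io/os=windows `
                  -o jsonpath='{.items[*].metadata.name}') -split '\s+' |
                 Where-Object { $_ }
}

# Sanity check: adding nodes to the group only helps if the gMSA lets that group
# retrieve its managed password. Warn loudly if it does not.
$group = Get-ADGroup -Identity $GmsaGroup
$gmsa  = Get-ADServiceAccount -Identity $GmsaAccount `
             -Properties PrincipalsAllowedToRetrieveManagedPassword
if ($gmsa.PrincipalsAllowedToRetrieveManagedPassword -notcontains $group.DistinguishedName) {
    Write-Warning ("gMSA '{0}' does not list group '{1}' in " +
                   "PrincipalsAllowedToRetrieveManagedPassword; fix that first." -f
                   $GmsaAccount, $GmsaGroup)
}

$members = Get-ADGroupMember -Identity $GmsaGroup |
           Select-Object -ExpandProperty SamAccountName

foreach ($node in $NodeNames) {
    # Assumption: the Kubernetes node name starts with the AD computer name
    # (strip any DNS suffix). The AD account itself is "<hostname>$".
    $hostName = ($node -split '\.')[0]
    $computer = Get-ADComputer -Filter "Name -eq '$hostName'" -ErrorAction SilentlyContinue
    if (-not $computer) {
        Write-Warning "No AD computer object '$hostName' for node '$node'; has it joined the domain?"
        continue
    }
    if ($members -contains $computer.SamAccountName) {
        Write-Host "$hostName is already a member of $GmsaGroup"
        continue
    }
    Add-ADGroupMember -Identity $GmsaGroup -Members $computer
    Write-Host "Added $hostName to $GmsaGroup"
}

# Show the resulting membership so it can be compared against the node list.
Get-ADGroupMember -Identity $GmsaGroup |
    Where-Object objectClass -eq 'computer' |
    Select-Object Name, SamAccountName
```

The membership change is visible to a node only after its computer account obtains a fresh Kerberos ticket, so restart the nodes that were added before re-running nltest /sc_verify inside the Pod. The script is idempotent: re-running it after the next node pool scale-out adds only the new nodes.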