I have an IIS application running a .Net app as a gMSA that needs to perform an action on a remote .Net Web API using Windows authentication. The gMSA is also a member of a special group that should allow the user to perform the action on the API (my Windows account is also a member of this group). When the application contacts the API, it correctly authenticates as the gMSA account but it is denied with a 403 Forbidden. I debugged the API code and have the API spitting out the groups for the gMSA user, but there is no groupsid claim for the group that should allow the action. If I connect to the API as myself, I do see the sid for the group show as a groupsid claim and I am allowed to perform the action.
Any idea on how to check group membership for gMSA accounts?
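One way to check a gMSA's effective group membership from the directory side, as an added example that is not part of the original post: read the constructed `tokenGroups` attribute of the gMSA object, which holds the fully expanded (nested) group SIDs the DC would put into the account's token, and compare it against the target group's SID. Account and group names below are placeholders, and the ActiveDirectory RSAT module is assumed to be available.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-GmsaTokenGroups {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName   # placeholder, e.g. 'svc-webapp$'
    )
    # Locate the gMSA object (msDS-GroupManagedServiceAccount) and bind to it via ADSI.
    $gmsa  = Get-ADServiceAccount -Identity $SamAccountName
    $entry = [ADSI]"LDAP://$($gmsa.DistinguishedName)"

    # tokenGroups is a constructed attribute: it is only returned when explicitly
    # requested on the object itself, and it contains the expanded membership
    # (including nested groups) as binary SIDs.
    $entry.RefreshCache(@('tokenGroups'))

    foreach ($bytes in $entry.Properties['tokenGroups']) {
        $sid = [System.Security.Principal.SecurityIdentifier]::new([byte[]]$bytes, 0)
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = '<unresolved>' }   # e.g. a group from a domain we cannot translate
        [pscustomobject]@{ Sid = $sid.Value; Name = $name }
    }
}

function Test-GmsaInGroup {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $GroupName         # placeholder group name
    )
    # Compare by SID, which is what the API's groupsid claims carry.
    $groupSid  = (Get-ADGroup -Identity $GroupName).SID.Value
    $effective = Get-GmsaTokenGroups -SamAccountName $SamAccountName
    [bool]($effective | Where-Object Sid -eq $groupSid)
}

# Usage with placeholder names:
Get-GmsaTokenGroups -SamAccountName 'svc-webapp$' | Format-Table -AutoSize
Test-GmsaInGroup   -SamAccountName 'svc-webapp$' -GroupName 'API-Action-Allowed'
```

tokenGroups reflects the directory's current state, whereas the groupsid claims the API receives come from the token built when the gMSA's logon session (the IIS app pool) was established, so a membership change made after that logon will not appear in the claims until the app pool is recycled and the account logs on again.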