我正在测试使用 gMSA 帐户来运行 SF 应用程序，而不是 NETWORKSERVICE。

按照此处的说明进行操作:
https://docs.microsoft.com/en-us/azure/service-fabric/service-fabric-application-runas-security

New-ADServiceAccount -name MySA$ -DnsHostName MySA.contoso -ServicePrincipalNames http/MySA.contoso -PrincipalsAllowedToRetrieveManagedPassword Node0Machine$, Node1Machine$, Node2Machine$

<Principals>
    <Users>
      <User Name="MySA" AccountType="ManagedServiceAccount" AccountName="Contoso\MySA$"/>
</Users>
</Principals>
<Policies>
    <SecurityAccessPolicies>
      <SecurityAccessPolicy ResourceRef="ConfigurationEncipherment" PrincipalRef="MySa" ResourceType="Certificate" />
    </SecurityAccessPolicies>
<DefaultRunAsPolicy UserRef="MySA"/>
</Policies>

Error event: SourceId='System.Hosting', Property='CodePackageActivation:Code:SetupEntryPoint'.
There was an error during CodePackage activation.Service host failed to activate. Error:0x8007052e

"security": {
    "WindowsIdentities": {
            "ClustergMSAIdentity": "MySA$@contoso",
            "ClusterSPN": "http/MySa.contoso",
            "ClientIdentities": [
                {
                    "Identity": "contoso\\MySA$",
                    "IsAdmin": true
                }
            ]
   },

Error:0x8007052e 可能与登录失败有关。

根据 Secure a standalone cluster on Windows by using Windows security 和 Connect to a secure cluster

如果您有 10 个以上的节点或可能会增长或缩小的集群。 Microsoft 强烈建议使用组托管服务帐户 (gMSA) 方法。

您还将看到:



您还可以在 Getting Started with Group Managed Service Accounts 上找到帮助

根据您的评论，一旦您将 gMSA 添加到 ServiceFabricAdministrators 组，一切都会正常工作，这可能是因为“管理员可以完全访问管理功能”