Forum Discussion
ATP and group managed service account not working on RODC
EliOfek Case 120091525000664 created. The technician is indicating that there are issues with npcap or winpcap. We have other servers in our environment which are running ATP sensor without either NPCAP or WINPCAP. Are either required for AZURE ATP sensor? I do not see them listed in the pre-requisites here https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-prerequisites
19873306, if you don't have npcap installed before you install the sensor, the sensor deployment will auto install a "local" winpcap install. You won't see it in "add\remove" programs, but you can see the driver service running with this command:
sc qc npf
- EliOfek, Sep 19, 2020, Microsoft
19873306
So it seems you are over the initial issue. As for the gMSA issue, it's a bit more tricky.
Check errors and warnings in both the sensor logs and the updater logs around this time span to see if you get new insights about what went wrong, or else I suggest opening a support case as it might be tricky.
- 19873306, Sep 18, 2020, Copper Contributor
EliOfek I uninstalled the sensor, rebooted, then reinstalled.
I now have
C:\WINDOWS\system32>sc qc npf
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: npf
TYPE : 1 KERNEL_DRIVER
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : \??\C:\WINDOWS\system32\drivers\npf.sys
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : NetGroup Packet Filter Driver
DEPENDENCIES :
SERVICE_START_NAME :
C:\WINDOWS\system32>
However, the sensor still will not start
Partial error message:
2020-09-18 22:55:35.0283 Warn DirectoryServicesClient CreateLdapConnectionAsync failed to retrieve group managed service account password.
The referenced group managed service account is installed on the server, and tests true from PowerShell.
Partial event log message in directory services indicates the password is fetched successfully:
A caller successfully fetched the password of a group managed service account.
Group Managed Service Account Object:
CN=Microsoft Azure ATP Sensor,OU=ATP,OU=Azure
- EliOfek, Sep 17, 2020, Microsoft
19873306 Make sure you are running elevated when running this.
If you still can't find npf driver, check also
sc qc npcap
If you don't have this one as well, then you have no capturing driver installed, which means the sensor cannot work.
I would try to uninstall and reinstall. If the same problem returns, it means you have something that is somehow blocking or reversing the driver installation.
Most likely a 3rd party security software, so try disabling it before deployment to see if it makes things work.
- 19873306, Sep 17, 2020, Copper Contributor
sc qc npf does not return anything.
I also tried PowerShell Get-Service:
Get-Service npf
Get-Service : Cannot find any service with service name 'npf'.
At line:1 char:1
+ Get-Service npf
+ ~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (npf:String) [Get-Service], ServiceCommandException
+ FullyQualifiedErrorId : NoServiceFoundForGivenName,Microsoft.PowerShell.Commands.GetServiceCommand