Forum Discussion
Azure Advanced Threat Protection Sensor service failed to start multi-forest DC
- Jan 04, 2019
Tried the Quarantine bit and no change. Then tried many things that would add no value to this post, so I will leave them out and skip to the revelation... Started playing with PowerShell trying to reproduce the error, and oddly the same .NET libraries which were failing worked fine:
# Load the LDAP client library (the same assembly the sensor uses)
[System.Reflection.Assembly]::LoadWithPartialName("System.DirectoryServices.Protocols")
[System.Reflection.Assembly]::LoadWithPartialName("System.Net")
# Prompt for an account in the trusted domain
$cred = Get-Credential
# Connect to the trusted domain; AuthType is left at its default (Negotiate)
$connLmk = New-Object System.DirectoryServices.Protocols.LdapConnection "DomainName"
# Bind expects a System.Net.NetworkCredential, so unwrap the PSCredential
$connLmk.Bind($cred.GetNetworkCredential())
Then conversations with a colleague led us down the path to requiring Kerberos (which makes some sense in a security product)... The default behavior of the library is to negotiate... Adding
# Force Kerberos instead of letting Negotiate fall back to NTLM
$connLmk.AuthType = 'Kerberos'
reproduced the error we were seeing in the Sensor logs. So now the question was why Kerberos was not working over the trust, which was up and valid and working fine with NTLM... After reading a lot I decided to take a shortcut and changed the trust type to a Forest Trust because in my case the trusted domain was a single-domain forest, so no real difference.
Once I made that change both my repo and the sensor started working.
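The repro above can be turned into a small diagnostic that binds to the trusted domain once with Negotiate and once with Kerberos, reports which one fails and why, and then dumps the trust attributes that matter for cross-forest Kerberos. This is an added example, not the poster's script; the domain name is a placeholder, the LDAP port is assumed to be 389, and the trust lookup assumes the RSAT ActiveDirectory module is installed:

```powershell
# Added example: compare Negotiate and Kerberos LDAP binds over a trust, then
# show the trust attributes. Not the original poster's code.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapBind {
    param(
        [string]$Server,                                       # DNS name of the trusted domain
        [System.Net.NetworkCredential]$NetCred,                # account in the trusted domain
        [System.DirectoryServices.Protocols.AuthType]$AuthType # Negotiate, Kerberos, Ntlm, ...
    )
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, 389)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.AuthType = $AuthType
    # Request signing and sealing, as a security product talking LDAP would
    $conn.SessionOptions.Signing = $true
    $conn.SessionOptions.Sealing = $true
    try {
        $conn.Bind($NetCred)
        $result = 'OK'; $message = $null
    } catch {
        # LdapException carries the server-side reason; keep the innermost message
        $result  = 'FAILED'
        $inner   = $_.Exception.InnerException
        $message = if ($inner) { $inner.Message } else { $_.Exception.Message }
    } finally {
        $conn.Dispose()
    }
    [pscustomobject]@{ Server = $Server; AuthType = $AuthType; Result = $result; Error = $message }
}

# Placeholder trusted domain; replace with the real DNS name of the trusted domain
$trustedDomain = 'trusted.example.com'
$netCred = (Get-Credential -Message "Account in $trustedDomain").GetNetworkCredential()

$results = foreach ($auth in 'Negotiate', 'Kerberos') {
    Test-LdapBind -Server $trustedDomain -NetCred $netCred -AuthType $auth
}
$results | Format-Table -AutoSize

# Negotiate OK but Kerberos FAILED points at the trust rather than the network:
# check direction, transitivity and whether it is a forest or external trust.
if (Get-Command Get-ADTrust -ErrorAction SilentlyContinue) {
    Get-ADTrust -Filter "Target -eq '$trustedDomain'" |
        Select-Object Name, Direction, TrustType, ForestTransitive, IntraForest, UsesAESKeys
}
```

Run it from the sensor host in the local forest as a user who can reach the trusted domain. If the Negotiate row succeeds while the Kerberos row fails, Negotiate was silently falling back to NTLM, which is exactly what the sensor's Kerberos-only bind cannot do; the Get-ADTrust output then shows whether the trust is an external (non-transitive) trust rather than a forest trust.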
Hi,
Sounds like it might be either a trust or a networking issue. Have you checked the guidance on https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-multi-forest, including the ports that must be opened?
This is not a standalone sensor, so network and ports are not relevant. A trust issue is my suspicion, which is why I included trust configuration details... Eli Ofek just replied with a more relevant response...