BC-ITGuy
Nov 16, 2022

Azure Advanced Threat Protection service failing to start after installing November MS Patches

Azure Advanced Threat Protection service failing to start after installing November MS Patches:

 

** .NET CU - KB5020627 - November 8, 2022-KB5020627 Cumulative Update for .NET Framework 3.5 and 4.7.2 for Windows 10, version 1809 and Windows Server 2019
** WINDOWS 2019 OS CU - KB5019966 - Cumulative Update for Windows Server 2019 for x64-based Systems (KB5019966)

 

Here's the error from the "C:\Program Files\Azure Advanced Threat Protection Sensor\2.193.15824.20477\Logs\Microsoft.Tri.Sensor.log" log:

 

2022-11-16 07:09:38.0502 Info RemoteImpersonationManager CreateImpersonatorInternalAsync started [UserName=%OURGMSA% Domain=%SOMEDOMAIN% IsGroupManagedServiceAccount=True]
2022-11-16 07:09:38.0658 Info RemoteImpersonationManager GetGroupManagedServiceAccountTokenAsync finished [UserName=%OURGMSA% Domain=%SOMEDOMAIN% IsSuccess=False]
2022-11-16 07:09:38.0658 Info RemoteImpersonationManager CreateImpersonatorInternalAsync finished [UserName=%OURGMSA% Domain=%SOMEDOMAIN%]
2022-11-16 07:09:38.0814 Warn DirectoryServicesClient CreateLdapConnectionAsync failed to retrieve group managed service account password. [DomainControllerDnsName=%DOMAINCONTROLLER01%.%SOMEDOMAIN% Domain=%SOMEDOMAIN% UserName=%OURGMSA% ]
2022-11-16 07:09:38.0970 Info DirectoryServicesClient CreateLdapConnectionAsync failed to connect [DomainControllerDnsName=%DOMAINCONTROLLER01%.%SOMEDOMAIN% Domain=s%SOMEOTHERDOMAIN% UserName=%SOMESERVICEACCOUNT% ResultCode=82]
2022-11-16 07:09:38.0970 Info DirectoryServicesClient CreateLdapConnectionAsync failed to connect [DomainControllerDnsName=%DOMAINCONTROLLER01%.%SOMEDOMAIN% Domain=%ANOTHERDOMAIN% UserName=%SOMESERVICEACCOUNT% ResultCode=82]
2022-11-16 07:09:38.1126 Info DirectoryServicesClient CreateLdapConnectionAsync failed to connect [DomainControllerDnsName=%DOMAINCONTROLLER01%.%SOMEDOMAIN% Domain=%YETANOTHERDOMAIN% UserName=%SOMESERVICEACCOUNT% ResultCode=82]
2022-11-16 07:09:38.1126 Info RemoteImpersonationManager CreateImpersonatorInternalAsync started [UserName=%SOMEOTHERGMSA% Domain=%SOMEOTHERDOMAIN% IsGroupManagedServiceAccount=True]
2022-11-16 07:09:53.1035 Info RemoteImpersonationManager GetGroupManagedServiceAccountTokenAsync finished [UserName=%SOMEOTHERGMSA% Domain=%SOMEOTHERDOMAIN% IsSuccess=False]
2022-11-16 07:09:53.1035 Info RemoteImpersonationManager CreateImpersonatorInternalAsync finished [UserName=%SOMEOTHERGMSA% Domain=%SOMEOTHERDOMAIN%]
2022-11-16 07:09:53.1035 Warn DirectoryServicesClient CreateLdapConnectionAsync failed to retrieve group managed service account password. [DomainControllerDnsName=%DOMAINCONTROLLER01%.%SOMEDOMAIN% Domain=%SOMEOTHERDOMAIN% UserName=%SOMEOTHERGMSA% ]
2022-11-16 07:09:53.1035 Info DirectoryServicesClient CreateLdapConnectionAsync failed to connect [DomainControllerDnsName=%DOMAINCONTROLLER01%.%SOMEDOMAIN% Domain=%YETYETANOTHERDOMAIN% UserName=svc-prod-azureatp ResultCode=82]
2022-11-16 07:09:53.1035 Info DirectoryServicesClient CreateLdapConnectionAsync failed to connect [DomainControllerDnsName=%DOMAINCONTROLLER01%.%SOMEDOMAIN% Domain=%YETYETYETANOTHERDOMAIN%UserName=svc-ATP ResultCode=82]
2022-11-16 07:09:53.1192 Info DirectoryServicesClient CreateLdapConnectionAsync failed to connect [DomainControllerDnsName=%DOMAINCONTROLLER01%.%SOMEDOMAIN% Domain=%YETYETYETYETANOTHERDOMAIN% UserName=%ANOTHERSOMESERVICEACCOUNT% ResultCode=82]
2022-11-16 07:09:53.1192 Info DirectoryServicesClient CreateLdapConnectionAsync failed to connect [DomainControllerDnsName=%DOMAINCONTROLLER01%.%SOMEDOMAIN% Domain=%YETYETYETYETYETANOTHERDOMAIN% UserName=%SOMESERVICEACCOUNT% ResultCode=82]
2022-11-16 07:09:53.1192 Info DirectoryServicesClient CreateLdapConnectionAsync failed to connect [DomainControllerDnsName=%DOMAINCONTROLLER01%.%SOMEDOMAIN% Domain=%YETYETYETYETYETANOTHERDOMAIN% UserName=%SOMESERVICEACCOUNT% ResultCode=82]
2022-11-16 07:09:53.1348 Info DirectoryServicesClient CreateLdapConnectionAsync failed to connect [DomainControllerDnsName=%DOMAINCONTROLLER01%.%SOMEDOMAIN% Domain=%YETYETYETYETYETYETANOTHERDOMAIN%UserName=%SOMESERVICEACCOUNT% ResultCode=82]
2022-11-16 07:09:54.2441 Error DirectoryServicesClient+<CreateLdapConnectionAsync>d__47 Microsoft.Tri.Infrastructure.ExtendedException: CreateLdapConnectionAsync failed [DomainControllerDnsName=%DOMAINCONTROLLER01%.%SOMEDOMAIN%]
at async Task<LdapConnection> Microsoft.Tri.Sensor.DirectoryServicesClient.CreateLdapConnectionAsync(DomainControllerConnectionData domainControllerConnectionData, bool isGlobalCatalog, bool isTraversing)
at async Task<bool> Microsoft.Tri.Sensor.DirectoryServicesClient.TryCreateLdapConnectionAsync(DomainControllerConnectionData domainControllerConnectionData, bool isGlobalCatalog, bool isTraversing)
2022-11-16 07:09:54.2754 Error DirectoryServicesClient Microsoft.Tri.Infrastructure.ExtendedException: Failed to communicate with configured domain controllers [ _domainControllerConnectionDatas=%DOMAINCONTROLLER01%.%SOMEDOMAIN%]
at new Microsoft.Tri.Sensor.DirectoryServicesClient(IConfigurationManager configurationManager, IDirectoryServicesDomainNetworkCredentialsManager domainNetworkCredentialsManager, IDomainTrustMappingManager domainTrustMappingManager, IRemoteImpersonationManager remoteImpersonationManager, IMetricManager metricManager, IWorkspaceApplicationSensorApiJsonProxy workspaceApplicationSensorApiJsonProxy)
at object lambda_method(Closure, object[])
at object Autofac.Core.Activators.Reflection.ConstructorParameterBinding.Instantiate()
at void Microsoft.Tri.Infrastructure.ModuleManager.AddModules(Type[] moduleTypes)
at new Microsoft.Tri.Sensor.SensorModuleManager()
at ModuleManager Microsoft.Tri.Sensor.SensorService.CreateModuleManager()
at async Task Microsoft.Tri.Infrastructure.Service.OnStartAsync()
at void Microsoft.Tri.Infrastructure.TaskExtension.Await(Task task)

 

FYI:


Following this document, we confirmed that the gMSA is set up correctly.

https://learn.microsoft.com/en-us/defender-for-identity/troubleshooting-known-issues#sensor-failed-to-retrieve-group-managed-service-account-gmsa-credentials

 

Again, this all started after patching and rebooting.

 

Is this a known issue with the Nov patches?

 

Any assistance on this is greatly appreciated!
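
Added example, not part of the original post and not a Microsoft tool: a small Python triage script that reads Microsoft.Tri.Sensor.log lines in the layout quoted above and lists which gMSA accounts failed credential retrieval, which accounts failed the LDAP connection (with their ResultCode), and the fatal errors. The field layout is inferred from the quoted lines, and the sample lines and account, domain and host names are constructed.

```python
import re
from collections import Counter

# Layout inferred from the log lines quoted in the post (an assumption, not a
# documented format): "<date> <time> <Level> <Component> <message> [Key=Value ...]"
LINE_RE = re.compile(r"^\S+ \S+ (Info|Warn|Error) (\S+) (.*)$")
BRACKET_RE = re.compile(r"\[(.*)\]\s*$")
KV_RE = re.compile(r"(\w+)=(\S+)")  # values in the quoted lines contain no spaces
# ResultCode 82 is LDAP_LOCAL_ERROR (0x52) in the Windows LDAP client API.

# Constructed sample lines (names are placeholders, not taken from the post).
SAMPLE = """\
2022-11-16 07:09:38.0658 Info RemoteImpersonationManager GetGroupManagedServiceAccountTokenAsync finished [UserName=gmsa-mdi Domain=corp.example IsSuccess=False]
2022-11-16 07:09:38.0814 Warn DirectoryServicesClient CreateLdapConnectionAsync failed to retrieve group managed service account password. [DomainControllerDnsName=dc01.corp.example Domain=corp.example UserName=gmsa-mdi ]
2022-11-16 07:09:38.0970 Info DirectoryServicesClient CreateLdapConnectionAsync failed to connect [DomainControllerDnsName=dc01.corp.example Domain=child.example UserName=svc-mdi ResultCode=82]
2022-11-16 07:09:54.2754 Error DirectoryServicesClient Microsoft.Tri.Infrastructure.ExtendedException: Failed to communicate with configured domain controllers [ _domainControllerConnectionDatas=dc01.corp.example]
   at new Microsoft.Tri.Sensor.SensorModuleManager()
""".splitlines()


def parse_line(line):
    """Return (level, component, message, fields), or None for stack-trace lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    level, component, rest = m.groups()
    b = BRACKET_RE.search(rest)
    fields = dict(KV_RE.findall(b.group(1))) if b else {}
    message = rest[: b.start()].strip() if b else rest.strip()
    return level, component, message, fields


def triage(lines):
    """Summarise gMSA credential failures, LDAP connect failures and fatal errors."""
    gmsa_failed, ldap_failures, fatal = set(), Counter(), []
    for line in lines:
        if (parsed := parse_line(line)) is None:
            continue
        level, _component, message, f = parsed
        token_failed = ("GetGroupManagedServiceAccountTokenAsync finished" in message
                        and f.get("IsSuccess") == "False")
        if token_failed or "failed to retrieve group managed service account password" in message:
            gmsa_failed.add((f.get("Domain"), f.get("UserName")))
        elif "CreateLdapConnectionAsync failed to connect" in message:
            ldap_failures[(f.get("UserName"), f.get("ResultCode"))] += 1
        elif level == "Error":
            fatal.append(message)
    return {"gmsa_failed": sorted(gmsa_failed),
            "ldap_failures": dict(ldap_failures), "fatal": fatal}


if __name__ == "__main__":
    print(triage(SAMPLE))
```

Grouping the output this way separates accounts whose gMSA password could not be retrieved from accounts that only failed the LDAP connection, which is the first split to make when comparing a sensor before and after a patch cycle.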
