aaaaaaaanonymous
Copper Contributor
Nov 16, 2020

Azure ATP - AD gMSA service accounts to sensor affinity or lack of?

Hi

We have multiple domains and are using gMSA. MS advises there is a limitation on sharing a gMSA across domains. As a result, each domain's sensor will use its own domain's gMSA account. We have 5 domains, so we created 5 gMSAs. We have seen in the DC logs where a sensor from a different domain is unable to retrieve the gMSA password of an account from a different domain, which is expected as it is not in the gMSA group. These events are registered in the DCs' event log and can flood the logs.

Is there a way to tell each sensor to use a particular gMSA instead of cycling through the list of 5 and generating unnecessary events on the DC?

  • aaaaaaaanonymous, if all 5 domains have full trust, you can use a single gMSA account for all domains; you just need to give all the relevant DCs permissions to get the gMSA password. It should work, will be easier to manage, and you won't see those failures.

    Sadly there is no way to lock down a sensor to specific credentials manually;

    a sensor will lock itself down to a set of working credentials automatically once it's running.

    •
      aaaaaaaanonymous
      Copper Contributor

      EliOfek, thanks for your reply. Yes, full trust exists: 1 root and 4 child. So are you saying that if I add my sensor DCs from the various domains into one group that is PrincipalsAllowedToRetrieveManagedPassword for 1 gMSA, then it should work?

      My testing of multiple DC sensor servers from different domains in one group using 1 gMSA: when running Install-ADServiceAccount or Test-ADServiceAccount, it results in errors. Is this the fault of the above 2 commands, where they only send requests to their own domain controllers, while the ATP sensor is smart enough to seek beyond its domain?

      •
        EliOfek
        Microsoft

        aaaaaaaanonymous
        Indeed, in our lab Test-ADServiceAccount will also only work in the same domain, but the sensor still works across the forest if permissions were set correctly. I suggest you try it.
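The setup EliOfek suggests (one gMSA whose password every sensor DC in the forest may retrieve) looks roughly like the following. This is an added example, not code from the thread or from Microsoft; the forest name, OU path, group name, gMSA name and DC names are placeholders, and it assumes the KDS root key already exists (it must, since the domains already use gMSAs) and that the account running it has rights in the root domain.

```powershell
# Added example: one gMSA shared by Azure ATP / MDI sensor DCs in all domains
# of a fully trusted forest. All names below are assumptions, not real values.
Import-Module ActiveDirectory

$forestRoot = 'corp.example'                              # assumed forest root DNS name
$groupPath  = 'OU=Security Groups,DC=corp,DC=example'     # assumed OU for the group
$groupName  = 'MDI-Sensor-DCs'                            # assumed group name
$gmsaName   = 'gMSA-MDISensor'                            # assumed gMSA name (<= 15 chars)

# A universal security group can contain computer accounts from every domain
# in the forest; a global group can only hold members of its own domain.
New-ADGroup -Name $groupName -GroupScope Universal -GroupCategory Security `
    -Path $groupPath -Server $forestRoot

# Sensor DCs, one or more per domain (constructed placeholder list).
$sensorDCs = @(
    @{ Name = 'ROOTDC01';   Domain = 'corp.example' },
    @{ Name = 'CHILD1DC01'; Domain = 'child1.corp.example' },
    @{ Name = 'CHILD2DC01'; Domain = 'child2.corp.example' }
)

# Look each computer account up in its home domain, then add it to the group
# held in the root domain.
foreach ($dc in $sensorDCs) {
    $computer = Get-ADComputer -Identity $dc.Name -Server $dc.Domain
    Add-ADGroupMember -Identity $groupName -Members $computer -Server $forestRoot
}

# Create the gMSA in the root domain; only members of the group may retrieve
# its managed password, which is the permission the sensor needs.
New-ADServiceAccount -Name $gmsaName `
    -DNSHostName "$gmsaName.$forestRoot" `
    -PrincipalsAllowedToRetrieveManagedPassword $groupName `
    -Server $forestRoot

# As noted in the thread, Test-ADServiceAccount succeeds only on a DC in the
# gMSA's own domain. On a child-domain DC a $false here does not by itself
# mean the sensor cannot retrieve the password.
Test-ADServiceAccount -Identity $gmsaName
```

Group membership is carried in the DC's own Kerberos ticket, so after adding a DC to the group its computer account needs a fresh ticket (reboot, or purge the machine ticket cache) before the password retrieval will succeed; until then the same "unable to retrieve the gMSA password" events the original post describes will keep appearing for that DC. Once the sensor has successfully used the shared gMSA, it should stop cycling through the other credentials, which is what removes the noise from the DC event logs.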
