Forum Discussion
Azure ATP Service Account getting locked out
The sensor is using those credentials for various scenarios: for authentication, for LDAP, for name resolution, for lateral movement mapping...
The thing is that if one of the sensors was using a wrong password, it should have failed starting...
Are you using just a single set of credentials?
Idea:
Create a new set of credentials for AATP, and replace them in the portal.
Make sure not to disclose the credentials to anyone else.
After all sensors get synced with the new credentials, unlock the old account and see if it still locks out.
If it does, there is something other than AATP that is trying (and failing) to use this account, and you might want to trace who it is by increasing auditing in the DC.
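One way to do the tracing suggested above, as an added example that is not part of the thread: read the lockout events (ID 4740) from the PDC emulator, which receives a copy of every lockout in the domain, and group them by the computer that sent the bad credentials. The function name, the `svc-aatp-placeholder` account and the 24-hour window are assumptions; the script needs the RSAT ActiveDirectory module and read access to the DC's Security log.

```powershell
# Added example (not from the thread): list which computers are triggering
# lockouts of a given account, read from the PDC emulator's Security log.
function Get-LockoutSources {
    param(
        [Parameter(Mandatory)][string]$AccountName,   # sAMAccountName of the locked account
        [int]$Hours = 24                              # how far back to search
    )
    # Every lockout in the domain is chained to the PDC emulator, so one DC is enough.
    $pdc = (Get-ADDomain).PDCEmulator
    $filter = @{
        LogName   = 'Security'
        Id        = 4740                              # "A user account was locked out"
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction Stop |
        ForEach-Object {
            # Parse the EventData fields by name rather than by position.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            # In a 4740 event the TargetDomainName field carries the
            # "Caller Computer Name": the machine that presented the credentials.
            [pscustomobject]@{
                Time             = $_.TimeCreated
                LockedAccount    = $data['TargetUserName']
                CallerComputer   = $data['TargetDomainName']
                DomainController = $_.MachineName
            }
        } |
        Where-Object { $_.LockedAccount -ieq $AccountName } |
        Group-Object CallerComputer |
        Sort-Object Count -Descending |
        Select-Object Count, @{ n = 'CallerComputer'; e = { $_.Name } }
}

# Usage: replace the placeholder with the AATP service account's sAMAccountName.
Get-LockoutSources -AccountName 'svc-aatp-placeholder' -Hours 24
```

If the top caller is one of the DCs running a sensor, that sensor is the one worth inspecting; if it is some other host, the account is also in use outside AATP.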
- Robren (Oct 03, 2019, Copper Contributor)
EliOfek I uninstalled the agent on each DC and then reinstalled it. The account got locked out again using the new account. I checked the error log on the offending agent, and this is what it showed:
2019-10-03 17:55:08.1794 Error DomainNetworkCredentialsManager GetInternal failed [domainName=med]
Our domain name in the Azure ATP portal on the Directory Services tab is not "med". It is "domainname.med".
- EliOfek (Oct 03, 2019, Microsoft)
Robren, if this error was produced after the account lockout it is expected I guess.
Do you have only one domain, or is it a forest where med is the parent domain?
AATP will try to traverse all the domains in the forest, not just the domain of the AATP account you provided.
- Robren (Oct 03, 2019, Copper Contributor)
EliOfek thanks for the idea. I tried it, and it didn't work. I created a brand new account, put it in the portal, and a few hours later the new account locked out. I will also note that the old account, which is no longer associated with the ATP console, did NOT lock out.
Is there a way to figure out which Azure ATP agent install is the cause?
Thank you,
Robert
- EliOfek (Oct 03, 2019, Microsoft)
Robren, well, that eliminates any 3rd party action here...
First time I see this kind of outcome.
Are you aware of any special / non standard lockout policy in the forest?
It's weird, because if these are the only credentials you provided to AATP and did not put them anywhere else, then the sensor used them without problems if you see them all running.
If the password would fail, the sensor would not be able to start...
so I am guessing it is getting locked out because of a specific action it does (which is not a wrong password).
Can you share your workspace id (in text format) in a private message? I will try to see if I can find any clues in telemetry from this deployment.
My best suggestion at this point is to check for any special lockout policy besides failed logon attempts.
Also, if you search the new account in the AATP portal and go to its logical activities page, do you see any alerts on this account? Any significant logical activities that look odd (besides the lockout, which should also appear there)?
Just to make sure: once the account is locked out, the sensors fail, correct?