Forum Discussion
Azure ATP Service Account getting locked out
The sensor is using those credentials for various scenarios for authentication, for LDAP, for name resolution, for lateral movement mapping...
The thing is that if one of the sensors was using a wrong password, it should have failed starting...
Are you using just a single set of credentials?
Idea:
Create a new set of credentials for AATP, and replace them in the portal.
Make sure not to disclose the credentials to anyone else.
After all sensors get synced with the new credentials, unlock the old account and see if it still locks out.
If it does, there is something other than AATP that is trying (and failing) to use this account, and you might want to trace who it is by increasing auditing in the DC.
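One way to do the tracing suggested in the post above, as an added example that is not part of the thread or from any participant. It reads the Security log on a domain controller for the lockout event (4740) and the failed-authentication events (4771, 4776) that name the account, then counts attempts per source. The account name `svc-aatp` and the 24-hour window are placeholders, and it assumes `TargetUserName` holds the bare account name in all three events.

```powershell
# Added example (not from the thread). Run in an elevated session on a domain controller.
$Account = 'svc-aatp'                  # placeholder: sAMAccountName of the locked-out account
$Since   = (Get-Date).AddHours(-24)    # placeholder: look-back window

# Audit subcategories that must be enabled for these events to be logged on this DC:
# auditpol /set /subcategory:"User Account Management" /success:enable
# auditpol /set /subcategory:"Kerberos Authentication Service" /failure:enable
# auditpol /set /subcategory:"Credential Validation" /failure:enable

# EventData field that names the source of the attempt, per event ID.
$SourceField = @{
    4740 = 'TargetDomainName'   # account locked out: this field holds the caller computer name
    4771 = 'IpAddress'          # Kerberos pre-authentication failed
    4776 = 'Workstation'        # NTLM credential validation failed
}

$filter = @{ LogName = 'Security'; Id = 4740, 4771, 4776; StartTime = $Since }

$hits = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    # Flatten <EventData><Data Name="...">value</Data> into a name -> value table.
    $data = @{}
    foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
        $data[$d.GetAttribute('Name')] = $d.InnerText
    }
    if ($data['TargetUserName'] -eq $Account) {   # -eq is case-insensitive for strings
        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            Source  = $data[$SourceField[$_.Id]]
            Status  = $data['Status']             # failure code; not present on 4740
            DC      = $_.MachineName
        }
    }
}

# Timeline first, then a count per source host or address.
$hits | Sort-Object Time | Format-Table -AutoSize
$hits | Group-Object Source | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

A source that is not a domain controller running the sensor points at something other than AATP using the account.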
EliOfek, I uninstalled the agent on each DC and then reinstalled it. The account got locked out again using the new account. I checked the error log on the offending agent, and this is what it showed:
2019-10-03 17:55:08.1794 Error DomainNetworkCredentialsManager GetInternal failed [domainName=med]
Our domain name in the Azure ATP portal on the Directory Services tab is not "med". It is "domainname.med".
- EliOfek, Oct 03, 2019
Microsoft
Robren, if this error was produced after the account lockout, it is expected I guess.
Do you have only one domain? Or is it a forest where med is the parent domain?
AATP will try to traverse all the domains in the forest, not just the domain of the AATP account you provided.