Forum Discussion
Azure ATP Service Fails to Start
Hi Everyone,
I'm deploying Azure ATP with a client and we have installed a standalone sensor. The Azure ATP service tries to start and then stops. We're seeing an error stating "Sequence contains no elements". Attached is a screenshot of the errors. Has anyone seen this error before? Any guidance is appreciated. Thanks!
12 Replies
- nomeara
Copper Contributor
I'd like to add to this thread, I'm seeing seemingly the exact same error when deploying to production.
For context, we deployed to a test environment (each environment looks like: Two forests, primary forest has company.com and two child.company.com domains, second forest has an external trust) with only a single account in the primary child domain, and that worked fine.
However, when trying to install a standalone sensor, I get the same error as in the first screenshot here:
2019-07-03 18:30:29.2434 Error Enumerable System.InvalidOperationException: Sequence contains no elements
   at TSource System.Linq.Enumerable.First<TSource>(IEnumerable<TSource> source)
   at void Microsoft.Tri.Sensor.DomainNetworkCredentialsManager.UpdateConfigurations(ConfigurationCollection configurations)
   at Func<Task> Microsoft.Tri.Infrastructure.ActionExtension.ToAsyncFunction(Action action)+(TItem _) => { }
   at async Task Microsoft.Tri.Infrastructure.ConfigurationManager.RegisterConfigurationAsync(Func<ConfigurationCollection, Task> onConfigurationsUpdateAsync, Type[] configurationTypes)
   at void Microsoft.Tri.Infrastructure.TaskExtension.Await(Task task)
   at new Microsoft.Tri.Sensor.DomainNetworkCredentialsManager(IConfigurationManager configurationManager)
   at object lambda_method(Closure, object[])
   at object Autofac.Core.Activators.Reflection.ConstructorParameterBinding.Instantiate()
   at void Microsoft.Tri.Infrastructure.ModuleManager.AddModules(Type[] moduleTypes)
   at ModuleManager Microsoft.Tri.Sensor.SensorService.CreateModuleManager()
   at async Task Microsoft.Tri.Infrastructure.Service.OnStartAsync()
   at void Microsoft.Tri.Infrastructure.TaskExtension.Await(Task task)
   at void Microsoft.Tri.Infrastructure.Service.OnStart(string[] args)
We have the account for both the child.testcompany.com and child.company.com domains listed in the ATP domain services config.
According to https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-multi-forest:
- Add credentials on the Directory services page for all forests in your environment.
- One credential is required per forest with two-way trust.
- Additional credentials are required for each forest with non-Kerberos trust or no trust.
If I'm reading this right, we should only need two credentials per environment. One for the primary forest 'company.com' and its child domains, as well as one for the external trusted domain?
If I have all that right, I'm wondering two things:
- Why this worked in test?
- The only difference is that we started with the Domain controller sensors in test, but in prod we are installing a standalone sensor to start with. We do not have a standalone sensor in test.
- How are you supposed to configure this if you have external trusts to forests you don't have any control over, and can't create an account in?
- EliOfek
Microsoft
For the standalone one, did you configure it as to which mirrored DC it is monitoring?
While integrated is auto-configured, in standalone you need to manually configure.
Just wanted to make sure the basics are correct.
If you have a forest with an external trust only, and no read only account there, you can't monitor it...
But how could you anyway? I am guessing you can't install a sensor there ...
Or maybe I misunderstood what you are after?
- nomeara
Copper Contributor
Thanks for the quick reply.
We have not configured it to mirror any DCs.
1: The instructions show that step as after this step, and we are not even getting the service to start, which appears to be expected before configuring the mirroring settings.
2: This particular sensor is being installed to accept VPN accounting logs via RADIUS, not to mirror a domain controller. Is this not a supported configuration? We will be installing sensors on the DCs separately for monitoring them.
- Add credentials on the Directory services page for all forests in your environment.
- EliOfek
Microsoft
meliss0215, you most likely missed this step in the system configuration:
https://docs.microsoft.com/en-us/azure-advanced-threat-protection/install-atp-step2
so the sensor does not have the needed info to start properly.
- meliss0215
Copper Contributor
Thanks EliOfek for the advice! We did configure a username and password to connect to AD, but I will double check this again. I did see another post where you mentioned there could be either a missing or duplicate NTDS settings record for a similar error. Would this be something to look at too? I didn't see any documentation indicating this may cause an issue for Azure ATP.
- EliOfek
Microsoft
No, NTDS setting is a different call stack. I don't think it's related here.
How many credentials did you provide in the mentioned step? Do you have coverage with these credentials to cover all the domains/forests which might not be working with full trust?