Forum Discussion
Azure ATP Service Fails to Start
I'd like to add to this thread, I'm seeing seemingly the exact same error when deploying to production.
For context, we deployed to a test environment (each environment looks like: Two forests, primary forest has company.com and two child.company.com domains, second forest has an external trust) with only a single account in the primary child domain, and that worked fine.
However, when trying to install a standalone sensor, I get the same error as in the first screenshot here:
2019-07-03 18:30:29.2434 Error Enumerable System.InvalidOperationException: Sequence contains no elements
at TSource System.Linq.Enumerable.First<TSource>(IEnumerable<TSource> source)
at void Microsoft.Tri.Sensor.DomainNetworkCredentialsManager.UpdateConfigurations(ConfigurationCollection configurations)
at Func<Task> Microsoft.Tri.Infrastructure.ActionExtension.ToAsyncFunction(Action action)+(TItem _) => { }
at async Task Microsoft.Tri.Infrastructure.ConfigurationManager.RegisterConfigurationAsync(Func<ConfigurationCollection, Task> onConfigurationsUpdateAsync, Type[] configurationTypes)
at void Microsoft.Tri.Infrastructure.TaskExtension.Await(Task task)
at new Microsoft.Tri.Sensor.DomainNetworkCredentialsManager(IConfigurationManager configurationManager)
at object lambda_method(Closure, object[])
at object Autofac.Core.Activators.Reflection.ConstructorParameterBinding.Instantiate()
at void Microsoft.Tri.Infrastructure.ModuleManager.AddModules(Type[] moduleTypes)
at ModuleManager Microsoft.Tri.Sensor.SensorService.CreateModuleManager()
at async Task Microsoft.Tri.Infrastructure.Service.OnStartAsync()
at void Microsoft.Tri.Infrastructure.TaskExtension.Await(Task task)
at void Microsoft.Tri.Infrastructure.Service.OnStart(string[] args)
We have the account for both the child.testcompany.com and child.company.com domains listed in the ATP domain services config.
According to https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-multi-forest:
- Add credentials on the Directory services page for all forests in your environment.
- One credential is required per forest with two-way trust.
- Additional credentials are required for each forest with non-Kerberos trust or no trust.
If I'm reading this right, we should only need two credentials per environment. One for the primary forest 'company.com' and its child domains, as well as one for the external trusted domain?
If I have all that right, I'm wondering two things:
- Why this worked in test?
- The only difference is that we started with the Domain controller sensors in test, but in prod we are installing a standalone sensor to start with. We do not have a standalone sensor in test.
- How are you supposed to configure this if you have external trusts to forests you don't have any control over, and can't create an account in?
EliOfek, Jul 03, 2019, Microsoft
For the standalone one, did you configure which mirrored DC it is monitoring?
While integrated is auto-configured, in standalone you need to configure it manually.
Just wanted to make sure the basics are correct.
If you have a forest with an external trust only, and no read only account there, you can't monitor it...
But how could you anyway? I am guessing you can't install a sensor there ...
Or maybe I misunderstood what you are after?
nomeara, Jul 03, 2019, Copper Contributor
Thanks for the quick reply.
We have not configured it to mirror any DCs.
1: The instructions show that step as after this step, and we are not even getting the service to start, which appears to be expected before configuring the mirroring settings.
2: This particular sensor is being installed to accept VPN accounting logs via RADIUS, not to mirror a domain controller. Is this not a supported configuration? We will be installing sensors on the DCs separately for monitoring them.
EliOfek, Jul 03, 2019, Microsoft
nomeara, a standalone Gateway that monitors no DC is not a supported scenario.
It needs at least one DC to monitor, or else it will keep restarting and failing with a call stack similar to this:
2019-07-03 20:48:45.4181 5656 5 Error [DirectoryServicesClient+<OnInitializeAsync>d__14] Microsoft.Tri.Infrastructure.Utils.ExtendedException: Domain controllers are not configured
at async Microsoft.Tri.Gateway.Resolution.DirectoryServices.DirectoryServicesClient.OnInitializeAsync(?)
at async Microsoft.Tri.Infrastructure.Framework.Module.InitializeAsync(?)
at async Microsoft.Tri.Infrastructure.Framework.ModuleManager.OnInitializeAsync(?)
at async Microsoft.Tri.Infrastructure.Framework.Module.InitializeAsync(?)
at async Microsoft.Tri.Infrastructure.Framework.Service.OnStartAsync(?)
at Microsoft.Tri.Infrastructure.Framework.Service.OnStart(String[] args)
Although it's not the stack you have seen, so I guess you have some kind of additional issue there, but even if you go past that, you will get stuck on the above issue, so save your time and don't try it...
Your options are either to route the VPN traffic to one of the integrated sensors, or to monitor one of the DCs using port mirroring and a standalone sensor; those are the only supported scenarios, at least for now.
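As an added example (not code from the thread or from Microsoft), here is a small triage script that groups Azure ATP sensor log entries into header-plus-stack-frame blocks and maps the two stack signatures quoted above to the explanations given in this thread. The log lines are constructed to mirror the two quoted formats; the mapping of the DomainNetworkCredentialsManager stack to a credential-configuration problem is an assumption drawn from the stack, not something the thread confirms.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample modelled on the two stacks quoted in the thread
# (the second one is collapsed onto a single line, as it appeared in the post).
SAMPLE_LOG = """\
2019-07-03 18:30:29.2434 Error Enumerable System.InvalidOperationException: Sequence contains no elements
at TSource System.Linq.Enumerable.First<TSource>(IEnumerable<TSource> source)
at void Microsoft.Tri.Sensor.DomainNetworkCredentialsManager.UpdateConfigurations(ConfigurationCollection configurations)
2019-07-03 20:48:45.4181 5656 5 Error [DirectoryServicesClient+<OnInitializeAsync>d__14] Microsoft.Tri.Infrastructure.Utils.ExtendedException: Domain controllers are not configured at async Microsoft.Tri.Gateway.Resolution.DirectoryServices.DirectoryServicesClient.OnInitializeAsync(?)
2019-07-03 20:48:46.0000 5656 5 Info [Service] started
"""

# Entry header: timestamp, optional process/thread ids, level, remainder of the line.
HEADER = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)"
    r"(?:\s+\d+\s+\d+)?\s+(?P<level>Error|Warn|Info|Debug)\s+(?P<rest>.*)$"
)

# Known signatures from this thread and the explanation given (or assumed) for each.
SIGNATURES = [
    ("Domain controllers are not configured",
     "standalone sensor with no monitored DC (unsupported; configure at least one DC)"),
    ("DomainNetworkCredentialsManager",
     "credential configuration lookup failed (assumption: check Directory services credentials per forest)"),
]

@dataclass
class Finding:
    timestamp: str
    exception: Optional[str]
    cause: str

def triage(log_text: str) -> list[Finding]:
    """Group lines into entries (header plus following 'at ...' frames) and classify Error entries."""
    entries, current = [], None
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {"ts": m["ts"], "level": m["level"], "text": m["rest"]}
            entries.append(current)
        elif current is not None:
            current["text"] += "\n" + line  # stack-frame continuation line
    findings = []
    for e in entries:
        if e["level"] != "Error":
            continue
        exc = re.search(r"([\w.]+Exception):", e["text"])
        cause = next((c for sig, c in SIGNATURES if sig in e["text"]), "unknown; inspect full stack")
        findings.append(Finding(e["ts"], exc.group(1) if exc else None, cause))
    return findings
```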