Forum Discussion
can't install AzureATP sensor on DC 2022, help with logs?
- May 17, 2022
For anyone who finds similar errors,
setting IIS Crypto to the "server defaults template" lets everything install properly and run correctly. Applying the IIS Crypto "best practice template" after installation re-breaks the sensor updater and causes Schannel errors in the event log.
Still trying to work out exactly what does/doesn't work in IIS Crypto, but can confirm it is now working using only TLS 1.0, 1.1 and 1.2 server/client protocols with all ciphers enabled.
The "best practices template" disables too much, but I haven't proved what exactly.
https://gist.github.com/gpduck/db4f984435744e7dde1d
PS C:\> Test-SslProtocols -ComputerName #############.atp.azure.com
ComputerName : ########hbschool.atp.azure.com
Port : 443
KeyLength : 2048
SignatureAlgorithm : sha384RSA
Ssl2 : False
Ssl3 : False
Tls : False
Tls11 : False
Certificate : [Subject]
CN=*.atp.azure.com, O=Microsoft Corporation, L=Redmond, S=WA, C=US
[Issuer]
CN=Microsoft Azure TLS Issuing CA 01, O=Microsoft Corporation, C=US
[Serial Number]
33003955D502CBC0B8A09DF0A10000003955D5
[Not Before]
28/04/2022 2:23:25 p.m.
[Not After]
23/04/2023 2:23:25 p.m.
[Thumbprint]
FFB8A618EA754DBD3BB88F842602A7EBFB6C6E97
Tls12 : True
Tls13 : False
can't see anything obviously wrong?
quote "Maybe run
netsh http add sslcert
slightly above my understanding I'm afraid,
netsh http show sslcert lists nothing on this server
although on a 2nd identical DC which fails installation the same
SSL Certificate bindings:
-------------------------
IP:port : 0.0.0.0:443
Certificate Hash : 69b8cf31d5320946304974a73499c8218bc5cb17
Application ID : {4dc3e181-e14b-4a21-b022-59fc669b0914}
Certificate Store Name : My
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Enabled
Negotiate Client Certificate : Disabled
Reject Connections : Disabled
Disable HTTP2 : Not Set
Disable QUIC : Not Set
Disable TLS1.2 : Not Set
Disable TLS1.3 : Not Set
Disable OCSP Stapling : Not Set
Enable Token Binding : Not Set
Log Extended Events : Not Set
Disable Legacy TLS Versions : Not Set
Enable Session Ticket : Not Set
Extended Properties:
PropertyId : 0
Receive Window : 1048576
Extended Properties:
PropertyId : 1
Max Settings Per Frame : 2796202
Max Settings Per Minute : 4294967295
Extended Properties:
PropertyId : 2
Extended Properties:
PropertyId : 3
Extended Properties:
PropertyId : 4
IP:port : 0.0.0.0:5050
Certificate Hash : 61c405a3f58e5732600e8ef74c30d51ba52bdb0b
Application ID : {2f529d74-9eef-495d-9154-769834491850}
Certificate Store Name : (null)
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled
Reject Connections : Disabled
Disable HTTP2 : Not Set
Disable QUIC : Not Set
Disable TLS1.2 : Not Set
Disable TLS1.3 : Not Set
Disable OCSP Stapling : Not Set
Enable Token Binding : Not Set
Log Extended Events : Not Set
Disable Legacy TLS Versions : Not Set
Enable Session Ticket : Not Set
Extended Properties:
PropertyId : 0
Receive Window : 1048576
Extended Properties:
PropertyId : 1
Max Settings Per Frame : 2796202
Max Settings Per Minute : 4294967295
Extended Properties:
PropertyId : 2
Extended Properties:
PropertyId : 3
Extended Properties:
PropertyId : 4
admin Administrator Can you add the output for:
netsh http show urlacl
- admin Administrator, May 08, 2022, Copper Contributor
C:\WINDOWS\system32>netsh http show urlacl
URL Reservations:
-----------------
Reserved URL : http://*:5357/
User: BUILTIN\Users
Listen: Yes
Delegate: No
User: NT AUTHORITY\LOCAL SERVICE
Listen: Yes
Delegate: No
SDDL: D:(A;;GX;;;BU)(A;;GX;;;LS)
Reserved URL : http://+:80/Temporary_Listen_Addresses/
User: \Everyone
Listen: Yes
Delegate: No
SDDL: D:(A;;GX;;;WD)
Reserved URL : https://*:5358/
User: BUILTIN\Users
Listen: Yes
Delegate: No
User: NT AUTHORITY\LOCAL SERVICE
Listen: Yes
Delegate: No
SDDL: D:(A;;GX;;;BU)(A;;GX;;;LS)
Reserved URL : https://+:443/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/
User: NT SERVICE\SstpSvc
Listen: Yes
Delegate: Yes
User: BUILTIN\Administrators
Listen: Yes
Delegate: Yes
User: NT AUTHORITY\SYSTEM
Listen: Yes
Delegate: Yes
SDDL: D:(A;;GA;;;S-1-5-80-3435701886-799518250-3791383489-3228296122-2938884314)(A;;GA;;;BA)(A;;GA;;;SY)
Reserved URL : http://+:10247/apps/
User: NT AUTHORITY\Authenticated Users
Listen: Yes
Delegate: No
SDDL: D:(A;;GX;;;AU)
Reserved URL : http://*:2869/
User: NT AUTHORITY\LOCAL SERVICE
Listen: Yes
Delegate: No
SDDL: D:(A;;GX;;;LS)
Reserved URL : http://+:10246/MDEServer/
User: NT AUTHORITY\Authenticated Users
Listen: Yes
Delegate: No
SDDL: D:(A;;GX;;;AU)
Reserved URL : https://+:5986/wsman/
User: NT SERVICE\WinRM
Listen: Yes
Delegate: No
User: NT SERVICE\Wecsvc
Listen: Yes
Delegate: No
SDDL: D:(A;;GX;;;S-1-5-80-569256582-2953403351-2909559716-1301513147-412116970)(A;;GX;;;S-1-5-80-4059739203-877974739-1245631912-527174227-2996563517)
Reserved URL : http://+:47001/wsman/
User: NT SERVICE\WinRM
Listen: Yes
Delegate: No
User: NT SERVICE\Wecsvc
Listen: Yes
Delegate: No
SDDL: D:(A;;GX;;;S-1-5-80-569256582-2953403351-2909559716-1301513147-412116970)(A;;GX;;;S-1-5-80-4059739203-877974739-1245631912-527174227-2996563517)
Reserved URL : http://+:5985/wsman/
User: NT SERVICE\WinRM
Listen: Yes
Delegate: No
User: NT SERVICE\Wecsvc
Listen: Yes
Delegate: No
SDDL: D:(A;;GX;;;S-1-5-80-569256582-2953403351-2909559716-1301513147-412116970)(A;;GX;;;S-1-5-80-4059739203-877974739-1245631912-527174227-2996563517)
Reserved URL : https://+:10245/WMPNSSv4/
User: NT SERVICE\WMPNetworkSvc
Listen: Yes
Delegate: No
SDDL: D:(A;;GX;;;S-1-5-80-2375682873-768044350-3534595160-1005545032-2873800392)
Reserved URL : http://+:10243/WMPNSSv4/
User: NT SERVICE\WMPNetworkSvc
Listen: Yes
Delegate: No
SDDL: D:(A;;GX;;;S-1-5-80-2375682873-768044350-3534595160-1005545032-2873800392)
Reserved URL : https://+:3392/rdp/
User: NT SERVICE\TermService
Listen: Yes
Delegate: No
SDDL: D:(A;;GX;;;S-1-5-80-446051430-1559341753-4161941529-1950928533-810483104)
Reserved URL : http://+:3387/rdp/
User: NT SERVICE\TermService
Listen: Yes
Delegate: No
SDDL: D:(A;;GX;;;S-1-5-80-446051430-1559341753-4161941529-1950928533-810483104)
- EliOfek, May 08, 2022, Microsoft
admin Administrator I suggest opening a support case, where support can onboard a platform engineer who might be able to add clues as to what is blocking the sensor from listening on localhost/444. Sadly, the output so far did not provide me with any significant clues.
- admin Administrator, May 09, 2022, Copper Contributor
Thanks for all your help
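
On the open question in the May 17 post (what exactly the IIS Crypto "best practices template" disables), one way to find out is to snapshot the Schannel settings under each template and compare them. This is an added example, not part of any post in the thread; the function name Get-SchannelSnapshot and the CSV file names are hypothetical.

```powershell
# Added example: record Schannel protocol/cipher/hash/key-exchange registry
# state plus the active TLS cipher suites, so two configurations can be diffed.
function Get-SchannelSnapshot {
    $root  = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
    $hklm  = [Microsoft.Win32.Registry]::LocalMachine
    $paths = @()

    # Protocol keys have fixed names, each with Client and Server subkeys.
    foreach ($proto in 'SSL 2.0','SSL 3.0','TLS 1.0','TLS 1.1','TLS 1.2','TLS 1.3') {
        foreach ($role in 'Client','Server') { $paths += "Protocols\$proto\$role" }
    }
    # Enumerate whatever subkeys exist in the other groups. The .NET registry
    # API is used because names such as "AES 128/128" contain a forward slash.
    foreach ($group in 'Ciphers','Hashes','KeyExchangeAlgorithms') {
        $g = $hklm.OpenSubKey("$root\$group")
        if ($g) {
            foreach ($name in $g.GetSubKeyNames()) { $paths += "$group\$name" }
            $g.Close()
        }
    }

    $rows = foreach ($path in $paths) {
        $k = $hklm.OpenSubKey("$root\$path")
        $state = 'not set (OS default)'   # a missing key means the OS default applies
        if ($k) {
            $state = 'Enabled={0};DisabledByDefault={1}' -f `
                     $k.GetValue('Enabled'), $k.GetValue('DisabledByDefault')
            $k.Close()
        }
        [pscustomobject]@{ Setting = $path; State = $state }
    }

    # Cipher suites currently enabled for TLS (cmdlet ships with Server 2016+).
    $rows += Get-TlsCipherSuite | ForEach-Object {
        [pscustomobject]@{ Setting = "CipherSuite\$($_.Name)"; State = 'present' }
    }
    $rows
}

# Usage: export once while the sensor works ("server defaults"), once after
# applying the other template, then list only the settings that differ.
Get-SchannelSnapshot | Export-Csv .\schannel-defaults.csv -NoTypeInformation
# ...apply the "best practices" template, then:
Get-SchannelSnapshot | Export-Csv .\schannel-bestpractice.csv -NoTypeInformation
Compare-Object (Import-Csv .\schannel-defaults.csv) `
               (Import-Csv .\schannel-bestpractice.csv) -Property Setting, State
```

Each row Compare-Object returns is a setting whose value differs between the two templates, which narrows the candidates to re-enable one at a time.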