Forum Discussion
The Sensor fails to start
We are implementing Windows Defender for Identity. As our domain controllers are not allowed to communicate with the internet, we have setup a dedicated member server for the sensor. The operati...
- What happened is that the deployment found the adfssrv service running on the machine, thus assuming it has the ADFS role, instead of what I think you expected to be "Standalone sensor" role to remotely monitor the DC via port mirroring and event forwarding.
For some reason, even though adfssrv is there, the ADFS Cmdlets that we use to learn data on ADFS are not.
If you want a standalone sensor, the machine should not run any other role. it should be a plain windows server.
Note that standalones are generally a poor choice. less than 2% of sensors WW are standalone.
You get much less detections, and it is much harder to setup correctly.
Why not use a limited authenticated internet proxy so the machine does not have direcet access to the internet.
The sensor supports "private proxy" which means you give it the proxy details during deployment, and only the sensor processes can use this proxy, and no other process.
Also, the proxy can limit access only to MDI's endpoints in azure.
EliOfek
Microsoft
MicrosoftThe issue should appear in Microsoft.Tri.Sensor.Deployment.Deployer_20230920082542.log.
Share the data from it.
Share the data from it.
2023-09-20 13:52:34.3007 Info Program Main Deployer started [arguments=iEgYX6Z1ahtUzF/mpsUN9Q==]
2023-09-20 13:52:34.4569 Debug InstallActionGroup Apply started
2023-09-20 13:52:34.4569 Debug CreateCertificateAction Apply started [suppressFailure=False]
2023-09-20 13:52:38.8944 Debug CreateCertificateAction Apply finished
2023-09-20 13:52:38.8944 Debug CreateSensorAction Apply started [suppressFailure=False]
2023-09-20 13:52:39.4413 Info CreateSensorAction ApplyInternal Adfs installation research log [adfsCommandOutput=Get-Command : The term 'Get-AdfsProperties' is not recognized as the name of a cmdlet, function, script file, or
operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try
again.
At line:1 char:2
+ (Get-Command Get-AdfsProperties).Source
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Get-AdfsProperties:String) [Get-Command], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException,Microsoft.PowerShell.Commands.GetCommandCommand
adfssrv state=null user=Contoso\Administrator]
2023-09-20 13:52:39.8442 Debug CreateSensorAction Apply finished
2023-09-20 13:52:39.8442 Debug TestCertificateAndProxyAction Apply started [suppressFailure=False]
2023-09-20 13:52:40.0630 Debug TestCertificateAndProxyAction Apply finished
2023-09-20 13:52:40.0630 Debug SaveSensorMandatoryConfigurationAction Apply started [suppressFailure=False]
2023-09-20 13:52:40.0942 Debug SaveSensorMandatoryConfigurationAction Apply finished
2023-09-20 13:52:40.0942 Debug CreateServicesActionGroup Apply started
2023-09-20 13:52:40.0942 Debug CreateServiceAction Apply started [suppressFailure=False]
2023-09-20 13:52:40.0942 Debug CreateServiceAction Apply finished
2023-09-20 13:52:40.0942 Debug SetServiceDescriptionAction Apply started [suppressFailure=False]
2023-09-20 13:52:40.1098 Debug SetServiceDescriptionAction Apply finished
2023-09-20 13:52:40.1098 Debug ConfigureServiceAction Apply started [suppressFailure=False]
2023-09-20 13:52:40.1098 Debug ConfigureServiceAction Apply finished
2023-09-20 13:52:40.1098 Debug SetServicePreshutdownTimeoutAction Apply started [suppressFailure=False]
2023-09-20 13:52:40.1255 Debug SetServicePreshutdownTimeoutAction Apply finished
2023-09-20 13:52:40.1255 Debug CreateServiceAction Apply started [suppressFailure=False]
2023-09-20 13:52:40.1255 Debug CreateServiceAction Apply finished
2023-09-20 13:52:40.1255 Debug SetServiceDescriptionAction Apply started [suppressFailure=False]
2023-09-20 13:52:40.1255 Debug SetServiceDescriptionAction Apply finished
2023-09-20 13:52:40.1255 Debug ConfigureServiceAction Apply started [suppressFailure=False]
2023-09-20 13:52:40.1411 Debug ConfigureServiceAction Apply finished
2023-09-20 13:52:40.1411 Debug SetServicePreshutdownTimeoutAction Apply started [suppressFailure=False]
2023-09-20 13:52:40.1411 Debug SetServicePreshutdownTimeoutAction Apply finished
2023-09-20 13:52:40.1411 Debug CreateServicesActionGroup Apply finished
2023-09-20 13:52:40.1411 Debug ConfigureVirtualServiceAccountAction Apply started [suppressFailure=False]
2023-09-20 13:52:40.1723 Debug ConfigureVirtualServiceAccountAction Apply finished
2023-09-20 13:52:40.1723 Debug RegisterCrashDumpsAction Apply started [suppressFailure=False]
2023-09-20 13:52:40.1723 Debug RegisterCrashDumpsAction Apply finished
2023-09-20 13:52:40.1723 Debug EnableTls12Action Apply started [suppressFailure=False]
2023-09-20 13:52:40.1723 Debug EnableTls12Action Apply finished
2023-09-20 13:52:40.1723 Debug CopyServiceLogsOnRevertAction Apply started [suppressFailure=False]
2023-09-20 13:52:40.1723 Debug CopyServiceLogsOnRevertAction Apply finished
2023-09-20 13:52:40.1723 Debug StartServiceAction Apply started [suppressFailure=False]
2023-09-20 13:52:46.2365 Debug StartServiceAction Apply finished
2023-09-20 13:52:46.2365 Debug InstallActionGroup Apply finished
2023-09-20 13:52:46.2365 Info Program Main Deployer finished
2023-09-20 13:52:34.4569 Debug InstallActionGroup Apply started
2023-09-20 13:52:34.4569 Debug CreateCertificateAction Apply started [suppressFailure=False]
2023-09-20 13:52:38.8944 Debug CreateCertificateAction Apply finished
2023-09-20 13:52:38.8944 Debug CreateSensorAction Apply started [suppressFailure=False]
2023-09-20 13:52:39.4413 Info CreateSensorAction ApplyInternal Adfs installation research log [adfsCommandOutput=Get-Command : The term 'Get-AdfsProperties' is not recognized as the name of a cmdlet, function, script file, or
operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try
again.
At line:1 char:2
+ (Get-Command Get-AdfsProperties).Source
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Get-AdfsProperties:String) [Get-Command], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException,Microsoft.PowerShell.Commands.GetCommandCommand
adfssrv state=null user=Contoso\Administrator]
2023-09-20 13:52:39.8442 Debug CreateSensorAction Apply finished
2023-09-20 13:52:39.8442 Debug TestCertificateAndProxyAction Apply started [suppressFailure=False]
2023-09-20 13:52:40.0630 Debug TestCertificateAndProxyAction Apply finished
2023-09-20 13:52:40.0630 Debug SaveSensorMandatoryConfigurationAction Apply started [suppressFailure=False]
2023-09-20 13:52:40.0942 Debug SaveSensorMandatoryConfigurationAction Apply finished
2023-09-20 13:52:40.0942 Debug CreateServicesActionGroup Apply started
2023-09-20 13:52:40.0942 Debug CreateServiceAction Apply started [suppressFailure=False]
2023-09-20 13:52:40.0942 Debug CreateServiceAction Apply finished
2023-09-20 13:52:40.0942 Debug SetServiceDescriptionAction Apply started [suppressFailure=False]
2023-09-20 13:52:40.1098 Debug SetServiceDescriptionAction Apply finished
2023-09-20 13:52:40.1098 Debug ConfigureServiceAction Apply started [suppressFailure=False]
2023-09-20 13:52:40.1098 Debug ConfigureServiceAction Apply finished
2023-09-20 13:52:40.1098 Debug SetServicePreshutdownTimeoutAction Apply started [suppressFailure=False]
2023-09-20 13:52:40.1255 Debug SetServicePreshutdownTimeoutAction Apply finished
2023-09-20 13:52:40.1255 Debug CreateServiceAction Apply started [suppressFailure=False]
2023-09-20 13:52:40.1255 Debug CreateServiceAction Apply finished
2023-09-20 13:52:40.1255 Debug SetServiceDescriptionAction Apply started [suppressFailure=False]
2023-09-20 13:52:40.1255 Debug SetServiceDescriptionAction Apply finished
2023-09-20 13:52:40.1255 Debug ConfigureServiceAction Apply started [suppressFailure=False]
2023-09-20 13:52:40.1411 Debug ConfigureServiceAction Apply finished
2023-09-20 13:52:40.1411 Debug SetServicePreshutdownTimeoutAction Apply started [suppressFailure=False]
2023-09-20 13:52:40.1411 Debug SetServicePreshutdownTimeoutAction Apply finished
2023-09-20 13:52:40.1411 Debug CreateServicesActionGroup Apply finished
2023-09-20 13:52:40.1411 Debug ConfigureVirtualServiceAccountAction Apply started [suppressFailure=False]
2023-09-20 13:52:40.1723 Debug ConfigureVirtualServiceAccountAction Apply finished
2023-09-20 13:52:40.1723 Debug RegisterCrashDumpsAction Apply started [suppressFailure=False]
2023-09-20 13:52:40.1723 Debug RegisterCrashDumpsAction Apply finished
2023-09-20 13:52:40.1723 Debug EnableTls12Action Apply started [suppressFailure=False]
2023-09-20 13:52:40.1723 Debug EnableTls12Action Apply finished
2023-09-20 13:52:40.1723 Debug CopyServiceLogsOnRevertAction Apply started [suppressFailure=False]
2023-09-20 13:52:40.1723 Debug CopyServiceLogsOnRevertAction Apply finished
2023-09-20 13:52:40.1723 Debug StartServiceAction Apply started [suppressFailure=False]
2023-09-20 13:52:46.2365 Debug StartServiceAction Apply finished
2023-09-20 13:52:46.2365 Debug InstallActionGroup Apply finished
2023-09-20 13:52:46.2365 Info Program Main Deployer finished
- EliOfekWhat happened is that the deployment found the adfssrv service running on the machine, thus assuming it has the ADFS role, instead of what I think you expected to be "Standalone sensor" role to remotely monitor the DC via port mirroring and event forwarding.
For some reason, even though adfssrv is there, the ADFS Cmdlets that we use to learn data on ADFS are not.
If you want a standalone sensor, the machine should not run any other role. it should be a plain windows server.
Note that standalones are generally a poor choice. less than 2% of sensors WW are standalone.
You get much less detections, and it is much harder to setup correctly.
Why not use a limited authenticated internet proxy so the machine does not have direcet access to the internet.
The sensor supports "private proxy" which means you give it the proxy details during deployment, and only the sensor processes can use this proxy, and no other process.
Also, the proxy can limit access only to MDI's endpoints in azure.- I saw that one in the LOGs as well, but the ADFS role was not installed on the server.
The only other role which is installed on the server is an OCSP, which is probably causing the curl pit..
The Sensor already uses a private proxy, wherefore we implemented the Reg_Binary proxy settings in the registry. I will have to discuss this with the stakeholders. Thanks for the response!- EliOfekOCSP causes adfssrv to run?
I strongly recommend the built in sensor proxy, it's more secured compared to the registry option, as it limits access to only the sensor processes and not an entire windows profile.
