AATPSensor Service Status: Starting


One of our company's clients is implementing ATP on a dozen or so domain controllers. After installation, all of them are running into the same problem: the AATPSensor service is stuck in "Starting" status and the error logs under C:\Program Files\Azure Advanced Threat Protection Sensor\<version number>\Logs all throw the following:

 

2019-02-08 20:21:23.0620 Error DirectoryServicesClient+<CreateLdapConnectionAsync>d__33 Microsoft.Tri.Infrastructure.ExtendedException: CreateLdapConnectionAsync failed [DomainControllerDnsName=[redacted for client privacy]]
at async Task<LdapConnection> Microsoft.Tri.Sensor.DirectoryServicesClient.CreateLdapConnectionAsync(DomainControllerConnectionData domainControllerConnectionData, bool isGlobalCatalog, bool isTraversing)
at async Task<bool> Microsoft.Tri.Sensor.DirectoryServicesClient.TryCreateLdapConnectionAsync(DomainControllerConnectionData domainControllerConnectionData, bool isGlobalCatalog, bool isTraversing)
2019-02-08 20:21:23.0620 Error DirectoryServicesClient Microsoft.Tri.Infrastructure.ExtendedException: Failed to communicate with configured domain controllers
at new Microsoft.Tri.Sensor.DirectoryServicesClient(IConfigurationManager configurationManager, IDomainNetworkCredentialsManager domainNetworkCredentialsManager, IMetricManager metricManager, IWorkspaceApplicationSensorApiJsonProxy workspaceApplicationSensorApiJsonProxy)
at object lambda_method(Closure, object[])
at object Autofac.Core.Activators.Reflection.ConstructorParameterBinding.Instantiate()
at void Microsoft.Tri.Infrastructure.ModuleManager.AddModules(Type[] moduleTypes)
at ModuleManager Microsoft.Tri.Sensor.SensorService.CreateModuleManager()
at async Task Microsoft.Tri.Infrastructure.Service.OnStartAsync()
at void Microsoft.Tri.Infrastructure.TaskExtension.Await(Task task)
at void Microsoft.Tri.Infrastructure.Service.OnStart(string[] args)

 

Unfortunately, I do not have direct access to the client's ATP portal to get in and gather additional information, but do have access to the DCs to troubleshoot. On the portal side, the client is seeing the following errors:

 

Sensor stopped communicating

There has not been communication from the Sensor [dc name] for a day. Last communication was on [date and time sensor was installed] 

Recommendations

- Check that the Sensor service is up and running.

- Check the communications between the Sensor to [client portal address]

 

Has anyone encountered this before or know what may be causing this? Based on the error, it appears it can't establish an LDAP connection, but to my knowledge there shouldn't be any issues with ports.

 

Could it possibly have something to do with the domain trusts? nltest /domain_trusts output is the following:


List of domain trusts:
0: [client domain 4] (NT 5) (Direct Outbound) (Direct Inbound) ( Attr: 0x8 )
1: [MSP domain] (NT 5) (Direct Outbound) (Direct Inbound) ( Attr: quarantined )
2: [MSP domain] (NT 5) (Direct Outbound) ( Attr: 0x8 )
3: [client domain 3] (NT 5) (Direct Outbound) ( Attr: 0x8 )
4: [client domain 2] (NT 5) (Direct Outbound) (Direct Inbound) ( Attr: 0x8 )
5: [client domain 1] (NT 5) (Forest Tree Root) (Primary Domain) (Native)
The command completed successfully

2 Replies

Try to grab a netmon 3.4 trace on the machine while it fails to start to see why the LDAP connection is failing and at what level of the protocol...

Have you verified by telnetting and made sure there is connectivity?

 

Smells like a network issue.
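The two replies boil down to "prove the sensor host can actually reach and bind to the domain controllers". The PowerShell below is an added example for doing that from the affected DC; it is not code from the original thread or from the Azure ATP product. It assumes the sensor needs the standard LDAP, LDAPS, Global Catalog and Kerberos ports (389, 636, 3268, 3269, 88), which the thread does not state, and that the DC list returned by Get-ADDomainController matches the DCs the sensor is configured to talk to. Run it elevated on the DC where AATPSensor is stuck in "Starting"; a BLOCKED port or a failed bind is the same condition CreateLdapConnectionAsync is reporting, narrowed down to the layer it fails at.

```powershell
# Added example, not from the original post. Checks TCP reachability of the
# standard directory ports from this host to every DC in the domain, then
# performs a real LDAP bind and rootDSE read, which is what a failing
# CreateLdapConnectionAsync ultimately needs to succeed.
# Assumption: port list and DC enumeration below are generic; adjust if the
# sensor is configured against specific DCs or a different domain.

$ports = [ordered]@{ LDAP = 389; LDAPS = 636; GC = 3268; 'GC-SSL' = 3269; Kerberos = 88 }

# DCs of the domain this host belongs to (requires the AD module present on a DC).
$dcs = (Get-ADDomainController -Filter *).HostName | Sort-Object -Unique

# 1. Transport layer: is each port open at all?
foreach ($dc in $dcs) {
    foreach ($name in $ports.Keys) {
        $r = Test-NetConnection -ComputerName $dc -Port $ports[$name] -WarningAction SilentlyContinue
        $state = if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' }
        '{0,-40} {1,-9} {2,5}  {3}' -f $dc, $name, $ports[$name], $state
    }
}

# 2. Protocol layer: can we bind with the current account and read rootDSE?
# Run this as the account the sensor uses (the installing account or the
# configured directory service account) so the result reflects its rights.
Add-Type -AssemblyName System.DirectoryServices.Protocols
foreach ($dc in $dcs) {
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($dc, 389)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate   # Kerberos/NTLM
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.Timeout = [TimeSpan]::FromSeconds(10)
    try {
        $conn.Bind()
        # Base-scope search of rootDSE (empty DN) for defaultNamingContext.
        $req  = New-Object System.DirectoryServices.Protocols.SearchRequest(
                    $null, '(objectClass=*)', 'Base', 'defaultNamingContext')
        $resp = $conn.SendRequest($req)
        $nc   = $resp.Entries[0].Attributes['defaultNamingContext'][0]
        "$dc : bind OK, defaultNamingContext = $nc"
    }
    catch {
        # An exception here (timeout, referral, invalid credentials, server down)
        # is the layer to dig into with the netmon trace suggested above.
        "$dc : bind FAILED - $($_.Exception.Message)"
    }
    finally {
        $conn.Dispose()
    }
}
```

If every port shows open but the bind fails, the problem is above TCP (authentication, a DC that is not answering LDAP, or name resolution returning the wrong host), and a packet capture taken while the service start fails will show which. If a port shows BLOCKED on a host that you believe has no firewall rules, check for an intermediate device or host-based filtering before suspecting the trusts listed in the nltest output.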