Sep 14 2020 04:53 PM - last edited on Nov 30 2021 01:54 PM by Allen
We have ATP sensors set up on our domain controllers. A group managed service account (gMSA) is being used. There are a few read only domain controllers that can't seem to read the password, even though the servers are in the group that can read the GMSA user password. The GMSA account is set with permissions for 'log in as service'. Any suggestions on what to look for?
Errors from the sensor log:
2020-09-14 22:02:11.7896 Debug DirectoryServicesClient SetState Creating
2020-09-14 22:02:11.8346 Info ImpersonationManager CreateImpersonatorAsync started [UserName=<MSA-ACCOUNT> IsGroupManagedServiceAccount=True]
2020-09-14 22:02:11.8846 Info ImpersonationManager CreateImpersonatorAsync finished [UserName=<MSA-ACCOUNT> IsSuccess=False]
2020-09-14 22:02:11.8846 Warn DirectoryServicesClient CreateLdapConnectionAsync failed to retrieve group managed service account password. [DomainControllerDnsName=servername.domain.corp Domain=domain.corp UserName=<MSA-ACCOUNT> ]
2020-09-14 22:02:12.0846 Error DirectoryServicesClient+<CreateLdapConnectionAsync>d__38 Microsoft.Tri.Infrastructure.ExtendedException: CreateLdapConnectionAsync failed [DomainControllerDnsName=<serverwhereATPfailing.domain.corp>]
at async Task<LdapConnection> Microsoft.Tri.Sensor.DirectoryServicesClient.CreateLdapConnectionAsync(DomainControllerConnectionData domainControllerConnectionData, bool isGlobalCatalog, bool isTraversing)
at async Task<bool> Microsoft.Tri.Sensor.DirectoryServicesClient.TryCreateLdapConnectionAsync(DomainControllerConnectionData domainControllerConnectionData, bool isGlobalCatalog, bool isTraversing)
2020-09-14 22:02:12.0946 Error DirectoryServicesClient Microsoft.Tri.Infrastructure.ExtendedException: Failed to communicate with configured domain controllers
at new Microsoft.Tri.Sensor.DirectoryServicesClient(IConfigurationManager configurationManager, IDomainNetworkCredentialsManager domainNetworkCredentialsManager, IImpersonationManager impersonationManager, IMetricManager metricManager, IWorkspaceApplicationSensorApiJsonProxy workspaceApplicationSensorApiJsonProxy)
at object lambda_method(Closure, object[])
at object Autofac.Core.Activators.Reflection.ConstructorParameterBinding.Instantiate()
at void Microsoft.Tri.Infrastructure.ModuleManager.AddModules(Type[] moduleTypes)
at new Microsoft.Tri.Sensor.SensorModuleManager()
at ModuleManager Microsoft.Tri.Sensor.SensorService.CreateModuleManager()
at async Task Microsoft.Tri.Infrastructure.Service.OnStartAsync()
at void Microsoft.Tri.Infrastructure.TaskExtension.Await(Task task)
at void Microsoft.Tri.Infrastructure.Service.OnStart(string[] args)
Sep 14 2020 04:59 PM
@19873306 What OS version are those RODCs running?
Sep 14 2020 05:15 PM
@EliOfek Server 2019. I saw the patch for 2012, but it doesn't apply here.
Sep 15 2020 12:44 AM
@19873306 Then I suggest opening a support case for this one so they can go over the settings with you to make sure nothing was missed. In some environments this can be a bit tricky to set up.
Sep 15 2020 08:43 AM
@EliOfek Thank you. Should this support request be opened through Azure portal?
Sep 16 2020 06:09 PM
@EliOfek Case 120091525000664 created. The technician is indicating that there are issues with Npcap or WinPcap. We have other servers in our environment which are running the ATP sensor without either Npcap or WinPcap. Are either required for the Azure ATP sensor? I do not see them listed in the prerequisites here: https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-prerequisites
Sep 17 2020 03:22 PM
@19873306, if you don't have Npcap installed before you install the sensor, the sensor deployment will auto-install a "local" WinPcap. You won't see it in Add\Remove Programs, but you can see the driver service running with this command:
sc qc npf
Sep 17 2020 04:03 PM
@19873306 Make sure you are running elevated when running this.
If you still can't find the npf driver, check also:
sc qc npcap
If you don't have this one either, then you have no capturing driver installed, which means the sensor cannot work.
I would try to uninstall and reinstall. If the same problem returns, it means you have something that is somehow blocking or reversing the driver installation.
Most likely a 3rd-party security software, so try to disable it before deployment to see if it makes things work.
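The manual checks above (sc qc npf, sc qc npcap, run elevated) can be scripted so the result is unambiguous. The following is an added example for this thread, not code from the sensor or from any poster; it assumes only the two driver service names already named above and reads them via Win32_SystemDriver, which also reports whether the driver is actually running and whether its .sys file still exists on disk (a missing file with a registered service is the "something reverted the install" case).

```powershell
# Added example (not from the thread): is a capture driver the sensor can use
# registered, running, and present on disk? Mirrors "sc qc npf" / "sc qc npcap".
#Requires -RunAsAdministrator

function Get-CaptureDriverStatus {
    # Service names from the thread: the sensor's bundled WinPcap registers "npf",
    # a pre-installed Npcap registers "npcap".
    $names = @('npf', 'npcap')
    foreach ($name in $names) {
        $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$name'" -ErrorAction SilentlyContinue
        if ($null -eq $drv) {
            [pscustomobject]@{ Name = $name; Present = $false; State = $null; StartMode = $null; Path = $null; FileExists = $false }
            continue
        }
        # PathName looks like "\??\C:\WINDOWS\system32\drivers\npf.sys"; drop the NT prefix for Test-Path.
        $path = $drv.PathName -replace '^\\\?\?\\', ''
        [pscustomobject]@{
            Name       = $name
            Present    = $true
            State      = $drv.State        # 'Running' / 'Stopped'
            StartMode  = $drv.StartMode    # 'Auto' corresponds to START_TYPE 2 in sc qc output
            Path       = $path
            FileExists = (Test-Path -LiteralPath $path)
        }
    }
}

$status = Get-CaptureDriverStatus
$status | Format-Table -AutoSize

if (-not ($status | Where-Object Present)) {
    Write-Warning 'No capture driver (npf or npcap) is registered; the sensor cannot capture traffic. Reinstall the sensor; if the driver disappears again, something (often third-party security software) is blocking or reverting the driver installation.'
}
elseif (-not ($status | Where-Object { $_.Present -and $_.FileExists })) {
    Write-Warning 'A capture driver service is registered but its .sys file is missing: the installation was reverted after registration. Check endpoint-protection quarantine and logs.'
}
elseif (-not ($status | Where-Object { $_.Present -and $_.State -eq 'Running' })) {
    Write-Warning 'A capture driver is registered but not running. Start it (sc start npf or sc start npcap) and check the System event log for driver load failures.'
}
```

Run it from an elevated PowerShell session, the same requirement the thread gives for sc qc; without elevation the CIM query may return nothing and look like a missing driver.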
Sep 18 2020 04:01 PM
@EliOfek I uninstalled the sensor, rebooted, then reinstalled.
I now have
C:\WINDOWS\system32>sc qc npf
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: npf
TYPE : 1 KERNEL_DRIVER
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : \??\C:\WINDOWS\system32\drivers\npf.sys
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : NetGroup Packet Filter Driver
DEPENDENCIES :
SERVICE_START_NAME :
C:\WINDOWS\system32>
However, the sensor still will not start
Partial error message:
2020-09-18 22:55:35.0283 Warn DirectoryServicesClient CreateLdapConnectionAsync failed to retrieve group managed service account password.
The referenced group managed service account is installed on the server, and tests true from PowerShell.
The partial event log message in Directory Services indicates the password is fetched successfully:
A caller successfully fetched the password of a group managed service account.
Group Managed Service Account Object:
CN=Microsoft Azure ATP Sensor,OU=ATP,OU=Azure
Sep 19 2020 05:22 AM
@19873306
So it seems you are over the initial issue.
As for the gMSA issue, it's a bit more tricky.
Check errors and warnings in both the sensor logs and the updater logs around this time span to see if you get new insights about what went wrong, or else I suggest opening a support case as it might be tricky.
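The thread stops at "it's a bit more tricky", but the pieces it mentions (the host being in the group allowed to read the gMSA password, Test-ADServiceAccount returning true, the 'Log on as a service' right, and the sensor log naming a specific DC it could not get the password from) can be checked together on the failing host. The script below is an added example written for this thread, not the sensor's or any poster's code. Assumptions, none of which come from the thread: the RSAT ActiveDirectory module is installed on the host; the sensor service is assumed to be named AATPSensor; the gMSA name, the DC to probe and the service name are placeholders supplied as parameters. The 'Log on as a service' check reads the local policy with secedit and only detects a direct grant to the gMSA, not one inherited through a group.

```powershell
# Added example (not from the thread): pre-flight for running the sensor under a gMSA.
# Assumptions: RSAT ActiveDirectory module present; sensor service name assumed 'AATPSensor';
# $GmsaName and $DomainController are placeholders you replace.
#Requires -RunAsAdministrator
#Requires -Modules ActiveDirectory
param(
    [Parameter(Mandatory)] [string] $GmsaName,              # sAMAccountName without the trailing '$'
    [string] $DomainController = 'dc01.domain.corp',        # placeholder: the DC named in the sensor log
    [string] $SensorService    = 'AATPSensor'               # assumed sensor service name
)

$results  = [ordered]@{}
$computer = Get-ADComputer -Identity $env:COMPUTERNAME
$gmsa     = Get-ADServiceAccount -Identity $GmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword

# 1. Is this computer allowed to retrieve the managed password, directly or through a
#    (nested) group? This is the "group that can read the gMSA password" from the thread.
$allowed = $false
foreach ($dn in $gmsa.PrincipalsAllowedToRetrieveManagedPassword) {
    $obj = Get-ADObject -Identity $dn -Properties objectSid
    if ($obj.objectClass -eq 'group') {
        $member = Get-ADGroupMember -Identity $dn -Recursive | Where-Object { $_.SID -eq $computer.SID }
        if ($member) { $allowed = $true; break }
    }
    elseif ($obj.objectSid -eq $computer.SID) { $allowed = $true; break }
}
$results['AllowedToRetrievePassword'] = $allowed

# 2. Can this host obtain the password right now? (The "tests true from PowerShell" check.)
#    Returns $false with a warning if the gMSA has not been installed locally.
$results['TestADServiceAccount'] = [bool](Test-ADServiceAccount -Identity $GmsaName)

# 3. Does the gMSA hold SeServiceLogonRight ('Log on as a service') directly?
#    secedit lists principals as *SID, so compare on the SID rather than the name.
$inf = Join-Path $env:TEMP 'userrights.inf'
secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
$rightLine = Get-Content -LiteralPath $inf | Where-Object { $_ -match '^SeServiceLogonRight' }
Remove-Item -LiteralPath $inf -Force
$results['LogOnAsServiceDirect'] = [bool]($rightLine -and $rightLine -like "*$($gmsa.SID.Value)*")

# 4. Is the sensor service actually configured to run as the gMSA? gMSA logon names end in '$'.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$SensorService'"
$results['ServiceRunsAsGmsa'] = [bool]($svc -and $svc.StartName -like "*\$GmsaName`$")
$results['ServiceState']      = if ($svc) { $svc.State } else { 'not installed' }

# 5. Is the DC named in the sensor's failure line reachable on LDAP from this host?
$results['LdapReachable'] = Test-NetConnection -ComputerName $DomainController -Port 389 -InformationLevel Quiet

[pscustomobject]$results | Format-List
```

Read the output as a set: AllowedToRetrievePassword and TestADServiceAccount both true while the sensor still logs "failed to retrieve group managed service account password" means the account and the host are fine and the remaining variables are the specific DC the sensor chose (item 5), the service's logon identity (item 4), or the 'Log on as a service' grant the thread asks about (item 3), which is where the sensor and updater logs EliOfek points to should be read next.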