Jan 24 2024 08:41 AM
Hi there,
we run the ATP sensor with a gMSA account on all domain controllers. Yesterday we restarted all machines because of January patch day and now the ATP sensor will get stuck while starting.
Funny: there are more than 40 DC's. The service is still starting on exactly one (!) DC. It can be restarted on this DC without any issues. All others show this error.
Rebooting the machines will not help.
2024-01-24 16:24:50.9788 Info RemoteImpersonationManager CreateImpersonatorInternalAsync started [UserName=mdiuser$ Domain=domain.local IsGroupManagedServiceAccount=True]
2024-01-24 16:24:51.4632 Info RemoteImpersonationManager GetGroupManagedServiceAccountTokenAsync finished [UserName=mdiuser$ Domain=domain.local IsSuccess=False]
2024-01-24 16:24:51.4632 Info RemoteImpersonationManager CreateImpersonatorInternalAsync finished [UserName=mdiuser$ Domain=domain.local]
2024-01-24 16:24:51.4632 Warn DirectoryServicesClient CreateLdapConnectionAsync failed to retrieve group managed service account password. [DomainControllerDnsName=dc03.domain.local Domain=domain.local UserName=mdiuser$ ]
We have not changed anything regarding sensors or the gMSA account for months, so this configuration was running without issues until yesterday.
Running Test-ADServiceAccount -Identity "mdiuser" on the affected machines gives "True", so the machine can successfully retrieve the gMSA password.
I have checked that the mdiuser account is part of the GPO that allows logon as service on all machines.
Now I am running out of ideas. The system tells me, it can access the gMSA password, the agent tells me it can't. Whats wrong?
Best regards, Ingo
Feb 13 2024 01:50 PM
Feb 14 2024 12:39 AM
Apr 04 2024 08:29 PM
Apr 05 2024 12:50 AM
Apr 05 2024 12:54 AM
Apr 05 2024 01:05 AM
Aug 15 2024 10:08 PM
Aug 28 2024 06:44 PM
So in the end, our issue turned out to be in relation to the awful Secure Time Seeding service, which caused a domain controller to jump into the future by two months and back again. During that interval, it seems that our GMSA did a password reset, and now the "lastlogondate" and "passwordlastset" dates are still in the future, so now none of the DCs (other than the one where the time jump occurred) can retrieve the password.
These are the selected date properties for the account - note the password/lastlogon dates are still a month from now.
Get-ADServiceAccount -Identity [SVC_ACCOUNT] -Properties *
... badPasswordTime : 133693679012898018 badPwdCount : 28 LastBadPasswordAttempt : 29/08/2024 11:18:21 AM lastLogon : 133690172347063244 LastLogonDate : 17/09/2024 1:27:15 PM lastLogonTimestamp : 133710172352439465 PasswordLastSet : 17/09/2024 1:27:15 PM pwdLastSet : 133710172352439465
In a domain environment, where your DCs are syncing with a good NTP source, you MUST disable this STS garbage, which is enabled by default. Windows feature that resets system clocks based on random data is wreaking havoc | Ars Technica
The only fix for us now, according to Microsoft Support, is to create a new GMSA ...or wait another month until it starts working.
Aug 29 2024 06:49 AM
Aug 30 2024 05:07 AM