ATP sensor fails to start since yesterday

Copper Contributor

Hi there,


we run the ATP sensor with a gMSA account on all domain controllers. Yesterday we restarted all machines because of January patch day and now the ATP sensor will get stuck while starting.


Funny: there are more than 40 DC's. The service is still starting on exactly one (!) DC. It can be restarted on this DC without any issues. All others show this error.


Rebooting the machines will not help.


2024-01-24 16:24:50.9788 Info RemoteImpersonationManager CreateImpersonatorInternalAsync started [UserName=mdiuser$ Domain=domain.local IsGroupManagedServiceAccount=True]
2024-01-24 16:24:51.4632 Info RemoteImpersonationManager GetGroupManagedServiceAccountTokenAsync finished [UserName=mdiuser$ Domain=domain.local IsSuccess=False]
2024-01-24 16:24:51.4632 Info RemoteImpersonationManager CreateImpersonatorInternalAsync finished [UserName=mdiuser$ Domain=domain.local]
2024-01-24 16:24:51.4632 Warn DirectoryServicesClient CreateLdapConnectionAsync failed to retrieve group managed service account password. [DomainControllerDnsName=dc03.domain.local Domain=domain.local UserName=mdiuser$ ]

We have not changed anything regarding sensors or the gMSA account for months, so this configuration was running without issues until yesterday.


Running Test-ADServiceAccount -Identity "mdiuser" on the affected machines gives "True", so the machine can successfully retrieve the gMSA password. 


I have checked that the mdiuser account is part of the GPO that allows logon as service on all machines. 


Now I am running out of ideas. The system tells me, it can access the gMSA password, the agent tells me it can't. Whats wrong?


Best regards, Ingo

7 Replies
Were you able to get this resolved? I have the same issue since updating to release 2.227. I created a new gMSA account, and got the sensors started using the new gMSA.

They ran fine for a couple of weeks until they update to release 2.228. Now I am seeing "failed to retrieve group managed service account password" for the new gMSA
Unfortunately not yet.

I have a support ticket open for two weeks now. The Microsoft support has asked a few things but there has been no solution yet.
Have you had any luck? We have an open support case as well but it's taking a long time.
No. I had a long support case with MS and we did not find a real solution. At the end they asked me to create yet another gMSA and it was working then for a few days. Exactly long enough to close the case.

Now a few days later some of the DC's show the same error again. I think, I'll go back to a normal account. Seems like this gMSA stuff is somehow broken.
  • @ingo-boettcher does your kds-rootkey possibly point to a demoted/deleted DC? 
there were two root keys, where one pointed to an old DC that was no longer in use for years. I have removed this old key and will see what happens.

But the key was from 2013, the old DC removed at least five years ago and the gMSA was working with ATP for some years... but we'll see!
Please let me know