Dec 02 2018 09:00 AM - last edited on Nov 30 2021 10:06 AM by TechCommunityAP
Hello All!
I just downloaded and installed a new sensor on my DC2. The Azure Advanced Threat Protection Sensor service is trying to start but never succeeds. I changed the login credentials from Local System to the special user, the same as in workspace - Configurations - Directory services. It doesn't help. Rebooted a few times.
Errors logged in Microsoft.Tri.Sensor-Errors.log:
2018-12-02 13:38:26.1870 Error DirectoryServicesClient+<CreateLdapConnectionAsync>d__34 Microsoft.Tri.Infrastructure.ExtendedException: Failed to connect to domain controller [DomainControllerDnsName=DC2.pansw.com ErrorCode=82] ---> System.DirectoryServices.Protocols.LdapException: A local error occurred.
at void System.DirectoryServices.Protocols.LdapConnection.BindHelper(NetworkCredential newCredential, bool needSetCredential)
...
2018-12-02 13:38:26.2026 Error DirectoryServicesClient Microsoft.Tri.Infrastructure.ExtendedException: Failed to communicate with configured domain controllers
at new Microsoft.Tri.Sensor.DirectoryServicesClient(IConfigurationManager configurationManager, IMetricManager metricManager, IWorkspaceApplicationSensorApiJsonProxy workspaceApplicationSensorApiJsonProxy)
The following error is logged in the System Event Viewer:
The Azure Advanced Threat Protection Sensor service terminated unexpectedly. It has done this 4070 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
Firewall is off. ESET file security - disabled. ldp.exe successfully connects to both DCs.
Any ideas?
Dec 02 2018 11:39 AM
Please restore the service credentials to the default, it must run as deployed, and never be changed.
As for the error. Any chance this is a multi forest deployment, where you either have no trust or only external trust?
If yes, this scenario is not yet supported, but a preview of it is coming very soon, and if you are interested, I suggest using the feedback email from the UI and asking to be a preview candidate.
Dec 03 2018 12:02 AM
I restored credentials back to Local System account.
I have 2 domains with a Forest type trust between them. In general, the second domain is not involved in the deployment. It is used for tests only.
I am planning to install a sensor on another DC.
Dec 03 2018 12:12 AM
Is the trust one way or two way?
Dec 03 2018 12:59 AM
Dec 03 2018 04:32 AM
Are you 100% sure about the trust setup?
Currently we only support full two way trust, or full one way trust where the AATP AD account that you have set is coming from the trusted forest.
So far I have only seen this error (ErrorCode=82) in cases where the trust was not such but some other type.
Can you double check it?
Also, make sure the account details (username, password) supplied to AATP are correct.
Dec 03 2018 05:20 AM - edited Dec 03 2018 05:21 AM
Hi Eli,
Everything is inside one of the domains. ATP user is from this domain too. Second domain is not involved in the process.
Dec 05 2018 06:34 AM
I installed the sensor on a standalone server and got a different error, but the service refuses to start:
2018-12-05 14:31:50.8754 Error DirectoryServicesClient Microsoft.Tri.Infrastructure.ExtendedException: Domain controllers are not configured
at new Microsoft.Tri.Sensor.DirectoryServicesClient(IConfigurationManager configurationManager, IMetricManager metricManager, IWorkspaceApplicationSensorApiJsonProxy workspaceApplicationSensorApiJsonProxy)
at object lambda_method(Closure, object[])
at object Autofac.Core.Activators.Reflection.ConstructorParameterBinding.Instantiate()
at void Microsoft.Tri.Infrastructure.ModuleManager.AddModules(Type[] moduleTypes)
at ModuleManager Microsoft.Tri.Sensor.SensorService.CreateModuleManager()
at async Task Microsoft.Tri.Infrastructure.Service.OnStartAsync()
at void Microsoft.Tri.Infrastructure.TaskExtension.Await(Task task)
at void Microsoft.Tri.Infrastructure.Service.OnStart(string[] args)
Dec 05 2018 06:37 AM
When installing an integrated sensor, we auto config it by default as we know on which DC we are running.
In the case of a standalone sensor, there is no (feasible) way for us to auto detect which DCs are port mirrored to this machine, so you need to go to the sensor list in the portal configuration section and manually tell this sensor which DCs it should monitor. Once you do that, a few seconds later the service should be able to start.
Dec 05 2018 06:43 AM
Hi Eli!
I did it.
Now I am getting the same error as on the DCs:
2018-12-05 14:38:33.8213 Error DirectoryServicesClient+<CreateLdapConnectionAsync>d__34 Microsoft.Tri.Infrastructure.ExtendedException: Failed to connect to domain controller [DomainControllerDnsName=juno1.pansw.com ErrorCode=82] ---> System.DirectoryServices.Protocols.LdapException: A local error occurred.
at void System.DirectoryServices.Protocols.LdapConnection.BindHelper(NetworkCredential newCredential, bool needSetCredential)
at async Task<LdapConnection> Microsoft.Tri.Sensor.DirectoryServicesClient.CreateLdapConnectionAsync(DomainControllerConnectionData domainControllerConnectionData, bool isGlobalCatalog, bool isTraversing)
--- End of inner exception stack trace ---
at async Task<LdapConnection> Microsoft.Tri.Sensor.DirectoryServicesClient.CreateLdapConnectionAsync(DomainControllerConnectionData domainControllerConnectionData, bool isGlobalCatalog, bool isTraversing)
at async Task<LdapConnection> Microsoft.Tri.Sensor.DirectoryServicesClient.CreateLdapConnectionAsync(DomainControllerConnectionData domainControllerConnectionData, bool isGlobalCatalog, bool isTraversing)
at async Task<bool> Microsoft.Tri.Sensor.DirectoryServicesClient.TryCreateLdapConnectionAsync(DomainControllerConnectionData domainControllerConnectionData, bool isGlobalCatalog, bool isTraversing)
2018-12-05 14:38:33.8369 Error DirectoryServicesClient Microsoft.Tri.Infrastructure.ExtendedException: Failed to communicate with configured domain controllers
I already shared my AD trust configuration. Do you think it is a reason for failure?
Thank you!
Dec 05 2018 07:29 AM
Solution
Probably the same reason.
Are you positive that the AD credentials you entered in the portal are correct?
Unlike ATA, in AATP we have no "test" for them in the UI.
Make sure the username, domain and password are correct.
What is the OS version you are running on?
Also, the output of
nltest /DSGETDC: && nltest /DOMAIN_TRUSTS
on both forests might help, but you might want a support case to share this info with us; the forum is not ideal for this...
Dec 09 2018 05:19 AM
Hi Eli,
You are right. It was a credential issue. I provided our domain name from the Azure portal. I should use our local AD domain name instead.
Thank you very much!!!
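The accepted reply notes that the portal has no "test" for the directory services credentials, and the fix turned out to be the domain name entered with them. The PowerShell below is an added example, not part of the original thread or of the Azure ATP product: it attempts an LDAP bind with the same `LdapConnection` class that appears in the sensor's stack trace and reports the resulting error code per candidate domain name, so it can be compared with the `ErrorCode` in Microsoft.Tri.Sensor-Errors.log. The function name `Test-DirectoryServiceBind`, the account name and the bracketed domain values are placeholders.

```powershell
# Added example: hypothetical helper, not shipped with the Azure ATP sensor.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-DirectoryServiceBind {
    param(
        [Parameter(Mandatory)] [string]       $DomainController, # DC named in the sensor log
        [Parameter(Mandatory)] [string]       $UserName,         # account name without a domain prefix
        [Parameter(Mandatory)] [securestring] $Password,
        [Parameter(Mandatory)] [string[]]     $DomainName        # candidate domain names to compare
    )
    foreach ($domain in $DomainName) {
        $id   = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($DomainController, 389)
        $cred = [System.Net.NetworkCredential]::new($UserName, $Password, $domain)
        $conn = [System.DirectoryServices.Protocols.LdapConnection]::new(
                    $id, $cred, [System.DirectoryServices.Protocols.AuthType]::Negotiate)
        $conn.SessionOptions.ProtocolVersion = 3
        $result = [ordered]@{ Domain = $domain; Success = $false; ErrorCode = $null; Message = $null }
        try {
            $conn.Bind()              # throws LdapException when the bind fails
            $result.Success = $true
        }
        catch {
            # PowerShell may wrap the .NET exception; walk down to the LdapException if there is one.
            $ex = $_.Exception
            while ($ex -and $ex -isnot [System.DirectoryServices.Protocols.LdapException]) {
                $ex = $ex.InnerException
            }
            if ($ex) {
                $result.ErrorCode = $ex.ErrorCode   # 82 is LDAP_LOCAL_ERROR, "A local error occurred."
                $result.Message   = $ex.Message
            } else {
                $result.Message   = $_.Exception.Message
            }
        }
        finally { $conn.Dispose() }
        [pscustomobject]$result
    }
}

# Usage (values in <...> and the account name are placeholders, not taken from the thread):
# $pw = Read-Host -AsSecureString 'Password for the directory services account'
# Test-DirectoryServiceBind -DomainController 'DC2.pansw.com' -UserName '<aatp-account>' `
#     -Password $pw -DomainName '<local-AD-domain>', '<Azure-portal-domain>' | Format-Table
```

Run it from the machine hosting the sensor; the domain name whose row shows `Success = True` is the one to enter on the "Directory services" tab.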
Feb 04 2020 02:58 AM
Oct 07 2020 08:44 AM
@Arkady Karasin Hi, do we need to change the credentials on the services running for Azure ATP?
Under services, it's currently running on local credentials.
We have many domains and this domain trusts the domain (ATP admin account domain).
Do we need to change it here?
Oct 14 2020 08:04 AM
@Amin7RDR, no, please do not modify the service itself or it will break.
You need to go to the web portal, navigate to configuration, and then to the "Directory services" tab. On this screen you should enter the proper credentials.
Oct 04 2021 01:09 AM