
Azure Advanced Threat Protection Sensor service failed to start


Hello All!

I just downloaded and installed the new Sensor on my DC2. The Azure Advanced Threat Protection Sensor service is trying to start but never succeeds. I changed the login credentials from Local System to the special user, the same one as in Workspace - Configurations - Directory services. It doesn't help. Rebooted a few times.

Errors logged in Microsoft.Tri.Sensor-Errors.log:

2018-12-02 13:38:26.1870 Error DirectoryServicesClient+<CreateLdapConnectionAsync>d__34 Microsoft.Tri.Infrastructure.ExtendedException: Failed to connect to domain controller [DomainControllerDnsName=DC2.pansw.com ErrorCode=82] ---> System.DirectoryServices.Protocols.LdapException: A local error occurred.
at void System.DirectoryServices.Protocols.LdapConnection.BindHelper(NetworkCredential newCredential, bool needSetCredential)

...

2018-12-02 13:38:26.2026 Error DirectoryServicesClient Microsoft.Tri.Infrastructure.ExtendedException: Failed to communicate with configured domain controllers
at new Microsoft.Tri.Sensor.DirectoryServicesClient(IConfigurationManager configurationManager, IMetricManager metricManager, IWorkspaceApplicationSensorApiJsonProxy workspaceApplicationSensorApiJsonProxy)

 

In System Event Viewer logged following error:

The Azure Advanced Threat Protection Sensor service terminated unexpectedly.  It has done this 4070 time(s).  The following corrective action will be taken in 5000 milliseconds: Restart the service.

 

The firewall is off. ESET File Security is disabled. ldp.exe successfully connects to both DCs.

 

Any ideas?

 

 


Please restore the service credentials to the default; it must run as deployed and never be changed.

As for the error: any chance this is a multi-forest deployment, where you either have no trust or only an external trust?

If yes, this scenario is not yet supported, but a preview of it is coming very soon. If you are interested, I suggest using the feedback email from the UI and asking to be a preview candidate.

I restored the credentials back to the Local System account.

I have 2 domains with a forest-type trust between them. In general the second domain is not involved in the deployment. It is used for tests only.

I am planning to install the sensor on another DC.

Is the trust one way or two way?

Installed on the second DC. Same error.
What am I missing?

Are you 100% sure about the trust setup?

Currently we only support a full two-way trust, or a full one-way trust where the AATP AD account that you have set is coming from the trusted forest.

So far I have only seen this error (ErrorCode=82) in cases where the trust was not one of those but some other type.

Can you double check it?

Also, make sure the account details (username, password) supplied to AATP are correct.

Hi Eli,

Everything is inside one of the domains. The ATP user is from this domain too. The second domain is not involved in the process.

 

[attached image: trust.png]

I installed the sensor on a standalone server and got a different error, but the service refuses to start:

 

2018-12-05 14:31:50.8754 Error DirectoryServicesClient Microsoft.Tri.Infrastructure.ExtendedException: Domain controllers are not configured
at new Microsoft.Tri.Sensor.DirectoryServicesClient(IConfigurationManager configurationManager, IMetricManager metricManager, IWorkspaceApplicationSensorApiJsonProxy workspaceApplicationSensorApiJsonProxy)
at object lambda_method(Closure, object[])
at object Autofac.Core.Activators.Reflection.ConstructorParameterBinding.Instantiate()
at void Microsoft.Tri.Infrastructure.ModuleManager.AddModules(Type[] moduleTypes)
at ModuleManager Microsoft.Tri.Sensor.SensorService.CreateModuleManager()
at async Task Microsoft.Tri.Infrastructure.Service.OnStartAsync()
at void Microsoft.Tri.Infrastructure.TaskExtension.Await(Task task)
at void Microsoft.Tri.Infrastructure.Service.OnStart(string[] args)
 

When installing an integrated sensor, we auto-configure it by default, as we know which DC we are running on.

In the case of a standalone sensor, there is no (feasible) way for us to auto-detect which DCs are port-mirrored to this machine, so you need to go to the sensor list in the portal configuration section and manually tell this sensor which DCs it should monitor. Once you do that, a few seconds later the service should be able to start.

Hi Eli!

I did it.

Now I am getting the same error as on the DCs:

 

2018-12-05 14:38:33.8213 Error DirectoryServicesClient+<CreateLdapConnectionAsync>d__34 Microsoft.Tri.Infrastructure.ExtendedException: Failed to connect to domain controller [DomainControllerDnsName=juno1.pansw.com ErrorCode=82] ---> System.DirectoryServices.Protocols.LdapException: A local error occurred.
at void System.DirectoryServices.Protocols.LdapConnection.BindHelper(NetworkCredential newCredential, bool needSetCredential)
at async Task<LdapConnection> Microsoft.Tri.Sensor.DirectoryServicesClient.CreateLdapConnectionAsync(DomainControllerConnectionData domainControllerConnectionData, bool isGlobalCatalog, bool isTraversing)
--- End of inner exception stack trace ---
at async Task<LdapConnection> Microsoft.Tri.Sensor.DirectoryServicesClient.CreateLdapConnectionAsync(DomainControllerConnectionData domainControllerConnectionData, bool isGlobalCatalog, bool isTraversing)
at async Task<LdapConnection> Microsoft.Tri.Sensor.DirectoryServicesClient.CreateLdapConnectionAsync(DomainControllerConnectionData domainControllerConnectionData, bool isGlobalCatalog, bool isTraversing)
at async Task<bool> Microsoft.Tri.Sensor.DirectoryServicesClient.TryCreateLdapConnectionAsync(DomainControllerConnectionData domainControllerConnectionData, bool isGlobalCatalog, bool isTraversing)
2018-12-05 14:38:33.8369 Error DirectoryServicesClient Microsoft.Tri.Infrastructure.ExtendedException: Failed to communicate with configured domain controllers

 

I already shared my AD trust configuration. Do you think it is the reason for the failure?

 

Thank you!

best response confirmed by Arkady Karasin (Copper Contributor)
Solution

Probably the same reason.

Are you positive that the AD credentials you entered in the portal are correct?

Unlike ATA, in AATP we have no "test" for them in the UI.

Make sure the username, domain and password are correct.

 

What is the OS version you are running on?

Also, the output of

nltest /DSGETDC: && nltest /DOMAIN_TRUSTS

on both forests might help, but you might want a support case to share this info with us; the forum is not ideal for this...
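Since the portal offers no "test" button, an added pre-flight check (not from this thread and not Microsoft's own tooling) that performs the same System.DirectoryServices.Protocols bind the sensor's stack trace shows, so the on-prem AD domain name can be compared against the Azure/email-suffix form before the sensor loops on ErrorCode=82. The DC name, domain names and account name are placeholders.

```powershell
# Added example: reproduce the sensor's LDAP bind with candidate Directory Services credentials.
# Run on the sensor host so the result reflects that machine's name resolution and trust path.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-AatpLdapBind {
    param(
        [Parameter(Mandatory)] [string] $DomainController,              # DC FQDN as it appears in the sensor log
        [Parameter(Mandatory)] [string] $AdDomain,                      # candidate domain part of the credential
        [Parameter(Mandatory)] [string] $UserName,                      # sAMAccountName of the sensor account
        [Parameter(Mandatory)] [System.Security.SecureString] $Password
    )
    # NetworkCredential(user, SecureString password, domain): the same object type BindHelper receives.
    $cred = [System.Net.NetworkCredential]::new($UserName, $Password, $AdDomain)
    $id   = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($DomainController, 389)
    $conn = [System.DirectoryServices.Protocols.LdapConnection]::new($id)
    $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $conn.Credential = $cred
    $conn.SessionOptions.Signing = $true   # sign and seal the session; no plaintext simple bind
    $conn.SessionOptions.Sealing = $true
    try {
        $conn.Bind()
        [pscustomobject]@{ Domain = $AdDomain; ErrorCode = 0; Result = 'BIND OK' }
    } catch [System.DirectoryServices.Protocols.LdapException] {
        # ErrorCode 82 is the "A local error occurred" value seen in Microsoft.Tri.Sensor-Errors.log;
        # 49 would indicate a rejected username/password on an otherwise reachable domain.
        [pscustomobject]@{ Domain = $AdDomain; ErrorCode = $_.Exception.ErrorCode; Result = $_.Exception.Message }
    } finally {
        $conn.Dispose()
    }
}

# Usage (placeholders): try the on-prem AD name and the Azure tenant / email-suffix name side by side.
$pw = Read-Host -AsSecureString 'Password for the sensor account'
foreach ($candidate in @('corp.example.local', 'example.onmicrosoft.com')) {
    Test-AatpLdapBind -DomainController 'dc1.corp.example.local' -AdDomain $candidate -UserName 'svc-aatp' -Password $pw
}
```

Only the domain form that returns BIND OK belongs in the portal's Directory services tab; the service itself stays on Local System, as Eli notes above.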

 

 

 

Hi Eli,

You are right. It was a credential issue. I provided our domain name from the Azure portal. I should use our local AD domain name instead.

Thank you very much!!!

I had a similar issue and changed the Directory Services credentials to reference the on-prem domain name rather than the primary email suffix, and this resolved the issue for us. Thanks for the pointer.

@Arkady Karasin Hi, do we need to change the credentials on the services running for Azure ATP?

 

Under Services, it's currently running on local credentials.

We have many domains, and this domain trusts the domain of the ATP admin account.

Do we need to change it here?

 

[attached screenshot: Amin7RDR_0-1602085466689.png]

 

@Amin7RDR, no, please do not modify the service itself or it will break.

You need to go to the web portal; there, navigate to Configuration and then to the "Directory services" tab. On this screen you should enter the proper credentials.

We created a service account for each domain and registered it on the portal, after which it was able to work properly.