Arkady Karasin
Dec 02, 2018
Solved

Azure Advanced Threat Protection Sensor service failed to start

Hello All!

I just downloaded and installed the new Sensor on my DC2. The Azure Advanced Threat Protection Sensor service tries to start but never succeeds. I changed the logon credentials from Local System to the special user, the same as in workspace - Configurations - Directory services. It didn't help. Rebooted a few times.

Errors logged in Microsoft.Tri.Sensor-Errors.log:

2018-12-02 13:38:26.1870 Error DirectoryServicesClient+<CreateLdapConnectionAsync>d__34 Microsoft.Tri.Infrastructure.ExtendedException: Failed to connect to domain controller [DomainControllerDnsName=DC2.pansw.com ErrorCode=82] ---> System.DirectoryServices.Protocols.LdapException: A local error occurred.
at void System.DirectoryServices.Protocols.LdapConnection.BindHelper(NetworkCredential newCredential, bool needSetCredential)

...

2018-12-02 13:38:26.2026 Error DirectoryServicesClient Microsoft.Tri.Infrastructure.ExtendedException: Failed to communicate with configured domain controllers
at new Microsoft.Tri.Sensor.DirectoryServicesClient(IConfigurationManager configurationManager, IMetricManager metricManager, IWorkspaceApplicationSensorApiJsonProxy workspaceApplicationSensorApiJsonProxy)

 

The following error was logged in the System Event Viewer:

The Azure Advanced Threat Protection Sensor service terminated unexpectedly.  It has done this 4070 time(s).  The following corrective action will be taken in 5000 milliseconds: Restart the service.

 

Firewall is off. ESET File Security is disabled. ldp.exe successfully connects to both DCs.

 

Any ideas?

 

 

  • EliOfek
    Dec 05, 2018

    Probably the same reason.

    Are you positive that the AD credentials you entered in the portal are correct?

    Unlike ATA, in AATP we have no "test" for them in the UI.

    Make sure the username, domain and password are correct.

     

    What is the OS version you are running on?

    Also, the output of

    nltest /DSGETDC: && nltest /DOMAIN_TRUSTS

    on both forests might help, but you might want a support case to share this info with us; the forum is not ideal for this...

     

     

     

16 Replies

  • Please restore the service credentials to the default; it must run as deployed and never be changed.

    As for the error: any chance this is a multi-forest deployment, where you either have no trust or only an external trust?

    If yes, this scenario is not yet supported, but a preview of it is coming very soon, and if you are interested, I suggest using the feedback email from the UI and asking to be a preview candidate.

    • Arkady Karasin

      I restored the credentials back to the Local System account.

      I have 2 domains with a Forest type trust between them. In general, the second domain is not involved in the deployment. It is used for tests only.

      I am planning to install the sensor on another DC.
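
A small triage script for the Microsoft.Tri.Sensor-Errors.log entries quoted in the question, added here as an example (not code from the thread or from Microsoft): it pulls the domain controller and LDAP ErrorCode out of each bind failure and names the code, 82 being the standard LDAP_LOCAL_ERROR that matches "A local error occurred". The entry layout is assumed from the two quoted lines; the third sample line and the host dc1.example.test are constructed.

```python
import re
from collections import Counter

# LDAP client result codes (standard LDAP API values; 82 is the one in the post).
LDAP_CODES = {49: "LDAP_INVALID_CREDENTIALS", 81: "LDAP_SERVER_DOWN",
              82: "LDAP_LOCAL_ERROR", 85: "LDAP_TIMEOUT"}

# Assumed entry header, from the quoted log: "<date> <time> <level> <component> <message>"
ENTRY = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) (\w+) (\S+) (.*)$")
DETAILS = re.compile(r"\[([^\]]+)\]")  # "[Key=Value Key=Value]" block in the message

# The first two entries are the ones quoted in the post; the last entry is constructed.
SAMPLE_LOG = """\
2018-12-02 13:38:26.1870 Error DirectoryServicesClient+<CreateLdapConnectionAsync>d__34 Microsoft.Tri.Infrastructure.ExtendedException: Failed to connect to domain controller [DomainControllerDnsName=DC2.pansw.com ErrorCode=82] ---> System.DirectoryServices.Protocols.LdapException: A local error occurred.
at void System.DirectoryServices.Protocols.LdapConnection.BindHelper(NetworkCredential newCredential, bool needSetCredential)
2018-12-02 13:38:26.2026 Error DirectoryServicesClient Microsoft.Tri.Infrastructure.ExtendedException: Failed to communicate with configured domain controllers
2018-12-02 13:38:31.0000 Error DirectoryServicesClient+<CreateLdapConnectionAsync>d__34 Microsoft.Tri.Infrastructure.ExtendedException: Failed to connect to domain controller [DomainControllerDnsName=dc1.example.test ErrorCode=81]
"""

def parse_bind_failures(text):
    """Return one dict per log entry that names a DC and an LDAP ErrorCode."""
    failures = []
    for line in text.splitlines():
        entry = ENTRY.match(line)
        if not entry:
            continue  # stack-trace continuation ("at ...") or blank line
        timestamp, _level, _component, message = entry.groups()
        details = DETAILS.search(message)
        if not details:
            continue  # entry without a bracketed detail block
        fields = dict(tok.split("=", 1) for tok in details.group(1).split() if "=" in tok)
        if not fields.get("ErrorCode", "").isdigit():
            continue
        code = int(fields["ErrorCode"])
        failures.append({"time": timestamp,
                         "dc": fields.get("DomainControllerDnsName", "?"),
                         "code": code,
                         "name": LDAP_CODES.get(code, "UNKNOWN")})
    return failures

def summarize(failures):
    """Count failures per (domain controller, LDAP result name)."""
    return Counter((f["dc"], f["name"]) for f in failures)

if __name__ == "__main__":
    for (dc, name), count in summarize(parse_bind_failures(SAMPLE_LOG)).items():
        print(f"{dc}: {name} x{count}")
```

Grouping by domain controller and code shows whether every configured DC fails the same way, which is the first thing to check before re-entering the directory service credentials in the portal.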
