Azure ATP - AD gMSA services accounts to sensor affinity or lack of?

Occasional Contributor

Hi

We have multiple domains and using gMSA. MS advises there is a limitation of sharing gMSA across domains. As  a result each domain's sensor will use it's owns domains gMSA acct. We have 5 domains so we created 5 gMSAs. We have seen in the DC  logs where a sensor from a different domain is unable to retrieve the gMSA password of any account from a different domain that is expected as it is not in the gMSA group . These events are registered on the DCs event log and can flood the logs.

Is there a way tell each sensor to use a particular gMSA instead of cycling through the list of 5 and generate unecessary events on the DC?

 

 

4 Replies

@aaaaaaaanonymous , If all the 5  domains have full trust, you can use a single gmsa account for all domains, you just need to give all the relevant DCs permissions to get the gmsa password, it should work, will be easier to manage and you won't see those failures.

Sadly there is no way to lock down a sensor to specific credentials manually,

a sensor will lock itself down once it's running to a set of working credentials automatically.

@Eli Ofek  Thanks for your reply. Yes Full trust exist 1 root and 4 child. So are you saying If I add my sensor DCs from various domains into one group  that is PrincipalsAllowedToRetrieveManagedPassword ,  for 1 gMSA then it should work?  

my testing of multiple DC sensor servers from different domains into one group using 1 gMSA. When running Install-ADServiceAccount or Test-ADServiceAccount : results in errors.  is this the fault of the above 2 commands where it only sends request to it's own domain controllers but ATP sensor is smart enough to seek beyond its domain?

 

 

 

@aaaaaaaanonymous 
Indeed in  our lab, Test-ADServiceAccount will also only work on the same domain, but the sensor still works across the forest if permissions were set correctly, I suggest to try.

@Eli Ofek Thank you so much. 

Was able to run off one single gMSA. Works well.

So good to have someone from the R&D team here to help answer questions.