Azure ATP Service Fails to Start

Hi Everyone,

I'm deploying Azure ATP with a client and we have installed a standalone sensor. The Azure ATP service tries to start and then stops. We're seeing an error stating "Sequence contains no elements". Attached is a screenshot of the errors. Has anyone seen this error before? Any guidance is appreciated. Thanks!

@meliss0215, you most likely missed this step in the system configuration:

https://docs.microsoft.com/en-us/azure-advanced-threat-protection/install-atp-step2

so the sensor does not have the needed info to start properly.

Thanks @Eli Ofek for the advice! We did configure a username and password to connect to AD, but I will double check this again. I did see another post where you mentioned there could be either a missing or duplicate NTDS settings record for a similar error. Would this be something to look at too? I didn't see any documentation regarding this may cause an issue for Azure ATP.

@meliss0215 

No, the NTDS settings issue is a different call stack. I don't think it's related here.

How many credentials did you provide in the mentioned step? Do you have coverage with these credentials for all the domains/forests, which might not be working with full trust?

@Eli Ofek We only added one set of AD credentials. I took a look at the trusts as shown in the attached file. I also included the service account we are using. I'm having my customer take a look to see that the account can cover all domains/forests in the environment.

@meliss0215 External trust won't work with a single credential; you will need to add more credentials to cover everything.

@Eli Ofek Thanks for the information. My customer is looking into the external trusts. To clarify, we cannot specify a single domain; Azure ATP looks at all of the domains listed?

To get a good experience, you need to cover all the forests. If you have several forests with any kind of trust, which means they can talk to each other, you will need credentials to cover all of them.

@Eli Ofek thanks for the insight. This is very helpful.

@Eli Ofek 

I'd like to add to this thread, I'm seeing seemingly the exact same error when deploying to production.

For context, we deployed to a test environment (each environment looks like: Two forests, primary forest has company.com and two child.company.com domains, second forest has an external trust) with only a single account in the primary child domain, and that worked fine.

However, when trying to install a standalone sensor, I get the same error as in the first screenshot here:

2019-07-03 18:30:29.2434 Error Enumerable System.InvalidOperationException: Sequence contains no elements
at TSource System.Linq.Enumerable.First<TSource>(IEnumerable<TSource> source)
at void Microsoft.Tri.Sensor.DomainNetworkCredentialsManager.UpdateConfigurations(ConfigurationCollection configurations)
at Func<Task> Microsoft.Tri.Infrastructure.ActionExtension.ToAsyncFunction(Action action)+(TItem _) => { }
at async Task Microsoft.Tri.Infrastructure.ConfigurationManager.RegisterConfigurationAsync(Func<ConfigurationCollection, Task> onConfigurationsUpdateAsync, Type[] configurationTypes)
at void Microsoft.Tri.Infrastructure.TaskExtension.Await(Task task)
at new Microsoft.Tri.Sensor.DomainNetworkCredentialsManager(IConfigurationManager configurationManager)
at object lambda_method(Closure, object[])
at object Autofac.Core.Activators.Reflection.ConstructorParameterBinding.Instantiate()
at void Microsoft.Tri.Infrastructure.ModuleManager.AddModules(Type[] moduleTypes)
at ModuleManager Microsoft.Tri.Sensor.SensorService.CreateModuleManager()
at async Task Microsoft.Tri.Infrastructure.Service.OnStartAsync()
at void Microsoft.Tri.Infrastructure.TaskExtension.Await(Task task)
at void Microsoft.Tri.Infrastructure.Service.OnStart(string[] args)

We have the account for both the child.testcompany.com and child.company.com domains listed in the ATP domain services config.

According to the documentation:

  • Add credentials on the Directory services page for all forests in your environment.
    • One credential is required per forest with two-way trust.
    • Additional credentials are required for each forest with non-Kerberos trust or no trust.

If I'm reading this right, we should only need two credentials per environment: one for the primary forest 'company.com' and its child domains, and one for the external trusted domain?

If I have all that right, I'm wondering two things:

  1. Why this worked in test?
    1. The only difference is that we started with the domain controller sensors in test, but in prod we are installing a standalone sensor to start with. We do not have a standalone sensor in test.
  2. How are you supposed to configure this if you have external trusts to forests you don't have any control over, and can't create an account in?
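To turn the credential rule quoted from the documentation into a concrete checklist before starting the sensor, the following added example (not code from the thread or from Azure ATP itself) enumerates the trusts seen from the sensor's forest and reports which trusted forests or domains still lack a Directory Services credential. It assumes the ActiveDirectory RSAT module, read access to the local forest, and a constructed list of already-configured credential domains (`company.com` is a placeholder from the post above).

```powershell
# Added example, not code from the thread or from Azure ATP: map AD trusts to the
# credential rule quoted above (one credential per forest joined by a two-way
# forest trust; a dedicated credential for every forest reached by an external,
# one-way or other non-forest trust) and flag targets without a credential.
# Assumes the ActiveDirectory RSAT module and read access to the local forest.
Import-Module ActiveDirectory

function Get-AtpCredentialCoverage {
    param(
        # Forest/domain names for which a Directory Services credential already exists (assumed input).
        [string[]]$ConfiguredCredentialDomains = @()
    )
    $forest = Get-ADForest
    $rows = New-Object System.Collections.Generic.List[object]

    # The sensor's own forest always needs one credential.
    $rows.Add([pscustomobject]@{
        Target  = $forest.Name; Kind = 'local forest: one credential'
        Covered = ($ConfiguredCredentialDomains -contains $forest.Name) })

    # Collect the trusts of every domain in the forest. Intra-forest trusts
    # (parent/child, tree-root) are already covered by the forest credential.
    $trusts = foreach ($d in $forest.Domains) { Get-ADTrust -Filter * -Server $d }
    foreach ($t in $trusts | Where-Object { -not $_.IntraForest } | Sort-Object Name -Unique) {
        $kind = if ($t.ForestTransitive -and $t.Direction -eq 'BiDirectional') {
            'two-way forest trust: one credential for that forest'
        } else {
            "external/$($t.Direction) trust: dedicated credential for $($t.Name)"
        }
        $rows.Add([pscustomobject]@{
            Target  = $t.Name; Kind = $kind
            Covered = ($ConfiguredCredentialDomains -contains $t.Name) })
    }
    return $rows
}

# Usage with a constructed input: only the primary forest has a credential so far.
$coverage = Get-AtpCredentialCoverage -ConfiguredCredentialDomains @('company.com')
$coverage | Format-Table Target, Kind, Covered -AutoSize
$missing = $coverage | Where-Object { -not $_.Covered }
if ($missing) {
    Write-Warning "Add Directory Services credentials for: $($missing.Target -join ', ')"
}
```

A forest reached only by an external trust where no read-only account can be created will show up as uncovered here; as the later replies note, such a forest cannot be monitored.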

@nomeara 

For the standalone one, did you configure which mirrored DC it is monitoring?

While an integrated sensor is auto-configured, a standalone sensor needs to be configured manually.

Just wanted to make sure the basics are correct.

 

If you have a forest with an external trust only, and no read-only account there, you can't monitor it...

But how could you anyway? I am guessing you can't install a sensor there ...

Or maybe I misunderstood what you are after?

@Eli Ofek 

Thanks for the quick reply.

We have not configured it to mirror any DCs.

1: The instructions show that step as after this step, and we are not even getting the service to start, which appears to be expected before configuring the mirroring settings.

2: This particular sensor is being installed to accept VPN accounting logs via RADIUS, not to mirror a domain controller. Is this not a supported configuration? We will be installing sensors on the DCs separately for monitoring them.

@nomeara, a standalone Gateway that monitors no DC is not a supported scenario.

It needs at least one DC to monitor, or else it will keep restarting and failing on a call stack similar to this:

2019-07-03 20:48:45.4181 5656 5   Error [DirectoryServicesClient+<OnInitializeAsync>d__14] Microsoft.Tri.Infrastructure.Utils.ExtendedException: Domain controllers are not configured
   at async Microsoft.Tri.Gateway.Resolution.DirectoryServices.DirectoryServicesClient.OnInitializeAsync(?)
   at async Microsoft.Tri.Infrastructure.Framework.Module.InitializeAsync(?)
   at async Microsoft.Tri.Infrastructure.Framework.ModuleManager.OnInitializeAsync(?)
   at async Microsoft.Tri.Infrastructure.Framework.Module.InitializeAsync(?)
   at async Microsoft.Tri.Infrastructure.Framework.Service.OnStartAsync(?)
   at Microsoft.Tri.Infrastructure.Framework.Service.OnStart(String[] args)

Although it's not the stack you have seen, so I guess you have some kind of additional issue there, even if you get past that you will get stuck on the above issue, so save your time and don't try it...

Your options are either to route the VPN traffic to one of the integrated sensors, or to monitor one of the DCs using port mirroring and a standalone sensor; those are the only supported scenarios, at least for now.