May 29 2019 12:48 PM
Hi Everyone,
I'm deploying Azure ATP with a client and we have installed a standalone sensor. The Azure ATP service tries to start and then stops. We're seeing an error stating "Sequence contains no elements". Attached is a screenshot of the errors. Has anyone seen this error before? Any guidance is appreciated. Thanks!
May 29 2019 02:41 PM
@meliss0215, you most likely missed this step in the system configuration:
https://docs.microsoft.com/en-us/azure-advanced-threat-protection/install-atp-step2
so the sensor does not have the needed info to start properly.
May 29 2019 07:36 PM
Thanks @Eli Ofek for the advice! We did configure a username and password to connect to AD, but I will double check this again. I did see another post where you mentioned there could be either a missing or duplicate NTDS settings record for a similar error. Would this be something to look at too? I didn't see any documentation indicating that this may cause an issue for Azure ATP.
May 30 2019 12:50 AM
No, NTDS setting is a different callstack. I don't think it's related here.
How many credentials did you provide in the mentioned step? Do you have coverage with these credentials to cover all the domains/forests which might not be working with full trust?
May 31 2019 04:39 AM
@Eli Ofek We only added one set of AD credentials. I took a look at the trusts as shown in the attached file. I also included the service account we are using. I'm having my customer take a look to see if that account can cover all domains/forests in the environment.
May 31 2019 04:58 AM
@meliss0215 External trust won't work with a single credential; you will need to add more credentials to cover everything.
May 31 2019 11:41 AM
@Eli Ofek Thanks for the information. My customer is looking into the external trusts. To clarify, we cannot specify a single domain, Azure ATP looks at all of the domains listed?
May 31 2019 11:43 AM
To get a good experience, you need to cover all the forest. If you have several forests, with any kind of trust, which means they can talk to each other, you will need credentials to cover all of them.
Jun 03 2019 10:00 AM
@Eli Ofek thanks for the insight. This is very helpful.
Jul 03 2019 11:40 AM
I'd like to add to this thread. I'm seeing seemingly the exact same error when deploying to production.
For context, we deployed to a test environment (each environment looks like: Two forests, primary forest has company.com and two child.company.com domains, second forest has an external trust) with only a single account in the primary child domain, and that worked fine.
However, when trying to install a standalone sensor, I get the same error as in the first screenshot here:
2019-07-03 18:30:29.2434 Error Enumerable System.InvalidOperationException: Sequence contains no elements
at TSource System.Linq.Enumerable.First<TSource>(IEnumerable<TSource> source)
at void Microsoft.Tri.Sensor.DomainNetworkCredentialsManager.UpdateConfigurations(ConfigurationCollection configurations)
at Func<Task> Microsoft.Tri.Infrastructure.ActionExtension.ToAsyncFunction(Action action)+(TItem _) => { }
at async Task Microsoft.Tri.Infrastructure.ConfigurationManager.RegisterConfigurationAsync(Func<ConfigurationCollection, Task> onConfigurationsUpdateAsync, Type[] configurationTypes)
at void Microsoft.Tri.Infrastructure.TaskExtension.Await(Task task)
at new Microsoft.Tri.Sensor.DomainNetworkCredentialsManager(IConfigurationManager configurationManager)
at object lambda_method(Closure, object[])
at object Autofac.Core.Activators.Reflection.ConstructorParameterBinding.Instantiate()
at void Microsoft.Tri.Infrastructure.ModuleManager.AddModules(Type[] moduleTypes)
at ModuleManager Microsoft.Tri.Sensor.SensorService.CreateModuleManager()
at async Task Microsoft.Tri.Infrastructure.Service.OnStartAsync()
at void Microsoft.Tri.Infrastructure.TaskExtension.Await(Task task)
at void Microsoft.Tri.Infrastructure.Service.OnStart(string[] args)
We have the account for both the child.testcompany.com and child.company.com domains listed in the ATP domain services config.
According to the documentation:
If I'm reading this right, we should only need two credentials per environment. One for the primary forest 'company.com' and its child domains, as well as one for the external trusted domain?
If I have all that right, I'm wondering two things:
Jul 03 2019 12:52 PM
For the standalone one, did you configure it as to which mirrored DC it is monitoring?
While integrated is auto-configured, in standalone you need to configure it manually.
Just wanted to make sure the basics are correct.
If you have a forest with an external trust only, and no read only account there, you can't monitor it...
But how could you anyway? I am guessing you can't install a sensor there ...
Or maybe I misunderstood what you are after?
Jul 03 2019 12:59 PM - edited Jul 03 2019 12:59 PM
Thanks for the quick reply.
We have not configured it to mirror any DCs.
1: The instructions show that step as after this step, and we are not even getting the service to start, which appears to be expected before configuring the mirroring settings.
2: This particular sensor is being installed to accept VPN accounting logs via RADIUS, not to mirror a domain controller. Is this not a supported configuration? We will be installing sensors on the DCs separately for monitoring them.
Jul 03 2019 01:52 PM
@nomeara, a standalone Gateway that monitors no DC is not a supported scenario.
It needs at least one DC to monitor, or else it will keep restarting and failing on a callstack similar to this:
2019-07-03 20:48:45.4181 5656 5 Error [DirectoryServicesClient+<OnInitializeAsync>d__14] Microsoft.Tri.Infrastructure.Utils.ExtendedException: Domain controllers are not configured
at async Microsoft.Tri.Gateway.Resolution.DirectoryServices.DirectoryServicesClient.OnInitializeAsync(?)
at async Microsoft.Tri.Infrastructure.Framework.Module.InitializeAsync(?)
at async Microsoft.Tri.Infrastructure.Framework.ModuleManager.OnInitializeAsync(?)
at async Microsoft.Tri.Infrastructure.Framework.Module.InitializeAsync(?)
at async Microsoft.Tri.Infrastructure.Framework.Service.OnStartAsync(?)
at Microsoft.Tri.Infrastructure.Framework.Service.OnStart(String[] args)
Although it's not the stack you have seen, so I guess you have some kind of additional issue there, but even if you go past that, you will get stuck on the above issue, so save your time and don't try it...
Your options are either to route the VPN traffic to one of the integrated sensors, or monitor one of the DCs using port mirroring and a standalone sensor. Those are the only supported scenarios, at least for now.
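The replies above tell the two startup failures apart by their call stacks. The following is an added example, not part of the original posts or of Microsoft's tooling: a small Python triage script that groups sensor log entries by exception and first Microsoft.Tri frame and counts repeats from service restarts. The function names, the hint wording and the sample log are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample modelled on the thread's two excerpts; the 18:31:02 entry is invented.
SAMPLE_LOG = """\
2019-07-03 18:30:29.2434 Error Enumerable System.InvalidOperationException: Sequence contains no elements
   at TSource System.Linq.Enumerable.First<TSource>(IEnumerable<TSource> source)
   at void Microsoft.Tri.Sensor.DomainNetworkCredentialsManager.UpdateConfigurations(ConfigurationCollection configurations)
2019-07-03 18:31:02.1170 Error Enumerable System.InvalidOperationException: Sequence contains no elements
   at void Microsoft.Tri.Sensor.DomainNetworkCredentialsManager.UpdateConfigurations(ConfigurationCollection configurations)
2019-07-03 20:48:45.4181 5656 5 Error [DirectoryServicesClient+<OnInitializeAsync>d__14] Microsoft.Tri.Infrastructure.Utils.ExtendedException: Domain controllers are not configured at async Microsoft.Tri.Gateway.Resolution.DirectoryServices.DirectoryServicesClient.OnInitializeAsync(?) at Microsoft.Tri.Infrastructure.Framework.Service.OnStart(String[] args)
"""

ENTRY_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+ ")
EXCEPTION = re.compile(r"([\w.]+Exception):\s*(.+)")
TRI_FRAME = re.compile(r"(Microsoft\.Tri\.[\w.]+)\(")

# Hints paraphrase the replies in this thread; they are not vendor documentation.
HINTS = [
    ("Sequence contains no elements", "DomainNetworkCredentialsManager", "check directory services credentials and forest coverage"),
    ("Domain controllers are not configured", "", "standalone sensor has no domain controller configured to monitor"),
]

def entries(log_text):
    """Group physical lines into logical entries; a timestamp starts a new one."""
    current = []
    for line in log_text.splitlines():
        if ENTRY_START.match(line) and current:
            yield " ".join(current)
            current = []
        if line.strip():
            current.append(line.strip())
    if current:
        yield " ".join(current)

def signature(entry):
    """Return (exception type, message, first Microsoft.Tri frame), or None if no exception."""
    head, *frames = re.split(r"\s+at\s+", entry)  # works for multi-line and flattened stacks
    exc = EXCEPTION.search(head)
    if exc is None:
        return None
    tri = next((m.group(1) for f in frames if (m := TRI_FRAME.search(f))), "")
    return exc.group(1), exc.group(2).strip(), tri

def triage(log_text):
    """Count each distinct signature, most frequent first, and attach the matching hint."""
    counts = Counter(s for e in entries(log_text) if (s := signature(e)))
    return [{"exception": etype, "message": msg, "frame": frame, "count": n,
             "hint": next((h for m, f, h in HINTS if m in msg and f in frame), "unknown")}
            for (etype, msg, frame), n in counts.most_common()]
```

Entries whose signature matches no hint come back as "unknown", which keeps a different call stack from being misread as one of these two causes.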