Apr 16 2020 06:01 AM
Hello,
after installing the ATP sensor on one of my client's domain controllers I can see in the Azure ATP portal, that the service is not starting.
I use a group managed service account which has been set up with the domain controller group as principals to read the password. On the DCs I can successfully run "Test-ADServiceaccount svc_azureatp"
The log files show some errors, I list them in the order I think can be responsible for the issue:
1. Microsoft.Tri.Sensor.Updater.log:
2020-04-16 10:20:47.2604 Warn GroupManagedServiceAccountImpersonationHelper GetGroupManagedServiceAccountAccessTokenAsync failed GMSA password could not be retrieved [errorCode=LogonTypeNotGranted AccountName=SVC_AzureATP DomainDnsName=XXXXXXX.local]
2. Microsoft.Tri.Sensor.log:
2020-04-16 10:15:46.1986 Info ImpersonationManager CreateImpersonatorAsync started [UserName=SVC_AzureATP Domain=XXXXXXX.local IsGroupManagedServiceAccount=True]
2020-04-16 10:15:46.2455 Info ImpersonationManager CreateImpersonatorAsync finished [UserName=SVC_AzureATP Domain=XXXXXXX.local IsSuccess=False]
2020-04-16 10:15:46.2455 Warn DirectoryServicesClient CreateLdapConnectionAsync failed to retrieve group managed service account password. [DomainControllerDnsName=SDCV002.XXXXXXX.local Domain=XXXXXXX.local UserName=SVC_AzureATP ]
2020-04-16 10:15:46.4798 Error DirectoryServicesClient+<CreateLdapConnectionAsync>d__38 Microsoft.Tri.Infrastructure.ExtendedException: CreateLdapConnectionAsync failed [DomainControllerDnsName=SDCV002.XXXXXXX.local]
at async Task<LdapConnection> Microsoft.Tri.Sensor.DirectoryServicesClient.CreateLdapConnectionAsync(DomainControllerConnectionData domainControllerConnectionData, bool isGlobalCatalog, bool isTraversing)
at async Task<bool> Microsoft.Tri.Sensor.DirectoryServicesClient.TryCreateLdapConnectionAsync(DomainControllerConnectionData domainControllerConnectionData, bool isGlobalCatalog, bool isTraversing)
2020-04-16 10:15:46.4955 Error DirectoryServicesClient Microsoft.Tri.Infrastructure.ExtendedException: Failed to communicate with configured domain controllers
at new Microsoft.Tri.Sensor.DirectoryServicesClient(IConfigurationManager configurationManager, IDomainNetworkCredentialsManager domainNetworkCredentialsManager, IImpersonationManager impersonationManager, IMetricManager metricManager, IWorkspaceApplicationSensorApiJsonProxy workspaceApplicationSensorApiJsonProxy)
at object lambda_method(Closure, object[])
at object Autofac.Core.Activators.Reflection.ConstructorParameterBinding.Instantiate()
at void Microsoft.Tri.Infrastructure.ModuleManager.AddModules(Type[] moduleTypes)
at new Microsoft.Tri.Sensor.SensorModuleManager()
at ModuleManager Microsoft.Tri.Sensor.SensorService.CreateModuleManager()
at async Task Microsoft.Tri.Infrastructure.Service.OnStartAsync()
at void Microsoft.Tri.Infrastructure.TaskExtension.Await(Task task)
at void Microsoft.Tri.Infrastructure.Service.OnStart(string[] args)
I setup a group managed service account with the very same settings on my own lab and was able to successfully add this environment to the Azure ATP workspace of my client by installing the sensor on my lab DC.
I'd appreciate it if you could help me find out what the issue could be. I assume it has something to do with the logon type the gMSA might be missing on the DCs?
Best regards
Mario Schaupp
Apr 16 2020 07:36 AM
Hi,
I was able to resolve the issue myself. A Default Domain Controller Policy GPO had overwritten the default settings for the security policy "log on as service". „NT SERVICE\ALL SERVICES“ was missing and after adding this group, the service was able to start
Apr 19 2020 12:05 PM
@marioschaupp Just wanted to let you know that I was experiencing the same issue, and your fix worked for me as well. Reintroducing the NT SERVICE/ALL SERVICES to the list of Log In as as Service allowed the ATP Sensor to run on mine as well.
Thanks!
Jul 02 2020 02:24 PM
@marioschaupp where exactly do you modify the settings? I am having issues with some sensors on some servers and have been trying everything I find online. I am about to open a ticket, but wanted to give this a shot.
Jul 07 2020 05:32 AM
@sophiavega I can't speak for anyone else, but we had a security policy GPO that limited what user accounts could log in as a service. By adding NT SERVICE/ALL SERVICES to that list of groups/users that were allowed to log in as a service, we were able to get the ATP sensor to start up.
Sep 21 2020 02:58 PM
@cjohnston is NT SERVICE/ALL SERVICES required for 'login in as service'? Could the individual gMSA account be assigned access to 'log on as service' via group policy?
Dec 07 2020 04:13 PM
We had the same GPO setting which was stopping the ATP service from staring. Adding the Group Managed Service Account to the list of accounts allowed to logon locally fixed the issue.
It's wasn't necessary to allow all services.
Jan 06 2021 05:49 AM - edited Jan 06 2021 06:03 AM
Hello @marioschaupp ,
Please note it's not clear for me. We are unable to run the service AATPSensor.
Is it in local policy of the server or via Domain controller ?
Error 1068
Jan 21 2021 05:25 PM
Feb 27 2021 07:04 AM
May 18 2021 07:59 AM
@19873306 - The recommended configuration for the "Log On as a Service" setting is to use a Security Group containing all the DCs with Sensors hosted. This enables those machines to retrieve the gMSA account.
You can also use the individual hostname of the DC.