Azure ATP service not starting

%3CLINGO-SUB%20id%3D%22lingo-sub-1312644%22%20slang%3D%22en-US%22%3EAzure%20ATP%20service%20not%20starting%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1312644%22%20slang%3D%22en-US%22%3E%3CP%3EHello%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Eafter%20installing%20the%20ATP%20sensor%20on%20one%20of%20my%20client's%20domain%20controllers%20I%20can%20see%20in%20the%20Azure%20ATP%20portal%2C%20that%20the%20service%20is%20not%20starting.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20use%20a%20group%20managed%20service%20account%20which%20has%20been%20set%20up%20with%20the%20domain%20controller%20group%20as%20principals%20to%20read%20the%20password.%20On%20the%20DCs%20I%20can%20successfully%20run%20%22Test-ADServiceaccount%20svc_azureatp%22%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20log%20files%20show%20some%20errors%2C%20I%20list%20them%20in%20the%20order%20I%20think%20can%20be%20responsible%20for%20the%20issue%3A%3C%2FP%3E%3CP%3E1.%20Microsoft.Tri.Sensor.Updater.log%3A%3C%2FP%3E%3CP%3E2020-04-16%2010%3A20%3A47.2604%20Warn%20GroupManagedServiceAccountImpersonationHelper%20GetGroupManagedServiceAccountAccessTokenAsync%20failed%20GMSA%20password%20could%20not%20be%20retrieved%20%5BerrorCode%3DLogonTypeNotGranted%20AccountName%3DSVC_AzureATP%20DomainDnsName%3DXXXXXXX.local%5D%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E2.%20Microsoft.Tri.Sensor.log%3A%3C%2FP%3E%3CP%3E2020-04-16%2010%3A15%3A46.1986%20Info%20ImpersonationManager%20CreateImpersonatorAsync%20started%20%5BUserName%3DSVC_AzureATP%20Domain%3DXXXXXXX.local%20IsGroupManagedServiceAccount%3DTrue%5D%3CBR%20%2F%3E2020-04-16%2010%3A15%3A46.2455%20Info%20ImpersonationManager%20CreateImpersonatorAsync%20finished%20%5BUserName%3DSVC_AzureATP%20Domain%3DXXXXXXX.local%20IsSuccess%3DFalse%5D%3CBR%20%2F%3E2020-04-16%2010%3A15%3A46.2455%20Warn%20DirectoryServicesClient%20CreateLdapConnectionAsync%20failed%20to%20retrieve%20group%20managed%20service%20account%20password.%20%5BDomainControllerDnsName%3DSDCV002.XXXXXXX.local%20Domain%3DXXXXXXX.local%20UserName%3DSVC_AzureATP%20%5D%3CBR%20%2F%3E2020-04-16%2010%3A15%3A46.4798%20Error%20DirectoryServicesClient%2B%3CCREATELDAPCONNECTIONASYNC%3Ed__38%20Microsoft.Tri.Infrastructure.ExtendedException%3A%20CreateLdapConnectionAsync%20failed%20%5BDomainControllerDnsName%3DSDCV002.XXXXXXX.local%5D%3CBR%20%2F%3Eat%20async%20Task%3CLDAPCONNECTION%3E%20Microsoft.Tri.Sensor.DirectoryServicesClient.CreateLdapConnectionAsync(DomainControllerConnectionData%20domainControllerConnectionData%2C%20bool%20isGlobalCatalog%2C%20bool%20isTraversing)%3CBR%20%2F%3Eat%20async%20Task%3CBOOL%3E%20Microsoft.Tri.Sensor.DirectoryServicesClient.TryCreateLdapConnectionAsync(DomainControllerConnectionData%20domainControllerConnectionData%2C%20bool%20isGlobalCatalog%2C%20bool%20isTraversing)%3CBR%20%2F%3E2020-04-16%2010%3A15%3A46.4955%20Error%20DirectoryServicesClient%20Microsoft.Tri.Infrastructure.ExtendedException%3A%20Failed%20to%20communicate%20with%20configured%20domain%20controllers%3CBR%20%2F%3Eat%20new%20Microsoft.Tri.Sensor.DirectoryServicesClient(IConfigurationManager%20configurationManager%2C%20IDomainNetworkCredentialsManager%20domainNetworkCredentialsManager%2C%20IImpersonationManager%20impersonationManager%2C%20IMetricManager%20metricManager%2C%20IWorkspaceApplicationSensorApiJsonProxy%20workspaceApplicationSensorApiJsonProxy)%3CBR%20%2F%3Eat%20object%20lambda_method(Closure%2C%20object%5B%5D)%3CBR%20%2F%3Eat%20object%20Autofac.Core.Activators.Reflection.ConstructorParameterBinding.Instantiate()%3CBR%20%2F%3Eat%20void%20Microsoft.Tri.Infrastructure.ModuleManager.AddModules(Type%5B%5D%20moduleTypes)%3CBR%20%2F%3Eat%20new%20Microsoft.Tri.Sensor.SensorModuleManager()%3CBR%20%2F%3Eat%20ModuleManager%20Microsoft.Tri.Sensor.SensorService.CreateModuleManager()%3CBR%20%2F%3Eat%20async%20Task%20Microsoft.Tri.Infrastructure.Service.OnStartAsync()%3CBR%20%2F%3Eat%20void%20Microsoft.Tri.Infrastructure.TaskExtension.Await(Task%20task)%3CBR%20%2F%3Eat%20void%20Microsoft.Tri.Infrastructure.Service.OnStart(string%5B%5D%20args)%3C%2FBOOL%3E%3C%2FLDAPCONNECTION%3E%3C%2FCREATELDAPCONNECTIONASYNC%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20setup%20a%20group%20managed%20service%20account%20with%20the%20very%20same%20settings%20on%20my%20own%20lab%20and%20was%20able%20to%20successfully%20add%20this%20environment%20to%20the%20Azure%20ATP%20workspace%20of%20my%20client%20by%20installing%20the%20sensor%20on%20my%20lab%20DC.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI'd%20appreciate%20it%20if%20you%20could%20help%20me%20find%20out%20what%20the%20issue%20could%20be.%20I%20assume%20it%20has%20something%20to%20do%20with%20the%20logon%20type%20the%20gMSA%20might%20be%20missing%20on%20the%20DCs%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBest%20regards%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMario%20Schaupp%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1313029%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20ATP%20service%20not%20starting%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1313029%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20was%20able%20to%20resolve%20the%20issue%20myself.%20A%20Default%20Domain%20Controller%20Policy%20GPO%20had%20overwritten%20the%20default%20settings%20for%20the%20security%20policy%20%22log%20on%20as%20service%22.%20%3CSPAN%3E%E2%80%9ENT%20SERVICE%5CALL%20SERVICES%E2%80%9C%20was%20missing%20and%20after%20adding%20this%20group%2C%20the%20service%20was%20able%20to%20start%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1319786%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20ATP%20service%20not%20starting%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1319786%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F427957%22%20target%3D%22_blank%22%3E%40marioschaupp%3C%2FA%3E%26nbsp%3BJust%20wanted%20to%20let%20you%20know%20that%20I%20was%20experiencing%20the%20same%20issue%2C%20and%20your%20fix%20worked%20for%20me%20as%20well.%20Reintroducing%20the%20NT%20SERVICE%2FALL%20SERVICES%26nbsp%3B%20to%20the%20list%20of%20Log%20In%20as%20as%20Service%20allowed%20the%20ATP%20Sensor%20to%20run%20on%20mine%20as%20well.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1368747%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20ATP%20service%20not%20starting%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1368747%22%20slang%3D%22en-US%22%3EThanks%20for%20that%2C%20worked%20like%20a%20charm!%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1503355%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20ATP%20service%20not%20starting%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1503355%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F427957%22%20target%3D%22_blank%22%3E%40marioschaupp%3C%2FA%3E%26nbsp%3Bwhere%20exactly%20do%20you%20modify%20the%20settings%3F%26nbsp%3B%20I%20am%20having%20issues%20with%20some%20sensors%20on%20some%20servers%20and%20have%20been%20trying%20everything%20I%20find%20online.%26nbsp%3B%20I%20am%20about%20to%20open%20a%20ticket%2C%20but%20wanted%20to%20give%20this%20a%20shot.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1506162%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20ATP%20service%20not%20starting%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1506162%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F717315%22%20target%3D%22_blank%22%3E%40sophiavega%3C%2FA%3E%26nbsp%3BI%20can't%20speak%20for%20anyone%20else%2C%20but%20we%20had%20a%20security%20policy%20GPO%20that%20limited%20what%20user%20accounts%20could%20log%20in%20as%20a%20service.%20By%20adding%26nbsp%3B%3CSPAN%3ENT%20SERVICE%2FALL%20SERVICES%20to%20that%20list%20of%20groups%2Fusers%20that%20were%20allowed%20to%20log%20in%20as%20a%20service%2C%20we%20were%20able%20to%20get%20the%20ATP%20sensor%20to%20start%20up.%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1695765%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20ATP%20service%20not%20starting%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1695765%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F311900%22%20target%3D%22_blank%22%3E%40cjohnston%3C%2FA%3E%26nbsp%3Bis%26nbsp%3B%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3ENT%20SERVICE%2FALL%20SERVICES%20required%20for%20'login%20in%20as%20service'%3F%26nbsp%3B%20Could%20the%20individual%20gMSA%20account%26nbsp%3Bbe%20assigned%26nbsp%3Baccess%20to%20'log%20on%20as%20service'%20via%20group%20policy%3F%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
New Contributor

Hello,

 

after installing the ATP sensor on one of my client's domain controllers I can see in the Azure ATP portal, that the service is not starting.

 

I use a group managed service account which has been set up with the domain controller group as principals to read the password. On the DCs I can successfully run "Test-ADServiceaccount svc_azureatp"

 

The log files show some errors, I list them in the order I think can be responsible for the issue:

1. Microsoft.Tri.Sensor.Updater.log:

2020-04-16 10:20:47.2604 Warn GroupManagedServiceAccountImpersonationHelper GetGroupManagedServiceAccountAccessTokenAsync failed GMSA password could not be retrieved [errorCode=LogonTypeNotGranted AccountName=SVC_AzureATP DomainDnsName=XXXXXXX.local]

 

2. Microsoft.Tri.Sensor.log:

2020-04-16 10:15:46.1986 Info ImpersonationManager CreateImpersonatorAsync started [UserName=SVC_AzureATP Domain=XXXXXXX.local IsGroupManagedServiceAccount=True]
2020-04-16 10:15:46.2455 Info ImpersonationManager CreateImpersonatorAsync finished [UserName=SVC_AzureATP Domain=XXXXXXX.local IsSuccess=False]
2020-04-16 10:15:46.2455 Warn DirectoryServicesClient CreateLdapConnectionAsync failed to retrieve group managed service account password. [DomainControllerDnsName=SDCV002.XXXXXXX.local Domain=XXXXXXX.local UserName=SVC_AzureATP ]
2020-04-16 10:15:46.4798 Error DirectoryServicesClient+<CreateLdapConnectionAsync>d__38 Microsoft.Tri.Infrastructure.ExtendedException: CreateLdapConnectionAsync failed [DomainControllerDnsName=SDCV002.XXXXXXX.local]
at async Task<LdapConnection> Microsoft.Tri.Sensor.DirectoryServicesClient.CreateLdapConnectionAsync(DomainControllerConnectionData domainControllerConnectionData, bool isGlobalCatalog, bool isTraversing)
at async Task<bool> Microsoft.Tri.Sensor.DirectoryServicesClient.TryCreateLdapConnectionAsync(DomainControllerConnectionData domainControllerConnectionData, bool isGlobalCatalog, bool isTraversing)
2020-04-16 10:15:46.4955 Error DirectoryServicesClient Microsoft.Tri.Infrastructure.ExtendedException: Failed to communicate with configured domain controllers
at new Microsoft.Tri.Sensor.DirectoryServicesClient(IConfigurationManager configurationManager, IDomainNetworkCredentialsManager domainNetworkCredentialsManager, IImpersonationManager impersonationManager, IMetricManager metricManager, IWorkspaceApplicationSensorApiJsonProxy workspaceApplicationSensorApiJsonProxy)
at object lambda_method(Closure, object[])
at object Autofac.Core.Activators.Reflection.ConstructorParameterBinding.Instantiate()
at void Microsoft.Tri.Infrastructure.ModuleManager.AddModules(Type[] moduleTypes)
at new Microsoft.Tri.Sensor.SensorModuleManager()
at ModuleManager Microsoft.Tri.Sensor.SensorService.CreateModuleManager()
at async Task Microsoft.Tri.Infrastructure.Service.OnStartAsync()
at void Microsoft.Tri.Infrastructure.TaskExtension.Await(Task task)
at void Microsoft.Tri.Infrastructure.Service.OnStart(string[] args)

 

I setup a group managed service account with the very same settings on my own lab and was able to successfully add this environment to the Azure ATP workspace of my client by installing the sensor on my lab DC.

 

I'd appreciate it if you could help me find out what the issue could be. I assume it has something to do with the logon type the gMSA might be missing on the DCs?

 

Best regards

 

Mario Schaupp

6 Replies
Highlighted

Hi,

 

I was able to resolve the issue myself. A Default Domain Controller Policy GPO had overwritten the default settings for the security policy "log on as service". „NT SERVICE\ALL SERVICES“ was missing and after adding this group, the service was able to start

 

Highlighted

@marioschaupp Just wanted to let you know that I was experiencing the same issue, and your fix worked for me as well. Reintroducing the NT SERVICE/ALL SERVICES  to the list of Log In as as Service allowed the ATP Sensor to run on mine as well.

 

Thanks!

Highlighted
Thanks for that, worked like a charm!
Highlighted

@marioschaupp where exactly do you modify the settings?  I am having issues with some sensors on some servers and have been trying everything I find online.  I am about to open a ticket, but wanted to give this a shot.

Highlighted

@sophiavega I can't speak for anyone else, but we had a security policy GPO that limited what user accounts could log in as a service. By adding NT SERVICE/ALL SERVICES to that list of groups/users that were allowed to log in as a service, we were able to get the ATP sensor to start up.

Highlighted

@cjohnston is  NT SERVICE/ALL SERVICES required for 'login in as service'?  Could the individual gMSA account be assigned access to 'log on as service' via group policy?