Azure ATP service not starting

Copper Contributor

Hello,

 

after installing the ATP sensor on one of my client's domain controllers I can see in the Azure ATP portal, that the service is not starting.

 

I use a group managed service account which has been set up with the domain controller group as principals to read the password. On the DCs I can successfully run "Test-ADServiceaccount svc_azureatp"

 

The log files show some errors, I list them in the order I think can be responsible for the issue:

1. Microsoft.Tri.Sensor.Updater.log:

2020-04-16 10:20:47.2604 Warn GroupManagedServiceAccountImpersonationHelper GetGroupManagedServiceAccountAccessTokenAsync failed GMSA password could not be retrieved [errorCode=LogonTypeNotGranted AccountName=SVC_AzureATP DomainDnsName=XXXXXXX.local]

 

2. Microsoft.Tri.Sensor.log:

2020-04-16 10:15:46.1986 Info ImpersonationManager CreateImpersonatorAsync started [UserName=SVC_AzureATP Domain=XXXXXXX.local IsGroupManagedServiceAccount=True]
2020-04-16 10:15:46.2455 Info ImpersonationManager CreateImpersonatorAsync finished [UserName=SVC_AzureATP Domain=XXXXXXX.local IsSuccess=False]
2020-04-16 10:15:46.2455 Warn DirectoryServicesClient CreateLdapConnectionAsync failed to retrieve group managed service account password. [DomainControllerDnsName=SDCV002.XXXXXXX.local Domain=XXXXXXX.local UserName=SVC_AzureATP ]
2020-04-16 10:15:46.4798 Error DirectoryServicesClient+<CreateLdapConnectionAsync>d__38 Microsoft.Tri.Infrastructure.ExtendedException: CreateLdapConnectionAsync failed [DomainControllerDnsName=SDCV002.XXXXXXX.local]
at async Task<LdapConnection> Microsoft.Tri.Sensor.DirectoryServicesClient.CreateLdapConnectionAsync(DomainControllerConnectionData domainControllerConnectionData, bool isGlobalCatalog, bool isTraversing)
at async Task<bool> Microsoft.Tri.Sensor.DirectoryServicesClient.TryCreateLdapConnectionAsync(DomainControllerConnectionData domainControllerConnectionData, bool isGlobalCatalog, bool isTraversing)
2020-04-16 10:15:46.4955 Error DirectoryServicesClient Microsoft.Tri.Infrastructure.ExtendedException: Failed to communicate with configured domain controllers
at new Microsoft.Tri.Sensor.DirectoryServicesClient(IConfigurationManager configurationManager, IDomainNetworkCredentialsManager domainNetworkCredentialsManager, IImpersonationManager impersonationManager, IMetricManager metricManager, IWorkspaceApplicationSensorApiJsonProxy workspaceApplicationSensorApiJsonProxy)
at object lambda_method(Closure, object[])
at object Autofac.Core.Activators.Reflection.ConstructorParameterBinding.Instantiate()
at void Microsoft.Tri.Infrastructure.ModuleManager.AddModules(Type[] moduleTypes)
at new Microsoft.Tri.Sensor.SensorModuleManager()
at ModuleManager Microsoft.Tri.Sensor.SensorService.CreateModuleManager()
at async Task Microsoft.Tri.Infrastructure.Service.OnStartAsync()
at void Microsoft.Tri.Infrastructure.TaskExtension.Await(Task task)
at void Microsoft.Tri.Infrastructure.Service.OnStart(string[] args)

 

I setup a group managed service account with the very same settings on my own lab and was able to successfully add this environment to the Azure ATP workspace of my client by installing the sensor on my lab DC.

 

I'd appreciate it if you could help me find out what the issue could be. I assume it has something to do with the logon type the gMSA might be missing on the DCs?

 

Best regards

 

Mario Schaupp

11 Replies

Hi,

 

I was able to resolve the issue myself. A Default Domain Controller Policy GPO had overwritten the default settings for the security policy "log on as service". „NT SERVICE\ALL SERVICES“ was missing and after adding this group, the service was able to start

 

@marioschaupp Just wanted to let you know that I was experiencing the same issue, and your fix worked for me as well. Reintroducing the NT SERVICE/ALL SERVICES  to the list of Log In as as Service allowed the ATP Sensor to run on mine as well.

 

Thanks!

Thanks for that, worked like a charm!

@marioschaupp where exactly do you modify the settings?  I am having issues with some sensors on some servers and have been trying everything I find online.  I am about to open a ticket, but wanted to give this a shot.

@sophiavega I can't speak for anyone else, but we had a security policy GPO that limited what user accounts could log in as a service. By adding NT SERVICE/ALL SERVICES to that list of groups/users that were allowed to log in as a service, we were able to get the ATP sensor to start up.

@cjohnston is  NT SERVICE/ALL SERVICES required for 'login in as service'?  Could the individual gMSA account be assigned access to 'log on as service' via group policy?

 

We had the same GPO setting which was stopping the ATP service from staring. Adding the Group Managed Service Account to the list of accounts allowed to logon locally fixed the issue.
It's wasn't necessary to allow all services.

Hello @marioschaupp , 

 

Please note it's not clear for me. We are unable to run the service AATPSensor. 

 

Is it in local policy of the server or via Domain controller ?

 

Error 1068

Same issue here. Can't start the sensor service on DCs. the gMSA account has Log in Locally rights on domain controller GPO. Hope someone can post authoritative information on this.
Hello

I disable the service and now able to restart the same.

Issue I get is due to Firewall policy on internet restriction.

@19873306 - The recommended configuration for the "Log On as a Service" setting is to use a Security Group containing all the DCs with Sensors hosted. This enables those machines to retrieve the gMSA account. 

You can also use the individual hostname of the DC.