Apr 16 2020 06:01 AM
Apr 16 2020 06:01 AM
after installing the ATP sensor on one of my client's domain controllers I can see in the Azure ATP portal, that the service is not starting.
I use a group managed service account which has been set up with the domain controller group as principals to read the password. On the DCs I can successfully run "Test-ADServiceaccount svc_azureatp"
The log files show some errors, I list them in the order I think can be responsible for the issue:
2020-04-16 10:20:47.2604 Warn GroupManagedServiceAccountImpersonationHelper GetGroupManagedServiceAccountAccessTokenAsync failed GMSA password could not be retrieved [errorCode=LogonTypeNotGranted AccountName=SVC_AzureATP DomainDnsName=XXXXXXX.local]
2020-04-16 10:15:46.1986 Info ImpersonationManager CreateImpersonatorAsync started [UserName=SVC_AzureATP Domain=XXXXXXX.local IsGroupManagedServiceAccount=True]
2020-04-16 10:15:46.2455 Info ImpersonationManager CreateImpersonatorAsync finished [UserName=SVC_AzureATP Domain=XXXXXXX.local IsSuccess=False]
2020-04-16 10:15:46.2455 Warn DirectoryServicesClient CreateLdapConnectionAsync failed to retrieve group managed service account password. [DomainControllerDnsName=SDCV002.XXXXXXX.local Domain=XXXXXXX.local UserName=SVC_AzureATP ]
2020-04-16 10:15:46.4798 Error DirectoryServicesClient+<CreateLdapConnectionAsync>d__38 Microsoft.Tri.Infrastructure.ExtendedException: CreateLdapConnectionAsync failed [DomainControllerDnsName=SDCV002.XXXXXXX.local]
at async Task<LdapConnection> Microsoft.Tri.Sensor.DirectoryServicesClient.CreateLdapConnectionAsync(DomainControllerConnectionData domainControllerConnectionData, bool isGlobalCatalog, bool isTraversing)
at async Task<bool> Microsoft.Tri.Sensor.DirectoryServicesClient.TryCreateLdapConnectionAsync(DomainControllerConnectionData domainControllerConnectionData, bool isGlobalCatalog, bool isTraversing)
2020-04-16 10:15:46.4955 Error DirectoryServicesClient Microsoft.Tri.Infrastructure.ExtendedException: Failed to communicate with configured domain controllers
at new Microsoft.Tri.Sensor.DirectoryServicesClient(IConfigurationManager configurationManager, IDomainNetworkCredentialsManager domainNetworkCredentialsManager, IImpersonationManager impersonationManager, IMetricManager metricManager, IWorkspaceApplicationSensorApiJsonProxy workspaceApplicationSensorApiJsonProxy)
at object lambda_method(Closure, object)
at object Autofac.Core.Activators.Reflection.ConstructorParameterBinding.Instantiate()
at void Microsoft.Tri.Infrastructure.ModuleManager.AddModules(Type moduleTypes)
at new Microsoft.Tri.Sensor.SensorModuleManager()
at ModuleManager Microsoft.Tri.Sensor.SensorService.CreateModuleManager()
at async Task Microsoft.Tri.Infrastructure.Service.OnStartAsync()
at void Microsoft.Tri.Infrastructure.TaskExtension.Await(Task task)
at void Microsoft.Tri.Infrastructure.Service.OnStart(string args)
I setup a group managed service account with the very same settings on my own lab and was able to successfully add this environment to the Azure ATP workspace of my client by installing the sensor on my lab DC.
I'd appreciate it if you could help me find out what the issue could be. I assume it has something to do with the logon type the gMSA might be missing on the DCs?
Apr 16 2020 07:36 AM
I was able to resolve the issue myself. A Default Domain Controller Policy GPO had overwritten the default settings for the security policy "log on as service". „NT SERVICE\ALL SERVICES“ was missing and after adding this group, the service was able to start
Apr 19 2020 12:05 PM
@marioschaupp Just wanted to let you know that I was experiencing the same issue, and your fix worked for me as well. Reintroducing the NT SERVICE/ALL SERVICES to the list of Log In as as Service allowed the ATP Sensor to run on mine as well.
Jul 07 2020 05:32 AM
@sophiavega I can't speak for anyone else, but we had a security policy GPO that limited what user accounts could log in as a service. By adding NT SERVICE/ALL SERVICES to that list of groups/users that were allowed to log in as a service, we were able to get the ATP sensor to start up.
Dec 07 2020 04:13 PM
We had the same GPO setting which was stopping the ATP service from staring. Adding the Group Managed Service Account to the list of accounts allowed to logon locally fixed the issue.
It's wasn't necessary to allow all services.
Jan 21 2021 05:25 PM
Feb 27 2021 07:04 AM