Jun 29 2020 06:10 AM
Hi, I am able to successfully install the ATP's sensors on my DC's, but cannot get the Service to Start. I have created a gMSA account and opened up the firewall, but am getting Events 7000, 7031, and 7038.
The AATPSensor service was unable to log on as xxxxxxxxxx\gMSAcct01$ with the currently configured password due to the following error:
The user name or password is incorrect.
To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
Jun 29 2020 06:36 AM
@Seth Holek , you should find the clues in the sensor's own logs folder, not in the windows event log.
Just to be clear, the gmsa account was configured in the portal right? you didn't change the actual windows service, did you ? the sensor should run with it's pre configured virtual account (which inherits local service)
Jun 29 2020 07:28 AM
Yes, I added the gmsa account to the Directory Services credentials in the Portal, and I did change the service from Local Service to the gmsa account.
Here are errors from the ATP logs:
2020-06-29 14:20:40.9680 Error DirectoryServicesClient+<CreateLdapConnectionAsync>d__38 Microsoft.Tri.Infrastructure.ExtendedException: CreateLdapConnectionAsync failed [DomainControllerDnsName=SIT-DC12.xxxxxxxx.local]
at async Task<LdapConnection> Microsoft.Tri.Sensor.DirectoryServicesClient.CreateLdapConnectionAsync(DomainControllerConnectionData domainControllerConnectionData, bool isGlobalCatalog, bool isTraversing)
at async Task<bool> Microsoft.Tri.Sensor.DirectoryServicesClient.TryCreateLdapConnectionAsync(DomainControllerConnectionData domainControllerConnectionData, bool isGlobalCatalog, bool isTraversing)
2020-06-29 14:20:39.8430 Warn DirectoryServicesClient CreateLdapConnectionAsync failed to retrieve group managed service account password. [DomainControllerDnsName=SIT-DC12.xxxxxxx.local Domain=xxxxxxxx.local UserName=gMSAcct01$ ]
2020-06-29 14:20:40.9680 Error DirectoryServicesClient+<CreateLdapConnectionAsync>d__38 Microsoft.Tri.Infrastructure.ExtendedException: CreateLdapConnectionAsync failed [DomainControllerDnsName=SIT-DC12.xxxxxxxx.local]
at async Task<LdapConnection> Microsoft.Tri.Sensor.DirectoryServicesClient.CreateLdapConnectionAsync(DomainControllerConnectionData domainControllerConnectionData, bool isGlobalCatalog, bool isTraversing)
at async Task<bool> Microsoft.Tri.Sensor.DirectoryServicesClient.TryCreateLdapConnectionAsync(DomainControllerConnectionData domainControllerConnectionData, bool isGlobalCatalog, bool isTraversing)
2020-06-29 14:20:41.0305 Error DirectoryServicesClient Microsoft.Tri.Infrastructure.ExtendedException: Failed to communicate with configured domain controllers
at new Microsoft.Tri.Sensor.DirectoryServicesClient(IConfigurationManager configurationManager, IDomainNetworkCredentialsManager domainNetworkCredentialsManager, IImpersonationManager impersonationManager, IMetricManager metricManager, IWorkspaceApplicationSensorApiJsonProxy workspaceApplicationSensorApiJsonProxy)
at object lambda_method(Closure, object[])
at object Autofac.Core.Activators.Reflection.ConstructorParameterBinding.Instantiate()
at void Microsoft.Tri.Infrastructure.ModuleManager.AddModules(Type[] moduleTypes)
at new Microsoft.Tri.Sensor.SensorModuleManager()
at ModuleManager Microsoft.Tri.Sensor.SensorService.CreateModuleManager()
at async Task Microsoft.Tri.Infrastructure.Service.OnStartAsync()
at void Microsoft.Tri.Infrastructure.TaskExtension.Await(Task task)
at void Microsoft.Tri.Infrastructure.Service.OnStart(string[] args)
Jun 29 2020 07:31 AM
Solution@Seth Holek uninstall and reinstall to make sure the service is deployed correctly, this is broken because you changed the services logon... it is unable to retrieve the gmsa password this way,
the gmsa should only be configured on the portal, the system takes care of all the rest...
Jun 29 2020 12:04 PM
@Eli Ofek Thanks. I reinstalled the Sensor on both my DC's, and was able to get it work on the DC in Azure, but I still cannot get it to work on my local DC. I did the same install process for both DC's, but am still getting the same errors I listed below. Is there a particular port on the firewall that needs to be opened up, or am I off base with that?
Jun 29 2020 01:45 PM
@Seth Holek Are you sure you got the EXACT same error again that says "failed to retrieve group managed service account password." ?
I am asking because there might be several similar errors, but different causes.
If it's the exact same error, then the problem is that this machine account does not have permissions to get the password, and you need to fix permissions.
IF not, it's likely a FW issue. note the ports table in the docs, especially LDAP ports that need to be open.
Jun 29 2020 02:02 PM - edited Jun 29 2020 07:36 PM
@Eli Ofek LOL. Sounds like you've done this before. You are once again correct, and that error is different. I am thinking that it has to be FW-related.
Error DirectoryServicesClient+<CreateLdapConnectionAsync>d__38 Microsoft.Tri.Infrastructure.ExtendedException: CreateLdapConnectionAsync failed [DomainControllerDnsName=SIT-DC12.xxxxxxx.local]
at async Task<LdapConnection> Microsoft.Tri.Sensor.DirectoryServicesClient.CreateLdapConnectionAsync(DomainControllerConnectionData domainControllerConnectionData, bool isGlobalCatalog, bool isTraversing)
at async Task<bool> Microsoft.Tri.Sensor.DirectoryServicesClient.TryCreateLdapConnectionAsync(DomainControllerConnectionData domainControllerConnectionData, bool isGlobalCatalog, bool isTraversing)
2020-06-29 18:52:52.6305 Error DirectoryServicesClient Microsoft.Tri.Infrastructure.ExtendedException: Failed to communicate with configured domain controllers
at new Microsoft.Tri.Sensor.DirectoryServicesClient(IConfigurationManager configurationManager, IDomainNetworkCredentialsManager domainNetworkCredentialsManager, IImpersonationManager impersonationManager, IMetricManager metricManager, IWorkspaceApplicationSensorApiJsonProxy workspaceApplicationSensorApiJsonProxy)
at object lambda_method(Closure, object[])
at object Autofac.Core.Activators.Reflection.ConstructorParameterBinding.Instantiate()
at void Microsoft.Tri.Infrastructure.ModuleManager.AddModules(Type[] moduleTypes)
at new Microsoft.Tri.Sensor.SensorModuleManager()
at ModuleManager Microsoft.Tri.Sensor.SensorService.CreateModuleManager()
at async Task Microsoft.Tri.Infrastructure.Service.OnStartAsync()
at void Microsoft.Tri.Infrastructure.TaskExtension.Await(Task task)
at void Microsoft.Tri.Infrastructure.Service.OnStart(string[] args)
Dec 24 2020 06:29 PM
I think this is because the proper "PrincipalsAllowedToRetrieveManagedPassword" is not set for gMSA.
Why not set it in "Domain Controllers"?
I don't know any principals with less authority than "Domain Controllers", so please let me know.
Mar 11 2021 10:40 PM
Mar 11 2021 10:44 PM
Mar 11 2021 10:53 PM
I don't know what Group_MSA-atp is.
For example, the command I ran is:
New-ADServiceAccount -Name gMSAAccount -DNSHostName gMSAAccount.<Domain> -KerberosEncryptionType AES256 -ManagedPasswordIntervalInDays 90 -PrincipalsAllowedToRetrieveManagedPassword "Domain Controllers"
But I don't guarantee its command is correct.
Mar 12 2021 02:49 AM
Mar 14 2021 01:42 AM
Jun 29 2020 07:31 AM
Solution@Seth Holek uninstall and reinstall to make sure the service is deployed correctly, this is broken because you changed the services logon... it is unable to retrieve the gmsa password this way,
the gmsa should only be configured on the portal, the system takes care of all the rest...