Microsoft Tech Community
SOLVED

Cannot get ATP sensors to Start

Copper Contributor

Hi, I am able to successfully install the ATP sensors on my DCs, but cannot get the service to start. I have created a gMSA account and opened up the firewall, but am getting Events 7000, 7031, and 7038.


The AATPSensor service was unable to log on as xxxxxxxxxx\gMSAcct01$ with the currently configured password due to the following error:
The user name or password is incorrect.

To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" />
    <EventID Qualifiers="49152">7031</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2020-06-26T15:20:20.638070000Z" />
    <EventRecordID>4069362</EventRecordID>
    <Correlation />
    <Execution ProcessID="796" ThreadID="6264" />
    <Channel>System</Channel>
    <Computer>SIT-DC12.xxxxxxxxxxxxx</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="param1">Azure Advanced Threat Protection Sensor</Data>
    <Data Name="param2">909523</Data>
    <Data Name="param3">5000</Data>
    <Data Name="param4">1</Data>
    <Data Name="param5">Restart the service</Data>
    <Binary>4100410054005000530065006E0073006F0072000000</Binary>
  </EventData>
</Event>
12 Replies

@Seth Holek, you should find the clues in the sensor's own logs folder, not in the Windows event log.

Just to be clear, the gMSA account was configured in the portal, right? You didn't change the actual Windows service, did you? The sensor should run with its pre-configured virtual account (which inherits Local Service).

@Eli Ofek 

Yes, I added the gMSA account to the Directory Services credentials in the portal, and I did change the service from Local Service to the gMSA account.


Here are errors from the ATP logs:

2020-06-29 14:20:40.9680 Error DirectoryServicesClient+<CreateLdapConnectionAsync>d__38 Microsoft.Tri.Infrastructure.ExtendedException: CreateLdapConnectionAsync failed [DomainControllerDnsName=SIT-DC12.xxxxxxxx.local]
at async Task<LdapConnection> Microsoft.Tri.Sensor.DirectoryServicesClient.CreateLdapConnectionAsync(DomainControllerConnectionData domainControllerConnectionData, bool isGlobalCatalog, bool isTraversing)
at async Task<bool> Microsoft.Tri.Sensor.DirectoryServicesClient.TryCreateLdapConnectionAsync(DomainControllerConnectionData domainControllerConnectionData, bool isGlobalCatalog, bool isTraversing)


2020-06-29 14:20:39.8430 Warn DirectoryServicesClient CreateLdapConnectionAsync failed to retrieve group managed service account password. [DomainControllerDnsName=SIT-DC12.xxxxxxx.local Domain=xxxxxxxx.local UserName=gMSAcct01$ ]
2020-06-29 14:20:40.9680 Error DirectoryServicesClient+<CreateLdapConnectionAsync>d__38 Microsoft.Tri.Infrastructure.ExtendedException: CreateLdapConnectionAsync failed [DomainControllerDnsName=SIT-DC12.xxxxxxxx.local]
at async Task<LdapConnection> Microsoft.Tri.Sensor.DirectoryServicesClient.CreateLdapConnectionAsync(DomainControllerConnectionData domainControllerConnectionData, bool isGlobalCatalog, bool isTraversing)
at async Task<bool> Microsoft.Tri.Sensor.DirectoryServicesClient.TryCreateLdapConnectionAsync(DomainControllerConnectionData domainControllerConnectionData, bool isGlobalCatalog, bool isTraversing)
2020-06-29 14:20:41.0305 Error DirectoryServicesClient Microsoft.Tri.Infrastructure.ExtendedException: Failed to communicate with configured domain controllers
at new Microsoft.Tri.Sensor.DirectoryServicesClient(IConfigurationManager configurationManager, IDomainNetworkCredentialsManager domainNetworkCredentialsManager, IImpersonationManager impersonationManager, IMetricManager metricManager, IWorkspaceApplicationSensorApiJsonProxy workspaceApplicationSensorApiJsonProxy)
at object lambda_method(Closure, object[])
at object Autofac.Core.Activators.Reflection.ConstructorParameterBinding.Instantiate()
at void Microsoft.Tri.Infrastructure.ModuleManager.AddModules(Type[] moduleTypes)
at new Microsoft.Tri.Sensor.SensorModuleManager()
at ModuleManager Microsoft.Tri.Sensor.SensorService.CreateModuleManager()
at async Task Microsoft.Tri.Infrastructure.Service.OnStartAsync()
at void Microsoft.Tri.Infrastructure.TaskExtension.Await(Task task)
at void Microsoft.Tri.Infrastructure.Service.OnStart(string[] args)

best response confirmed by Seth Holek (Copper Contributor)
Solution

@Seth Holek, uninstall and reinstall to make sure the service is deployed correctly. This is broken because you changed the service's logon... it is unable to retrieve the gMSA password this way.

The gMSA should only be configured in the portal; the system takes care of all the rest...

@Eli Ofek Thanks. I reinstalled the sensor on both my DCs, and was able to get it to work on the DC in Azure, but I still cannot get it to work on my local DC. I did the same install process for both DCs, but am still getting the same errors I listed below. Is there a particular port on the firewall that needs to be opened up, or am I off base with that?

@Seth Holek Are you sure you got the EXACT same error again that says "failed to retrieve group managed service account password."?

I am asking because there might be several similar errors, but different causes.

If it's the exact same error, then the problem is that this machine account does not have permissions to get the password, and you need to fix permissions.

If not, it's likely a FW issue. Note the ports table in the docs, especially the LDAP ports that need to be open.

@Eli Ofek LOL. Sounds like you've done this before. You are once again correct, and that error is different. I am thinking that it has to be FW-related.


Error DirectoryServicesClient+<CreateLdapConnectionAsync>d__38 Microsoft.Tri.Infrastructure.ExtendedException: CreateLdapConnectionAsync failed [DomainControllerDnsName=SIT-DC12.xxxxxxx.local]
at async Task<LdapConnection> Microsoft.Tri.Sensor.DirectoryServicesClient.CreateLdapConnectionAsync(DomainControllerConnectionData domainControllerConnectionData, bool isGlobalCatalog, bool isTraversing)
at async Task<bool> Microsoft.Tri.Sensor.DirectoryServicesClient.TryCreateLdapConnectionAsync(DomainControllerConnectionData domainControllerConnectionData, bool isGlobalCatalog, bool isTraversing)
2020-06-29 18:52:52.6305 Error DirectoryServicesClient Microsoft.Tri.Infrastructure.ExtendedException: Failed to communicate with configured domain controllers
at new Microsoft.Tri.Sensor.DirectoryServicesClient(IConfigurationManager configurationManager, IDomainNetworkCredentialsManager domainNetworkCredentialsManager, IImpersonationManager impersonationManager, IMetricManager metricManager, IWorkspaceApplicationSensorApiJsonProxy workspaceApplicationSensorApiJsonProxy)
at object lambda_method(Closure, object[])
at object Autofac.Core.Activators.Reflection.ConstructorParameterBinding.Instantiate()
at void Microsoft.Tri.Infrastructure.ModuleManager.AddModules(Type[] moduleTypes)
at new Microsoft.Tri.Sensor.SensorModuleManager()
at ModuleManager Microsoft.Tri.Sensor.SensorService.CreateModuleManager()
at async Task Microsoft.Tri.Infrastructure.Service.OnStartAsync()
at void Microsoft.Tri.Infrastructure.TaskExtension.Await(Task task)
at void Microsoft.Tri.Infrastructure.Service.OnStart(string[] args)


@Seth Holek 

I think this is because the proper "PrincipalsAllowedToRetrieveManagedPassword" is not set for the gMSA.
Why not set it to "Domain Controllers"?

I don't know of any principals with less authority than "Domain Controllers", so please let me know.

I have two questions.
1. Do we need to open port 389 UDP & TCP as well from the DC to Azure (ATP portal)?
2. What permission do we need to set for the machine account (I mean the DC hostname)?
We have run the command below; is it correct?

New-ADServiceAccount -Name MSA-atp -ManagedPasswordIntervalInDays 80 -SamAccountName MSA-atp -PrincipalsAllowedToRetrieveManagedPassword Group_MSA-atp

@pugazhendhi 

I don't know what Group_MSA-atp is.


For example, the command I ran is:

New-ADServiceAccount -Name gMSAAccount -DNSHostName gMSAAccount.<Domain> -KerberosEncryptionType AES256 -ManagedPasswordIntervalInDays 90 -PrincipalsAllowedToRetrieveManagedPassword "Domain Controllers"


But I don't guarantee that this command is correct.

It's a group name, "Group_MSA-atp"; we actually added the DC hostname to this group.

No need to open 389 to Azure. The only port you need to Azure is the standard 443.
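The two failure modes discussed in this thread (a DC computer account that is not allowed to retrieve the managed password, and a sensor service whose logon was changed away from its virtual account) can both be checked from a DC. The script below is an added example, not code from the thread or from Microsoft; the group name, gMSA name and domain are assumptions.

```powershell
# Added example: create the gMSA the way the thread recommends (a group of DC
# computer accounts as the principals), then verify the prerequisites on a DC.
# Assumed names: group "MDI-Sensor-Hosts", gMSA "gMSAcct01", domain "corp.example.local".
Import-Module ActiveDirectory

$Domain   = 'corp.example.local'   # assumption
$GmsaName = 'gMSAcct01'            # assumption (same name the thread uses)
$Group    = 'MDI-Sensor-Hosts'     # assumption: security group of DC computer accounts

# 0. A gMSA cannot exist without a KDS root key in the forest.
if (-not (Get-KdsRootKey)) { throw 'No KDS root key; run Add-KdsRootKey first and wait for it to take effect' }

# 1. Group whose members may retrieve the password: the DC computer accounts.
if (-not (Get-ADGroup -Filter "Name -eq '$Group'")) {
    New-ADGroup -Name $Group -GroupScope Global -GroupCategory Security
}
$dcAccounts = Get-ADDomainController -Filter * |
    ForEach-Object { Get-ADComputer -Identity $_.ComputerObjectDN }
Add-ADGroupMember -Identity $Group -Members $dcAccounts

# 2. The gMSA itself. -DNSHostName is mandatory for a group MSA (the command
#    posted above omits it); the principals are the group, not a hostname.
if (-not (Get-ADServiceAccount -Filter "Name -eq '$GmsaName'")) {
    New-ADServiceAccount -Name $GmsaName -DNSHostName "$GmsaName.$Domain" `
        -KerberosEncryptionType AES256 -ManagedPasswordIntervalInDays 30 `
        -PrincipalsAllowedToRetrieveManagedPassword $Group
}

# 3. Verify on each DC. Group membership is evaluated when the computer logs on,
#    so reboot the DC (or purge its SYSTEM tickets with: klist -li 0x3e7 purge)
#    after step 1; Test-ADServiceAccount must return True before the sensor can work.
(Get-ADServiceAccount -Identity $GmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword).PrincipalsAllowedToRetrieveManagedPassword
Test-ADServiceAccount -Identity $GmsaName

# 4. The sensor service must keep the logon the installer gave it; only the
#    portal holds the gMSA. If StartName shows the gMSA here, the thread's fix
#    applies: reinstall the sensor rather than editing the service.
Get-CimInstance Win32_Service -Filter "Name='AATPSensor'" |
    Select-Object Name, StartName, State
```

If step 3 returns True on the Azure DC but False on the on-premises DC, the difference is the computer account's right to retrieve the password, not the firewall; if it is True on both and the sensor log still shows "Failed to communicate with configured domain controllers", look at the LDAP ports.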