cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Error installing Azure ATP Sensor on DC

maple85
Occasional Contributor

‎Mar 10 2020 08:32 AM - edited ‎Mar 10 2020 08:34 AM

‎Mar 10 2020 08:32 AM - edited ‎Mar 10 2020 08:34 AM

Error installing Azure ATP Sensor on DC

We have the ATP Sensor installed on 2 DCs. Both worked till last week.

Since there just one Sensor is working. On the Other DC it stopped communicating.

When i RDP on the Server i saw the Service was stopped.

Since today i was able restart the service. But today Service restart failed also after server reboot.

I decided to uninstall and reinstall the Sensor but without any lucky.

Always stops with this error:

maple85_0-1583854092572.png

Attached the Sensor Logs

 

Server details:

Server 2019 (1809)

Installed on Hyper-V 2016

No Proxy or SSL decryption

 

Thanks, Philip

Azure ATP Sensor Setup.zip
6,635 Views
0 Likes
17 Replies
Reply
17 Replies
Eli Ofek

‎Mar 10 2020 03:05 PM

‎Mar 10 2020 03:05 PM

Re: Error installing Azure ATP Sensor on DC

@maple85 The key error in the log says

"failed two way SSL connection to service. The issue can be caused by a proxy with SSL inspection enabled. [_workspaceApplicationSensorApiEndpoint=Unspecified/constantiaindustriessensorapi.atp.azure.com:443 Thumbprint="

So most likely either you do have ssl inspection you are not aware of, os something else is in the middle breaking the TLS session. Hard to say what without having a stable repro.

0 Likes
Reply
maple85

‎Mar 12 2020 07:10 AM - edited ‎Mar 12 2020 07:11 AM

‎Mar 12 2020 07:10 AM - edited ‎Mar 12 2020 07:11 AM

Re: Error installing Azure ATP Sensor on DC

Hi,
thanks for your answer!
I saw this with SSL inspection but fact is that I installed the sensor with the same setup 2 month ago.
Also on my 2nd Domain Controller on the same Network everything is fine.

That´s why i can´t understand why it is suddenly not working.
Problem began with automatically stopped service. First restart of the service helped but on one point it doesn´t . So i decided to reinstall the sensor but with no luck.

 

edit: also auto update on this DC to new version did not work.

on 2nd DC no problem.

0 Likes
Reply
Eli Ofek

‎Mar 12 2020 09:04 AM

‎Mar 12 2020 09:04 AM

Re: Error installing Azure ATP Sensor on DC

@maple85 try to capture a network trace to see where it fails.

Tip: I saw a case earlier this week where the client had issues with CRL. could it be that this machine does not have updated crl while the other has so it fails ?

If not, a network trace should tell you more, but it has to be something environmental...

0 Likes
Reply
maple85

‎Mar 23 2020 03:06 AM

‎Mar 23 2020 03:06 AM

Re: Error installing Azure ATP Sensor on DC

@Eli Ofek

Problem solved.

I tried it again today with live log on our FW.

Found the Azure IP who was decrypted.

 

Thanks, Philip  

1 Like
Reply
Razmi Patel

‎May 13 2020 08:24 AM

‎May 13 2020 08:24 AM

Re: Error installing Azure ATP Sensor on DC

@maple85, hijacking this conversation as it mentions a CRL:-)

@Eli Ofek

 

I don't see any mention of ports required for the CRL
https://docs.microsoft.com/en-us/azure-advanced-threat-protection/configure-proxy

https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-prerequisites#ports



SSL (*.atp.azure.com) TCP 443 Azure ATP cloud service Outbound


SSL(localhost) TCP 444 localhost Both

 

Is there more detail available?

Thanks.
Razmi

0 Likes
Reply
Eli Ofek

‎May 13 2020 01:24 PM

‎May 13 2020 01:24 PM

Re: Error installing Azure ATP Sensor on DC

@Razmi Patel , you don't normally need open ports for CRLs as far as I know as long as they are updated correctly .
I am not an SME on this one, but I think those are usually updates by windows updates...
If anyone knows otherwise please feel free to correct me :)

0 Likes
Reply
Razmi Patel

‎May 18 2020 06:04 AM

‎May 18 2020 06:04 AM

Re: Error installing Azure ATP Sensor on DC

@Eli Ofek 

Thank you. I'm sure we will find out soon enough:-)

0 Likes
Reply
SathishKumarPatchaiappan

‎May 20 2020 10:42 AM

‎May 20 2020 10:42 AM

Re: Error installing Azure ATP Sensor on DC

@maple85  Did you manage to fix this issue. We are facing the same issue. 

We have 4 DCs on Azure infrastructure . 3 DCs worked successfully but in 1 DC we are facing issues

We have the same network configuration , OS , patches on all DC.  

Kindly share suggestionsn pls

0 Likes
Reply
Eli Ofek

‎May 20 2020 12:40 PM

‎May 20 2020 12:40 PM

Re: Error installing Azure ATP Sensor on DC

@SathishKumarPatchaiappan , are you sure it's the same issue?

the error code in the UI is very basic and can "split" to many root causes.

in order to know for sure you need to collect the deployment logs...

0 Likes
Reply
SathishKumarPatchaiappan

‎May 20 2020 12:44 PM

‎May 20 2020 12:44 PM

Re: Error installing Azure ATP Sensor on DC

@Eli Ofekbelow is what we see in the log 

 

Property(S): INSTALLLEVEL = 1
MSI (s) (A4:C4) [20:55:25:640]: Note: 1: 1708
MSI (s) (A4:C4) [20:55:25:640]: Note: 1: 2205 2: 3: Error
MSI (s) (A4:C4) [20:55:25:640]: Note: 1: 2228 2: 3: Error 4: SELECT `Message` FROM `Error` WHERE `Error` = 1708
MSI (s) (A4:C4) [20:55:25:640]: Note: 1: 2205 2: 3: Error
MSI (s) (A4:C4) [20:55:25:640]: Note: 1: 2228 2: 3: Error 4: SELECT `Message` FROM `Error` WHERE `Error` = 1709
MSI (s) (A4:C4) [20:55:25:640]: Product: Azure Advanced Threat Protection Sensor -- Installation failed.
0 Likes
Reply
Eli Ofek

‎May 20 2020 02:46 PM

‎May 20 2020 02:46 PM

Re: Error installing Azure ATP Sensor on DC

@SathishKumarPatchaiappan I need the full set of logs as described here:

https://docs.microsoft.com/en-us/azure-advanced-threat-protection/troubleshooting-atp-using-logs#azu...

 

you can share them using a private message or open a support case where you get a support engineer with a secured workspace...

0 Likes
Reply
JTUKTECH

‎Jul 02 2020 01:54 AM

‎Jul 02 2020 01:54 AM

Re: Error installing Azure ATP Sensor on DC

@maple85 I had similar problems.  Logs indicated that the updater service wasn't starting.  If this is what's happening during your install, open services and keep bashing refresh.  If you see the "Azure Advanced Threat Protection Sensor Updater" starting and then stopping repeatedly then it's probably this.

 

Bear in mind also that this is running as local system, so your proxy settings may not be correct.  You can correct/set proxy settings for this user using: bitsadmin /util /setieproxy localsystem  - help available under: bitsadmin /util /?

 

I was able to amend the proxy settings during the service start attempts and the service went on to install.  Don't be too surprised if you break windows update if you change this setting if you aren't using WSUS.

0 Likes
Reply
JTUKTECH

‎Jul 02 2020 02:24 AM

‎Jul 02 2020 02:24 AM

Re: Error installing Azure ATP Sensor on DC

@JTUKTECH and just for my own notes, this also requires seperately setting: bitsadmin /util /setieproxy localservice for the main sensor service

0 Likes
Reply
best response confirmed by Ricky Simpson (Microsoft)
SathishKumarPatchaiappan

‎Jul 02 2020 07:29 AM

‎Jul 02 2020 07:29 AM

Solution

Re: Error installing Azure ATP Sensor on DC

@JTUKTECH Proxy was the issue. 

I followed these steps https://docs.microsoft.com/en-us/azure-advanced-threat-protection/configure-proxy#configure-the-prox...  and finally it fixed couple of weeks back.

 

 

0 Likes
Reply
Razmi Patel

‎Jul 02 2020 08:15 AM

‎Jul 02 2020 08:15 AM

Re: Error installing Azure ATP Sensor on DC

bitsadmin isn't available on Server Core so best to use the /ProxyUrl parameter
0 Likes
Reply
aexlz

‎Jun 16 2022 08:01 AM

‎Jun 16 2022 08:01 AM

Re: Error installing Azure ATP Sensor on DC

Is SSL Inspection explicitly forbidden?
0 Likes
Reply
Eli Ofek

‎Jun 17 2022 12:45 PM

‎Jun 17 2022 12:45 PM

Re: Error installing Azure ATP Sensor on DC

Yes, SSL Inspection is not supported due to mutual authentication.
1 Like
Reply