SOLVED

MDI - AD FS Sensor Errors

%3CLINGO-SUB%20id%3D%22lingo-sub-2790594%22%20slang%3D%22en-US%22%3EMDI%20-%20AD%20FS%20Sensor%20Errors%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2790594%22%20slang%3D%22en-US%22%3E%3CP%3ESeeing%20the%20following%20error%20every%20few%20minutes%20on%20AD%20FS%20sensors%20(newer%20install)%20and%20then%20found%20it%20on%20all%20existing%20DC%20sensors.%20Followed%20the%20%22Configure%20object%20auditing%22%20documentation%20as%20carefully%20as%20possible.%20We're%20using%20a%20standard%20AD%20user%20account%20as%20service%20account.%20There%20is%20group%20policy%20set%20for%20security%20log%20access%20and%20this%20service%20account%20is%20added%20with%20%220x1%22%20read%20access%20(AccessAllowed%20(List%20Directory)).%20We've%20also%20added%20this%20account%20to%20the%20Builtin%2FEvent%20Log%20Readers%20group%20and%20restarted%20the%20DC%20and%20AD%20FS%20servers%2C%20but%20we're%20still%20seeing%20this%20error.%20Also%20tried%20uninstalling%20and%20reinstalling%20the%20sensor.%20Are%20we%20missing%20another%20location%20where%20security%20log%20permissions%20are%20set%3F%3C%2FP%3E%3CPRE%20class%3D%22lia-code-sample%20language-json%22%3E%3CCODE%3E2021-09-27%2021%3A05%3A59.1767%20Error%20WindowsEventLogReader%20RunPeriodic%20actionAsync%20failed%0AMicrosoft.Tri.Infrastructure.ExtendedException%3A%20%5BunauthorizedAccessLogNames%3DSecurity%5D%20---%26gt%3B%20System.UnauthorizedAccessException%3A%20Attempted%20to%20perform%20an%20unauthorized%20operation.%0Aat%20void%20System.Diagnostics.Eventing.Reader.EventLogException.Throw(int%20errorCode)%0Aat%20EventLogHandle%20System.Diagnostics.Eventing.Reader.NativeWrapper.EvtSubscribe(EventLogHandle%20session%2C%20SafeWaitHandle%20signalEvent%2C%20string%20path%2C%20string%20query%2C%20EventLogHandle%20bookmark%2C%20IntPtr%20context%2C%20IntPtr%20callback%2C%20int%20flags)%0Aat%20void%20System.Diagnostics.Eventing.Reader.EventLogWatcher.StartSubscribing()%0Aat%20void%20Microsoft.Tri.Sensor.WindowsEventLogReader.EnableEventLogWatchers()%2B(KeyValuePair%3CSTRING%3E%20logNameToEventLogWatcher)%20%3D%26gt%3B%20%7B%20%7D%0A---%20End%20of%20inner%20exception%20stack%20trace%20---%0Aat%20void%20Microsoft.Tri.Sensor.WindowsEventLogReader.EnableEventLogWatchers()%0Aat%20Func%3CTASK%3E%20Microsoft.Tri.Infrastructure.ActionExtension.ToAsyncFunction(Action%20action)%2B()%20%3D%26gt%3B%20%7B%20%7D%0Aat%20async%20Task%20Microsoft.Tri.Infrastructure.Module.RunTaskAsync(Func%3CTASK%3E%20actionAsync%2C%20string%20name%2C%20SimpleTimeMetric%20timeMetric)%0Aat%20async%20void%20Microsoft.Tri.Infrastructure.Module.RegisterPeriodicTask(IMetricManager%20metricManager%2C%20Action%20action%2C%20PeriodicTaskConfiguration%20configuration)%2B(%3F)%20%3D%26gt%3B%20%7B%20%7D%0Aat%20async%20Task%20Microsoft.Tri.Infrastructure.TaskExtension.RunPeriodic(Action%20action%2C%20PeriodicTaskConfiguration%20configuration%2C%20CancellationToken%20cancellationToken)%2B(%3F)%20%3D%26gt%3B%20%7B%20%7D%3C%2FTASK%3E%3C%2FTASK%3E%3C%2FSTRING%3E%3C%2FCODE%3E%3C%2FPRE%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe're%20also%20seeing%20the%20login%20fail%20for%20the%20service%20account%20on%20the%20WID%20on%20the%20AD%20FS%20sensors.%20Can%20someone%20explain%20how%20to%20set%20the%20proper%20permissions%20on%20the%20WID%3F%20The%20service%20account%20has%20a%20login%2C%20public%20role%20assigned%2C%20mapped%20to%20AdfsConfiguration%20and%20AdfsConfigurationV4%2C%20default%20schema%20of%20dbo%2C%20Grant%20permission%20to%20connect%20to%20db%20engine%2C%20login%20enabled%2C%20explicit%20permissions%20granted%20are%20Select%20and%20Connect%20(both%20with%20dbo%20grantor).%3C%2FP%3E%3CPRE%20class%3D%22lia-code-sample%20language-json%22%3E%3CCODE%3E2021-09-28%2005%3A14%3A12.1864%20Error%20SqlInternalConnectionTds%20QueryAdfsServerDnsNamesAsync%20failed%20to%20get%20ADFS%20servers%20dns%20names%20%5BadfsConfigurationDatabaseConnectionString%3DData%20Source%3Dnp%3A%5C%5C.%5Cpipe%5Cmicrosoft%23%23wid%5Ctsql%5Cquery%3BInitial%20Catalog%3DAdfsConfigurationV4%3BIntegrated%20Security%3DTrue%5D%0ASystem.Data.SqlClient.SqlException%20(0x80131904)%3A%20Login%20failed%20for%20user%20'DOMAIN%5Cserviceaccount'.%0Aat%20new%20System.Data.SqlClient.SqlInternalConnectionTds(DbConnectionPoolIdentity%20identity%2C%20SqlConnectionString%20connectionOptions%2C%20SqlCredential%20credential%2C%20object%20providerInfo%2C%20string%20newPassword%2C%20SecureString%20newSecurePassword%2C%20bool%20redirectedUserInstance%2C%20SqlConnectionString%20userConnectionOptions%2C%20SessionData%20reconnectSessionData%2C%20DbConnectionPool%20pool%2C%20string%20accessToken%2C%20bool%20applyTransientFaultHandling%2C%20SqlAuthenticationProviderManager%20sqlAuthProviderManager)%0Aat%20DbConnectionInternal%20System.Data.SqlClient.SqlConnectionFactory.CreateConnection(DbConnectionOptions%20options%2C%20DbConnectionPoolKey%20poolKey%2C%20object%20poolGroupProviderInfo%2C%20DbConnectionPool%20pool%2C%20DbConnection%20owningConnection%2C%20DbConnectionOptions%20userOptions)%0Aat%20DbConnectionInternal%20System.Data.ProviderBase.DbConnectionFactory.CreatePooledConnection(DbConnectionPool%20pool%2C%20DbConnection%20owningObject%2C%20DbConnectionOptions%20options%2C%20DbConnectionPoolKey%20poolKey%2C%20DbConnectionOptions%20userOptions)%0Aat%20DbConnectionInternal%20System.Data.ProviderBase.DbConnectionPool.CreateObject(DbConnection%20owningObject%2C%20DbConnectionOptions%20userOptions%2C%20DbConnectionInternal%20oldConnection)%0Aat%20DbConnectionInternal%20System.Data.ProviderBase.DbConnectionPool.UserCreateRequest(DbConnection%20owningObject%2C%20DbConnectionOptions%20userOptions%2C%20DbConnectionInternal%20oldConnection)%0Aat%20bool%20System.Data.ProviderBase.DbConnectionPool.TryGetConnection(DbConnection%20owningObject%2C%20uint%20waitForMultipleObjectsTimeout%2C%20bool%20allowCreate%2C%20bool%20onlyOneCheckConnection%2C%20DbConnectionOptions%20userOptions%2C%20out%20DbConnectionInternal%20connection)%0Aat%20void%20System.Data.ProviderBase.DbConnectionPool.WaitForPendingOpen()%0Aat%20async%20Task%3CIENUMERABLE%3E%3CTRESULT%3E%26gt%3B%20Microsoft.Tri.Infrastructure.SqlClient.QueryAsync%3CTRESULT%3E(string%20query%2C%20CancellationToken%20cancellationToken)%0Aat%20async%20Task%3CHASHSET%3E%3CDNSNAME%3E%26gt%3B%20Microsoft.Tri.Sensor.DirectoryServicesResolver%2B%26lt%3B%26gt%3Bc__DisplayClass126_0.%3CSYNCHRONIZEADFSSERVERDNSNAMESASYNC%3Eg__QueryAdfsServerDnsNamesAsync%7C1(%3F)%2BQueryAdfsServerDnsNamesAsync(%3F)%0AClientConnectionId%3A0577f6a3-837d-419f-8508-2c7fd6dce706%0AError%20Number%3A18456%2CState%3A1%2CClass%3A14%3C%2FSYNCHRONIZEADFSSERVERDNSNAMESASYNC%3E%3C%2FDNSNAME%3E%3C%2FHASHSET%3E%3C%2FTRESULT%3E%3C%2FTRESULT%3E%3C%2FIENUMERABLE%3E%3C%2FCODE%3E%3C%2FPRE%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20for%20any%20assistance!%3C%2FP%3E%3CP%3EDerek%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2794401%22%20slang%3D%22en-US%22%3ERe%3A%20MDI%20-%20AD%20FS%20Sensor%20Errors%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2794401%22%20slang%3D%22en-US%22%3EWhich%20DACL%20did%20you%20use%20on%20with%20the%20first%20issue%3F%3CBR%20%2F%3EThis%20is%20the%20one%20you%20need%20to%20add%3A%3CBR%20%2F%3E(A%3B%3B0x1%3B%3B%3BS-1-5-80-818380073-2995186456-1411405591-3990468014-3617507088)%3CBR%20%2F%3E%3CBR%20%2F%3EAs%20for%20the%20second%20issue%2C%20you%20should%20contact%20support%20and%20they%20can%20guide%20you%20with%20a%20script%20to%20add%20proper%20permissions%20to%20WID.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2815858%22%20slang%3D%22en-US%22%3ERe%3A%20MDI%20-%20AD%20FS%20Sensor%20Errors%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2815858%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F106935%22%20target%3D%22_blank%22%3E%40Eli%20Ofek%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20for%20the%20reply.%20I%20added%20that%20DACL%20to%20the%20GPO%20(I%20had%20previously%20used%20the%20DACL%20for%20our%20ATP%20directory%20service%20account%20instead).%20Applying%20this%20new%20DACL%20doesn't%20seem%20to%20have%20fixed%20the%20issue%20though%20as%20we%20are%20still%20seeing%20frequent%20security%20log%20access%20errors%20(on%20the%20AD%20FS%20servers%20only)%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CPRE%20class%3D%22lia-code-sample%20language-markdown%22%3E%3CCODE%3E2021-10-06%2004%3A56%3A20.2335%20Error%20WindowsEventLogReader%20RunPeriodic%20actionAsync%20failed%0AMicrosoft.Tri.Infrastructure.ExtendedException%3A%20%5BunauthorizedAccessLogNames%3DSecurity%5D%20---%26gt%3B%20System.UnauthorizedAccessException%3A%20Attempted%20to%20perform%20an%20unauthorized%20operation.%0A%20%20%20at%20void%20System.Diagnostics.Eventing.Reader.EventLogException.Throw(int%20errorCode)%0A%20%20%20at%20EventLogHandle%20System.Diagnostics.Eventing.Reader.NativeWrapper.EvtSubscribe(EventLogHandle%20session%2C%20SafeWaitHandle%20signalEvent%2C%20string%20path%2C%20string%20query%2C%20EventLogHandle%20bookmark%2C%20IntPtr%20context%2C%20IntPtr%20callback%2C%20int%20flags)%0A%20%20%20at%20void%20System.Diagnostics.Eventing.Reader.EventLogWatcher.StartSubscribing()%0A%20%20%20at%20void%20Microsoft.Tri.Sensor.WindowsEventLogReader.EnableEventLogWatchers()%2B(KeyValuePair%3CSTRING%3E%20logNameToEventLogWatcher)%20%3D%26gt%3B%20%7B%20%7D%0A%20%20%20---%20End%20of%20inner%20exception%20stack%20trace%20---%0A%20%20%20at%20void%20Microsoft.Tri.Sensor.WindowsEventLogReader.EnableEventLogWatchers()%0A%20%20%20at%20Func%3CTASK%3E%20Microsoft.Tri.Infrastructure.ActionExtension.ToAsyncFunction(Action%20action)%2B()%20%3D%26gt%3B%20%7B%20%7D%0A%20%20%20at%20async%20Task%20Microsoft.Tri.Infrastructure.Module.RunTaskAsync(Func%3CTASK%3E%20actionAsync%2C%20string%20name%2C%20SimpleTimeMetric%20timeMetric)%0A%20%20%20at%20async%20void%20Microsoft.Tri.Infrastructure.Module.RegisterPeriodicTask(IMetricManager%20metricManager%2C%20Action%20action%2C%20PeriodicTaskConfiguration%20configuration)%2B(%3F)%20%3D%26gt%3B%20%7B%20%7D%0A%20%20%20at%20async%20Task%20Microsoft.Tri.Infrastructure.TaskExtension.RunPeriodic(Action%20action%2C%20PeriodicTaskConfiguration%20configuration%2C%20CancellationToken%20cancellationToken)%2B(%3F)%20%3D%26gt%3B%20%7B%20%7D%3C%2FTASK%3E%3C%2FTASK%3E%3C%2FSTRING%3E%3C%2FCODE%3E%3C%2FPRE%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe're%20on%20Server%202019%20if%20that%20might%20make%20a%20difference.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20there%20somewhere%20else%20this%20permission%20should%20be%20set%3F%20I'm%20not%20seeing%20any%20new%20ACLs%20if%20I%20view%20the%20Security.evtx%20file.%3C%2FP%3E%3CP%3E%3CSTRONG%3EThis%20file%20is%20stored%20in%20a%20non-standard%20location%20on%20our%20AD%20FS%20servers%20%5BD%3A%5Clogs%5CSecurity.evtx%5D%20so%20maybe%20that%20isn't%20allowing%20necessary%20permissions%20to%20apply%3F%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ERe%3A%20the%20second%20issue%2C%20I%20received%20and%20applied%20the%20script%20from%20support%3B%20still%20seeing%20the%20same%20SQL%20errors%20on%20the%20AD%20FS%20sensors.%3C%2FP%3E%3C%2FLINGO-BODY%3E
New Contributor

Seeing the following error every few minutes on AD FS sensors (newer install) and then found it on all existing DC sensors. Followed the "Configure object auditing" documentation as carefully as possible. We're using a standard AD user account as service account. There is group policy set for security log access and this service account is added with "0x1" read access (AccessAllowed (List Directory)). We've also added this account to the Builtin/Event Log Readers group and restarted the DC and AD FS servers, but we're still seeing this error. Also tried uninstalling and reinstalling the sensor. Are we missing another location where security log permissions are set?

2021-09-27 21:05:59.1767 Error WindowsEventLogReader RunPeriodic actionAsync failed
Microsoft.Tri.Infrastructure.ExtendedException: [unauthorizedAccessLogNames=Security] ---> System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
at void System.Diagnostics.Eventing.Reader.EventLogException.Throw(int errorCode)
at EventLogHandle System.Diagnostics.Eventing.Reader.NativeWrapper.EvtSubscribe(EventLogHandle session, SafeWaitHandle signalEvent, string path, string query, EventLogHandle bookmark, IntPtr context, IntPtr callback, int flags)
at void System.Diagnostics.Eventing.Reader.EventLogWatcher.StartSubscribing()
at void Microsoft.Tri.Sensor.WindowsEventLogReader.EnableEventLogWatchers()+(KeyValuePair<string, EventLogWatcher> logNameToEventLogWatcher) => { }
--- End of inner exception stack trace ---
at void Microsoft.Tri.Sensor.WindowsEventLogReader.EnableEventLogWatchers()
at Func<Task> Microsoft.Tri.Infrastructure.ActionExtension.ToAsyncFunction(Action action)+() => { }
at async Task Microsoft.Tri.Infrastructure.Module.RunTaskAsync(Func<Task> actionAsync, string name, SimpleTimeMetric timeMetric)
at async void Microsoft.Tri.Infrastructure.Module.RegisterPeriodicTask(IMetricManager metricManager, Action action, PeriodicTaskConfiguration configuration)+(?) => { }
at async Task Microsoft.Tri.Infrastructure.TaskExtension.RunPeriodic(Action action, PeriodicTaskConfiguration configuration, CancellationToken cancellationToken)+(?) => { }

 

We're also seeing the login fail for the service account on the WID on the AD FS sensors. Can someone explain how to set the proper permissions on the WID? The service account has a login, public role assigned, mapped to AdfsConfiguration and AdfsConfigurationV4, default schema of dbo, Grant permission to connect to db engine, login enabled, explicit permissions granted are Select and Connect (both with dbo grantor).

2021-09-28 05:14:12.1864 Error SqlInternalConnectionTds QueryAdfsServerDnsNamesAsync failed to get ADFS servers dns names [adfsConfigurationDatabaseConnectionString=Data Source=np:\\.\pipe\microsoft##wid\tsql\query;Initial Catalog=AdfsConfigurationV4;Integrated Security=True]
System.Data.SqlClient.SqlException (0x80131904): Login failed for user 'DOMAIN\serviceaccount'.
at new System.Data.SqlClient.SqlInternalConnectionTds(DbConnectionPoolIdentity identity, SqlConnectionString connectionOptions, SqlCredential credential, object providerInfo, string newPassword, SecureString newSecurePassword, bool redirectedUserInstance, SqlConnectionString userConnectionOptions, SessionData reconnectSessionData, DbConnectionPool pool, string accessToken, bool applyTransientFaultHandling, SqlAuthenticationProviderManager sqlAuthProviderManager)
at DbConnectionInternal System.Data.SqlClient.SqlConnectionFactory.CreateConnection(DbConnectionOptions options, DbConnectionPoolKey poolKey, object poolGroupProviderInfo, DbConnectionPool pool, DbConnection owningConnection, DbConnectionOptions userOptions)
at DbConnectionInternal System.Data.ProviderBase.DbConnectionFactory.CreatePooledConnection(DbConnectionPool pool, DbConnection owningObject, DbConnectionOptions options, DbConnectionPoolKey poolKey, DbConnectionOptions userOptions)
at DbConnectionInternal System.Data.ProviderBase.DbConnectionPool.CreateObject(DbConnection owningObject, DbConnectionOptions userOptions, DbConnectionInternal oldConnection)
at DbConnectionInternal System.Data.ProviderBase.DbConnectionPool.UserCreateRequest(DbConnection owningObject, DbConnectionOptions userOptions, DbConnectionInternal oldConnection)
at bool System.Data.ProviderBase.DbConnectionPool.TryGetConnection(DbConnection owningObject, uint waitForMultipleObjectsTimeout, bool allowCreate, bool onlyOneCheckConnection, DbConnectionOptions userOptions, out DbConnectionInternal connection)
at void System.Data.ProviderBase.DbConnectionPool.WaitForPendingOpen()
at async Task<IEnumerable<TResult>> Microsoft.Tri.Infrastructure.SqlClient.QueryAsync<TResult>(string query, CancellationToken cancellationToken)
at async Task<HashSet<DnsName>> Microsoft.Tri.Sensor.DirectoryServicesResolver+<>c__DisplayClass126_0.<SynchronizeAdfsServerDnsNamesAsync>g__QueryAdfsServerDnsNamesAsync|1(?)+QueryAdfsServerDnsNamesAsync(?)
ClientConnectionId:0577f6a3-837d-419f-8508-2c7fd6dce706
Error Number:18456,State:1,Class:14

 

Thanks for any assistance!

Derek

3 Replies
best response confirmed by dcoffrin (New Contributor)
Solution
Which DACL did you use on with the first issue?
This is the one you need to add:
(A;;0x1;;;S-1-5-80-818380073-2995186456-1411405591-3990468014-3617507088)

As for the second issue, you should contact support and they can guide you with a script to add proper permissions to WID.

@Eli Ofek 

 

Thanks for the reply. I added that DACL to the GPO (I had previously used the DACL for our ATP directory service account instead). Applying this new DACL doesn't seem to have fixed the issue though as we are still seeing frequent security log access errors (on the AD FS servers only):

 

2021-10-06 04:56:20.2335 Error WindowsEventLogReader RunPeriodic actionAsync failed
Microsoft.Tri.Infrastructure.ExtendedException: [unauthorizedAccessLogNames=Security] ---> System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
   at void System.Diagnostics.Eventing.Reader.EventLogException.Throw(int errorCode)
   at EventLogHandle System.Diagnostics.Eventing.Reader.NativeWrapper.EvtSubscribe(EventLogHandle session, SafeWaitHandle signalEvent, string path, string query, EventLogHandle bookmark, IntPtr context, IntPtr callback, int flags)
   at void System.Diagnostics.Eventing.Reader.EventLogWatcher.StartSubscribing()
   at void Microsoft.Tri.Sensor.WindowsEventLogReader.EnableEventLogWatchers()+(KeyValuePair<string, EventLogWatcher> logNameToEventLogWatcher) => { }
   --- End of inner exception stack trace ---
   at void Microsoft.Tri.Sensor.WindowsEventLogReader.EnableEventLogWatchers()
   at Func<Task> Microsoft.Tri.Infrastructure.ActionExtension.ToAsyncFunction(Action action)+() => { }
   at async Task Microsoft.Tri.Infrastructure.Module.RunTaskAsync(Func<Task> actionAsync, string name, SimpleTimeMetric timeMetric)
   at async void Microsoft.Tri.Infrastructure.Module.RegisterPeriodicTask(IMetricManager metricManager, Action action, PeriodicTaskConfiguration configuration)+(?) => { }
   at async Task Microsoft.Tri.Infrastructure.TaskExtension.RunPeriodic(Action action, PeriodicTaskConfiguration configuration, CancellationToken cancellationToken)+(?) => { }

 

We're on Server 2019 if that might make a difference.

 

Is there somewhere else this permission should be set? I'm not seeing any new ACLs if I view the Security.evtx file.

This file is stored in a non-standard location on our AD FS servers [D:\logs\Security.evtx] so maybe that isn't allowing necessary permissions to apply?

 

Re: the second issue, I received and applied the script from support; still seeing the same SQL errors on the AD FS sensors.

Did you make sure the added dacl was still persisted some time after you added it ?
I had cases before where there was a gpo that overwritten it once a while.
I never tested a scenario where there log store is in a non standard path, I guess it could have impact if the path does not have the same permissions as the standard one, so I would try to make sure it does first.
If it still fails, ask MDI support to collaborate with platform support to check why the permissions are still broken..

As for ADFS WID, that sounds weird, maybe the script failed? or maybe the WID was hardened to a point where the script is not doing enough ?( the script assumes default WID permissions).