Microsoft Tech Community

mdi sensor can't connect to domain


I set up mdi and am getting the following error in the logs:

2022-08-03 07:00:49.2776 Debug DirectoryServicesClient SetState Creating
2022-08-03 07:00:49.3401 Info  RemoteImpersonationManager CreateImpersonatorInternalAsync started [UserName=GA-MDI-READ$ Domain=tbh.local IsGroupManagedServiceAccount=True]
2022-08-03 07:00:49.4026 Info  RemoteImpersonationManager GetGroupManagedServiceAccountTokenAsync finished [UserName=GA-MDI-READ$ Domain=tbh.local IsSuccess=True]
2022-08-03 07:00:49.4026 Info  RemoteImpersonationManager CreateImpersonatorInternalAsync finished [UserName=GA-MDI-READ$ Domain=tbh.local]
2022-08-03 07:00:49.4182 Info  DirectoryServicesClient CreateLdapConnectionAsync failed to connect [DomainControllerDnsName=p-adc-v-01.tbh.local Domain=tbh.local UserName=GA-MDI-READ$ ResultCode=82]
2022-08-03 07:00:49.7149 Error DirectoryServicesClient+d__43 Microsoft.Tri.Infrastructure.ExtendedException: CreateLdapConnectionAsync failed [DomainControllerDnsName=p-adc-v-01.tbh.local]
   at async Task Microsoft.Tri.Sensor.DirectoryServicesClient.CreateLdapConnectionAsync(DomainControllerConnectionData domainControllerConnectionData, bool isGlobalCatalog, bool isTraversing)
   at async Task Microsoft.Tri.Sensor.DirectoryServicesClient.TryCreateLdapConnectionAsync(DomainControllerConnectionData domainControllerConnectionData, bool isGlobalCatalog, bool isTraversing)
2022-08-03 07:00:49.7306 Error DirectoryServicesClient Microsoft.Tri.Infrastructure.ExtendedException: Failed to communicate with configured domain controllers [ _domainControllerConnectionDatas=p-adc-v-01.tbh.local]
   at new Microsoft.Tri.Sensor.DirectoryServicesClient(IConfigurationManager configurationManager, IDirectoryServicesDomainNetworkCredentialsManager domainNetworkCredentialsManager, IRemoteImpersonationManager remoteImpersonationManager, IMetricManager metricManager, IWorkspaceApplicationSensorApiJsonProxy workspaceApplicationSensorApiJsonProxy)
   at object lambda_method(Closure, object[])
   at object Autofac.Core.Activators.Reflection.ConstructorParameterBinding.Instantiate()
   at void Microsoft.Tri.Infrastructure.ModuleManager.AddModules(Type[] moduleTypes)
   at new Microsoft.Tri.Sensor.SensorModuleManager()
   at ModuleManager Microsoft.Tri.Sensor.SensorService.CreateModuleManager()
   at async Task Microsoft.Tri.Infrastructure.Service.OnStartAsync()
   at void Microsoft.Tri.Infrastructure.TaskExtension.Await(Task task)
   at void Microsoft.Tri.Infrastructure.Service.OnStart(string[] args)

I already ruled out a few things:

  • the DC that MDI is running on can access the gMSA
  • MDI can access/impersonate the gMSA (according to its logs)
  • the gMSA can log on as a service on the DC

Anyone know any more things to check for? Any help would be really appreciated!

Lars

2 Replies

I found a solution: adding the gMSA Account to the "Domain Users" Group seems to have fixed it!
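A pre-flight check for the conditions discussed in this thread, as an added PowerShell example that is not part of the original posts: it reports whether the gMSA is in Domain Users, whether the sensor host is allowed to retrieve the managed password, and what Test-ADServiceAccount returns on that host. The account and host names default to the values from the log in the question and are placeholders for your own; the -Fix switch applies the change reported in this reply.

```powershell
# Added example, not from the thread: checks for the gMSA an MDI sensor runs as.
# Run with the RSAT ActiveDirectory module as a domain admin. Defaults are taken
# from the question's log lines and must be replaced with your own names.
param(
    [string]$GmsaName   = 'GA-MDI-READ',   # UserName=GA-MDI-READ$ in the log
    [string]$SensorHost = 'p-adc-v-01',    # DC running the sensor in the log
    [switch]$Fix                           # add the gMSA to Domain Users if missing
)
Import-Module ActiveDirectory

$gmsa = Get-ADServiceAccount -Identity $GmsaName `
    -Properties MemberOf, primaryGroupID, PrincipalsAllowedToRetrieveManagedPassword
$domainUsers = Get-ADGroup -Identity 'Domain Users'

# 1. Domain Users membership: either via the member attribute or as the
#    account's primary group (Domain Users has RID 513).
$inDomainUsers = ($gmsa.MemberOf -contains $domainUsers.DistinguishedName) -or
                 ($gmsa.primaryGroupID -eq 513)
"Domain Users membership  : $inDomainUsers (primaryGroupID=$($gmsa.primaryGroupID))"

# 2. Password retrieval: the sensor host itself, or a group it belongs to,
#    must appear in PrincipalsAllowedToRetrieveManagedPassword.
$sensor  = Get-ADComputer -Identity $SensorHost -Properties MemberOf
$allowed = @($gmsa.PrincipalsAllowedToRetrieveManagedPassword)
$hostOk  = ($allowed -contains $sensor.DistinguishedName) -or
           (@($sensor.MemberOf | Where-Object { $allowed -contains $_ }).Count -gt 0)
"Host may retrieve password: $hostOk"

# 3. Same check from the sensor host's own point of view (needs WinRM to it).
$testResult = Invoke-Command -ComputerName $SensorHost -ScriptBlock {
    param($name) Test-ADServiceAccount -Identity $name
} -ArgumentList $GmsaName
"Test-ADServiceAccount      : $testResult (on $SensorHost)"

# 4. Optional remediation: the fix reported in the thread.
if ($Fix -and -not $inDomainUsers) {
    Add-ADGroupMember -Identity $domainUsers -Members $gmsa
    "Added $GmsaName to Domain Users; restart the AATPSensor service on $SensorHost."
}
```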

@larsuhartmann 

We are seeing the same error:


2022-09-07 16:16:35.2886 Error DirectoryServicesClient+<CreateLdapConnectionAsync>d__47 RunPeriodic <RegisterPeriodicTask>b__1 failed
Microsoft.Tri.Infrastructure.ExtendedException: CreateLdapConnectionAsync failed [DomainControllerDnsName=OURDC.COM]

and can also verify that we are using a gMSA that has access to the DC. From the logs:

2022-09-07 16:16:34.0854 Info  DirectoryServicesClient CreateLdapConnectionAsync connected successfully [DomainControllerDnsName=ourdc.domain.com Domain=Ourdomain UserName=OurgMSA ]
2022-09-07 16:16:34.1635 Info  LocalImpersonationManager CreateImpersonatorInternalAsync started [UserName=OurgMSA Domain=Ourdomain IsGroupManagedServiceAccount=True]
2022-09-07 16:16:34.1948 Info  LocalImpersonationManager GetGroupManagedServiceAccountTokenAsync finished [UserName=OurgMSA Domain=Ourdomain IsSuccess=True]
2022-09-07 16:16:34.1948 Info  LocalImpersonationManager CreateImpersonatorInternalAsync finished [UserName=OurgMSA Domain=Ourdomain]
2022-09-07 16:16:34.1948 Debug GroupPolicyHelper GetKerberosPolicy started [domainDnsName=Ourdomain.org]
2022-09-07 16:16:34.2104 Debug GroupPolicyHelper GetKerberosPolicy finished [domainDnsName=Ourdomain.org MaxTicketAge=10 MaxRenewAge=7]
2022-09-07 16:16:34.2104 Info  DirectoryServicesClient CreateLdapConnectionAsync connected successfully [DomainControllerDnsName=ourdc.domain.com Domain=Ourdomain UserName=OurgMSA ]
2022-09-07 16:16:34.3510 Info  DirectoryServicesResolver CreateDomainAsync created domain DC=Ourdomain,DC=org
2022-09-07 16:16:34.3667 Info  DirectoryServicesClient CreateLdapConnectionAsync connected successfully [DomainControllerDnsName=ourdc.domain.com Domain=Ourdomain UserName=OurgMSA ]
We're going to try adding the gMSA to the Domain Users group, but wanted to get confirmation that this isn't a security issue.