Jan 19 2022 09:19 PM
We've replaced one of our DCs with a 2022 server. The server is a member of the group that is able to read the gMSA service account. The error that is generated by the sensor is that it cannot read the gMSA password. At a loss, as 2019 servers configured the same way work fine. The 2022 is our first DC; the 2019 servers host ADFS roles. Is 2022 not supported for Azure ATP yet?
Jan 19 2022 10:33 PM - edited Jan 19 2022 10:34 PM
Officially it is not supported yet, as we have not completed full testing, but effectively I can say we are not blocking the install, and telemetry shows we have hundreds of sensors running on 2022 already.
Most likely the issue is coming from somewhere else, but I can't be sure until we officially support it after testing all use cases...
Jan 20 2022 01:18 AM - edited Jan 20 2022 01:48 AM
Adding to @EliOfek's comment;
Please make sure you have restarted the server after adding its computer account to the group that is allowed to retrieve the gMSA's password (as group membership is evaluated at logon), or run the following command on it:
klist -li 0x3e7 purge
If this still doesn't work, please open a support case.
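The checks in the reply above, collected into one script as an added example (this is not code from the thread or from the Defender for Identity product; the gMSA name `mdiSvc` and the group name `MDI-Sensor-Hosts` are assumptions to replace with your own). It confirms what AD says (who may retrieve the managed password, and whether this computer is a nested member of that group), shows what the host's SYSTEM logon session currently believes (the machine account's TGT, whose PAC carries the group list as of logon), runs `Test-ADServiceAccount`, and only if that fails purges the SYSTEM ticket cache (LUID 0x3e7) and retests, which is the no-reboot path the reply describes. Run it in an elevated PowerShell on the sensor host.

```powershell
<#
  Added example, not from the thread: pre-flight check for a sensor host that
  must read a gMSA's password. Assumed (hypothetical) names: gMSA 'mdiSvc',
  group 'MDI-Sensor-Hosts'. Requires the ActiveDirectory RSAT module (present on
  every DC) and an elevated session, because klist on LUID 0x3e7 touches the
  SYSTEM logon session.
#>
param(
    [string]$GmsaName     = 'mdiSvc',           # assumption: the sensor's gMSA
    [string]$AllowedGroup = 'MDI-Sensor-Hosts'  # assumption: group in PrincipalsAllowedToRetrieveManagedPassword
)

Import-Module ActiveDirectory

$computer = Get-ADComputer -Identity $env:COMPUTERNAME
$gmsa     = Get-ADServiceAccount -Identity $GmsaName `
                -Properties PrincipalsAllowedToRetrieveManagedPassword

# 1. What AD says: which principals may retrieve the managed password?
Write-Host "Principals allowed to retrieve the password of ${GmsaName}:"
$gmsa.PrincipalsAllowedToRetrieveManagedPassword | ForEach-Object { Write-Host "  $_" }

# 2. Is this computer a (possibly nested) member of the allowed group?
$members  = Get-ADGroupMember -Identity $AllowedGroup -Recursive
$isMember = [bool]($members | Where-Object { $_.SID -eq $computer.SID })
Write-Host "$($computer.Name) is a member of ${AllowedGroup} (recursive): $isMember"
if (-not $isMember) {
    Write-Warning "Add the computer account to $AllowedGroup first; nothing below can succeed until then."
    return
}

# 3. What the host's logon session says. Group SIDs are stamped into the PAC of
#    the machine account's TGT when it logs on, so a host added to the group
#    after boot keeps presenting the old group list until that TGT is replaced.
Write-Host "`nCurrent TGT of the SYSTEM logon session (LUID 0x3e7):"
klist -li 0x3e7 tgt

# 4. Can the LSA on this host actually retrieve the managed password right now?
$ok = Test-ADServiceAccount -Identity $GmsaName
Write-Host "`nTest-ADServiceAccount ${GmsaName}: $ok"

if (-not $ok) {
    # Membership is correct in AD but the cached TGT predates it: purge the
    # SYSTEM session's tickets so the next request to the DC carries a fresh PAC.
    # This is the alternative to rebooting that the reply recommends.
    Write-Host "Purging Kerberos tickets of the SYSTEM logon session and retesting..."
    klist -li 0x3e7 purge | Out-Null
    $ok = Test-ADServiceAccount -Identity $GmsaName
    Write-Host "Test-ADServiceAccount ${GmsaName} after purge: $ok"
    if (-not $ok) {
        Write-Warning "Still failing after the purge; reboot the host, and if it persists open a support case."
    }
}
```

Steps 1 and 2 distinguish a directory problem (the computer is simply not in the allowed group, or the group is not on the gMSA) from the stale-logon problem the reply is about: if step 2 says the computer is a member but step 4 still fails, the purge in the final block is the right fix, and a `Test-ADServiceAccount` that flips to `True` after it confirms the diagnosis without a reboot. Purging 0x3e7 discards every ticket held by SYSTEM on that host; services running as SYSTEM reacquire them transparently on their next Kerberos request.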
Jan 20 2022 07:32 AM
Thanks. We ran Test-ADServiceAccount ourserviceaccount from the DC in question and the result was true. We reinstalled the ATP Sensor client, but downloaded a new version. The original one we started with was 2.167.14829.39882. When we reinstalled this morning we used 2.168.14865.25114. The install completed without any issues. Thanks again for your time.