Using gMSA with ATP results in many 2947 events


We have an ATP deployment with several domains and different Trusts. We have 3 different credentials in use, 2 x 'ordinary' service accounts and 1 x gMSA. On the DCs in the domain where the gMSA is hosted the "Directory Service" event logs are full of 2947 events ("An attempt to fetch the password of a group managed service account failed.") for the gMSA. The source computers for these events are computers in other domains with the ATP sensor installed. Is there any way of filtering which credentials are used by the sensors in a given domain? The deluge of 2947 events is making it difficult to find useful information in the logs of the affected DCs.

No, all sensors need to be able to pull passwords for the gmsa of all other domains where there are entities that might contact the current domain where the sensor is running.
Read this:
https://docs.microsoft.com/en-us/defender-for-identity/directory-service-accounts
For better understanding how to configure it correctly.

@Eli Ofek We have the same issue. All is set up correctly. We only have gMSA but we have multiple forests. For every domain we have a gMSA. This has logon-as-a-service on the DC and the gMSA is installed on the respective DC. Also, the PrincipalsAllowedToRetrieveManagedPassword for the gMSA contains a universal group of which the DC is a member.

Yet, we see a lot of 2947 events. The log shows

2022-05-18 10:30:01.8472 Info RemoteImpersonationManager GetGroupManagedServiceAccountTokenAsync finished [UserName=gMSAxxxx$ Domain=forest1.local IsSuccess=False]
2022-05-18 10:30:01.8472 Info RemoteImpersonationManager CreateImpersonatorInternalAsync finished [UserName=gMSAxxxx$ Domain=forest1.local]
2022-05-18 10:30:01.8472 Warn DirectoryServicesClient CreateLdapConnectionAsync failed to retrieve group managed service account password. [DomainControllerDnsName=unix.local Domain=forest1.local UserName=gMSAxxxx$ ]
2022-05-18 10:30:01.8472 Info RemoteImpersonationManager CreateImpersonatorInternalAsync started [UserName=gMSAxxxx$ Domain=forest2chld.local IsGroupManagedServiceAccount=True]
2022-05-18 10:30:02.5503 Info RemoteImpersonationManager GetGroupManagedServiceAccountTokenAsync finished [UserName=gMSAxxxx$ Domain=forest2chld.local IsSuccess=False]
2022-05-18 10:30:02.5503 Info RemoteImpersonationManager CreateImpersonatorInternalAsync finished [UserName=GMSY000001$ Domain=forest2chld.local]
2022-05-18 10:30:02.5503 Warn DirectoryServicesClient CreateLdapConnectionAsync failed to retrieve group managed service account password. [DomainControllerDnsName=unix.local Domain=forest2chld.local UserName=gMSAxxxx$ ]
2022-05-18 10:30:02.5503 Info RemoteImpersonationManager CreateImpersonatorInternalAsync started [UserName=gMSAxxxx$ Domain=forest2.root IsGroupManagedServiceAccount=True]
2022-05-18 10:30:03.3316 Info RemoteImpersonationManager GetGroupManagedServiceAccountTokenAsync finished [UserName=gMSAxxxx$ Domain=forest2.root IsSuccess=False]
2022-05-18 10:30:03.3316 Info RemoteImpersonationManager CreateImpersonatorInternalAsync finished [UserName=gMSAxxxx$ Domain=forest2.root]
2022-05-18 10:30:03.3316 Warn DirectoryServicesClient CreateLdapConnectionAsync failed to retrieve group managed service account password. [DomainControllerDnsName=unix.local Domain=forest2.root UserName=gMSAxxxx$ ]
2022-05-18 10:30:03.3316 Info DirectoryServicesClient TryCreateLdapConnectionAsync failed [exception=Microsoft.Tri.Infrastructure.ExtendedException: CreateLdapConnectionAsync failed [DomainControllerDnsName=unix.local]

This is on a DC in a forest forest3.local (not present in the log above). It seems that it tries to find an account for the unix.local 'domain' (it is a Unix based LDAP, there is a trust between forest2chld.local and unix.local as well as a two-way trust between forest2.root and forest3.local). It will never succeed.

IMHO it may try this one time, log a message and give up. But it is very aggressive and floods the log...

Please Microsoft - there is more in the world than Windows/Active Directory.
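As an added triage aid (not part of this thread and not code from the Defender for Identity sensor), the following parser reads the sensor log format quoted above and tallies the "failed to retrieve group managed service account password" warnings by the DC name and domain they were attempted against, so the host that can never answer stands out. The sample lines are constructed in the same format; the dc01.forest3.local entry is a hypothetical extra line added only so the tally has more than one DC.

```python
import re
from collections import Counter

# Constructed sample in the same format as the sensor log excerpt quoted in the post.
# The dc01.forest3.local line is hypothetical and only there to give a second DC to count.
SAMPLE_LOG = """\
2022-05-18 10:30:01.8472 Info RemoteImpersonationManager GetGroupManagedServiceAccountTokenAsync finished [UserName=gMSAxxxx$ Domain=forest1.local IsSuccess=False]
2022-05-18 10:30:01.8472 Warn DirectoryServicesClient CreateLdapConnectionAsync failed to retrieve group managed service account password. [DomainControllerDnsName=unix.local Domain=forest1.local UserName=gMSAxxxx$ ]
2022-05-18 10:30:02.5503 Warn DirectoryServicesClient CreateLdapConnectionAsync failed to retrieve group managed service account password. [DomainControllerDnsName=unix.local Domain=forest2chld.local UserName=gMSAxxxx$ ]
2022-05-18 10:30:03.3316 Warn DirectoryServicesClient CreateLdapConnectionAsync failed to retrieve group managed service account password. [DomainControllerDnsName=unix.local Domain=forest2.root UserName=gMSAxxxx$ ]
2022-05-18 10:30:03.3316 Info DirectoryServicesClient TryCreateLdapConnectionAsync failed [exception=Microsoft.Tri.Infrastructure.ExtendedException: CreateLdapConnectionAsync failed [DomainControllerDnsName=unix.local]
2022-05-18 10:30:04.0001 Warn DirectoryServicesClient CreateLdapConnectionAsync failed to retrieve group managed service account password. [DomainControllerDnsName=dc01.forest3.local Domain=forest3.local UserName=gMSAxxxx$ ]
"""

# "<date> <time> <level> <component> <message ... [key=value ...]>"
HEADER_RE = re.compile(r"^(\S+ \S+) (\w+) (\w+) (.*)$")
# The key=value block is the LAST bracket group; nested "[exception=... [k=v]" lines
# still yield the innermost group because it contains no brackets itself.
FIELDS_RE = re.compile(r"\[([^\[\]]*)\]\s*$")
FAILURE_TEXT = "failed to retrieve group managed service account password"


def parse_line(line):
    """Split one sensor log line into timestamp, level, component, message and fields."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    ts, level, component, rest = m.groups()
    fields = {}
    tail = FIELDS_RE.search(rest)
    if tail:
        fields = dict(re.findall(r"(\w+)=(\S+)", tail.group(1)))
        rest = rest[: tail.start()].rstrip()
    return {"ts": ts, "level": level, "component": component, "message": rest, "fields": fields}


def password_fetch_failures(log_text):
    """Count gMSA password-fetch warnings keyed by (DC queried, domain, account)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["level"] == "Warn" and FAILURE_TEXT in rec["message"]:
            f = rec["fields"]
            counts[(f.get("DomainControllerDnsName"), f.get("Domain"), f.get("UserName"))] += 1
    return counts


def failures_by_dc(counts):
    """Collapse the per-domain tally to per-DC totals, highest first."""
    by_dc = Counter()
    for (dc, _domain, _user), n in counts.items():
        by_dc[dc] += n
    return dict(by_dc.most_common())


if __name__ == "__main__":
    for dc, n in failures_by_dc(password_fetch_failures(SAMPLE_LOG)).items():
        print(f"{n:4d}  {dc}")
```

Run against a real sensor log, a DC name that dominates the tally while never succeeding (unix.local in the post) is the trust partner to examine first.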

Interesting feedback on this scenario. Can you share this feedback via email?
AatpFeedback at microsoft com.

@Eli Ofek  e-mail sent. I am happy to provide more information if required.