Microsoft Advanced Threat Analytics Gateway not starting

  • Question

  • Hello. I installed the Microsoft ATA Console and Microsoft ATA Gateway on a fresh 2012 R2 server with all updates preinstalled.

    Here are the settings


    Here are the errors

    Microsoft.Tri.Gateway-Resolution

    2015-10-29 02:44:56.9991 2460 5   00000000-0000-0000-0000-000000000000 Debug [NetworkNameResolver] Initialized
    2015-10-29 02:44:57.0181 2460 5   00000000-0000-0000-0000-000000000000 Debug [DirectoryServicesClient] Initialized
    2015-10-29 02:44:57.0341 2460 5   00000000-0000-0000-0000-000000000000 Debug [DirectoryServicesResolver] Initialized
    2015-10-29 02:44:57.0511 2460 5   00000000-0000-0000-0000-000000000000 Debug [EntityResolver] Initialized
    2015-10-29 02:44:58.4401 2460 5   11ab8557-9725-452e-a456-582d511db311 Debug [NetworkNameResolver] Starting
    2015-10-29 02:44:58.5181 2460 5   11ab8557-9725-452e-a456-582d511db311 Debug [NetworkNameResolver] Started
    2015-10-29 02:44:58.5181 2460 5   11ab8557-9725-452e-a456-582d511db311 Debug [DirectoryServicesClient] Starting
    2015-10-29 02:44:58.5971 2460 5   11ab8557-9725-452e-a456-582d511db311 Error [DirectoryServicesClient] Microsoft.Tri.Infrastructure.ExtendedException: Failed to connect to domain controller [DomainControllerDnsName=dc1.domail.local] ---> System.DirectoryServices.Protocols.LdapException: Произошла локальная ошибка.
       в System.DirectoryServices.Protocols.LdapConnection.BindHelper(NetworkCredential newCredential, Boolean needSetCredential)
       в Microsoft.Tri.Gateway.Resolution.DirectoryServicesClient.CreateLdapConnection(DomainControllerConnectionData domainControllerConnectionData, Boolean isGlobalCatalog)
       --- Конец трассировки внутреннего стека исключений ---
       в Microsoft.Tri.Gateway.Resolution.DirectoryServicesClient.CreateLdapConnection(DomainControllerConnectionData domainControllerConnectionData, Boolean isGlobalCatalog)
       в Microsoft.Tri.Gateway.Resolution.DirectoryServicesClient.TryCreateLdapConnection(DomainControllerConnectionData domainControllerConnectionData)

    Microsoft.Tri.Gateway-Errors

    2015-10-29 02:44:58.5971 2460 5   11ab8557-9725-452e-a456-582d511db311 Error [DirectoryServicesClient] Microsoft.Tri.Infrastructure.ExtendedException: Failed to connect to domain controller [DomainControllerDnsName=dc1.domain.local] ---> System.DirectoryServices.Protocols.LdapException: Произошла локальная ошибка.
       в System.DirectoryServices.Protocols.LdapConnection.BindHelper(NetworkCredential newCredential, Boolean needSetCredential)
       в Microsoft.Tri.Gateway.Resolution.DirectoryServicesClient.CreateLdapConnection(DomainControllerConnectionData domainControllerConnectionData, Boolean isGlobalCatalog)
       --- Конец трассировки внутреннего стека исключений ---
       в Microsoft.Tri.Gateway.Resolution.DirectoryServicesClient.CreateLdapConnection(DomainControllerConnectionData domainControllerConnectionData, Boolean isGlobalCatalog)
       в Microsoft.Tri.Gateway.Resolution.DirectoryServicesClient.TryCreateLdapConnection(DomainControllerConnectionData domainControllerConnectionData)
    2015-10-29 02:44:58.6171 2460 5   00000000-0000-0000-0000-000000000000 Error [KeyedObjectPool`2] Microsoft.Tri.Infrastructure.ContractException: Contract exception
       в Microsoft.Tri.Infrastructure.Utils.KeyedObjectPool`2..ctor(IReadOnlyCollection`1 keysToItems, Int32 maxSize, CancellationToken cancellationToken, Action`1 itemRemovedCallback)
       в Microsoft.Tri.Gateway.Resolution.DirectoryServicesClient.OnStart()
       в Microsoft.Tri.Infrastructure.Framework.Module.Start()
       в Microsoft.Tri.Infrastructure.Framework.ModuleManager.OnStart()
       в Microsoft.Tri.Infrastructure.Framework.Module.Start()
       в Microsoft.Tri.Infrastructure.Framework.Service.OnStart(String[] args)

    Microsoft.Tri.Gateway

    2015-10-29 02:44:55.5171 2460 5   00000000-0000-0000-0000-000000000000 Debug [GatewayService] Starting 
    2015-10-29 02:44:55.6181 2460 5   00000000-0000-0000-0000-000000000000 Debug [GatewayModuleManager] Initialized 
    2015-10-29 02:44:55.8321 2460 5   00000000-0000-0000-0000-000000000000 Debug [SecretManager] Initialized 
    2015-10-29 02:44:55.8481 2460 5   00000000-0000-0000-0000-000000000000 Debug [GatewayConfigurationManager] Initialized 
    2015-10-29 02:44:56.9091 2460 5   00000000-0000-0000-0000-000000000000 Debug [GatewayAppDomainManager] Initialized 
    2015-10-29 02:44:56.9172 2460 5   00000000-0000-0000-0000-000000000000 Debug [GatewayMonitoringEngine] Initialized 
    2015-10-29 02:44:56.9451 2460 5   00000000-0000-0000-0000-000000000000 Debug [EntitySender] Initialized 
    2015-10-29 02:44:56.9991 2460 5   00000000-0000-0000-0000-000000000000 Debug [NetworkNameResolver] Initialized 
    2015-10-29 02:44:57.0181 2460 5   00000000-0000-0000-0000-000000000000 Debug [DirectoryServicesClient] Initialized 
    2015-10-29 02:44:57.0341 2460 5   00000000-0000-0000-0000-000000000000 Debug [DirectoryServicesResolver] Initialized 
    2015-10-29 02:44:57.0511 2460 5   00000000-0000-0000-0000-000000000000 Debug [EntityResolver] Initialized 
    2015-10-29 02:44:57.0711 2460 5   00000000-0000-0000-0000-000000000000 Debug [EventActivityTranslator] Initialized 
    2015-10-29 02:44:57.0801 2460 5   00000000-0000-0000-0000-000000000000 Debug [EventListener] Initialized 
    2015-10-29 02:44:57.0881 2460 5   00000000-0000-0000-0000-000000000000 Debug [WindowsEventLogReader] Initialized 
    2015-10-29 02:44:57.0981 2460 5   00000000-0000-0000-0000-000000000000 Debug [NetworkActivityTranslator] Initialized 
    2015-10-29 02:44:57.1071 2460 5   00000000-0000-0000-0000-000000000000 Debug [NetworkListener] Initialized 
    2015-10-29 02:44:57.1151 2460 5   00000000-0000-0000-0000-000000000000 Debug [GatewayTelemetryManager] Initialized 
    2015-10-29 02:44:57.1231 2460 5   00000000-0000-0000-0000-000000000000 Debug [PerformanceCounterManager] Initialized 
    2015-10-29 02:44:57.1291 2460 5   00000000-0000-0000-0000-000000000000 Debug [GatewayModuleManager] Starting 
    2015-10-29 02:44:57.1372 2460 5   11ab8557-9725-452e-a456-582d511db311 Debug [SecretManager] Starting 
    2015-10-29 02:44:57.1591 2460 5   11ab8557-9725-452e-a456-582d511db311 Debug [SecretManager] Started 
    2015-10-29 02:44:57.1591 2460 5   11ab8557-9725-452e-a456-582d511db311 Debug [GatewayConfigurationManager] Starting 
    2015-10-29 02:44:58.3111 2460 5   11ab8557-9725-452e-a456-582d511db311 Debug [GatewayConfigurationManager] Started 
    2015-10-29 02:44:58.3111 2460 5   11ab8557-9725-452e-a456-582d511db311 Debug [GatewayAppDomainManager] Starting 
    2015-10-29 02:44:58.3201 2460 5   11ab8557-9725-452e-a456-582d511db311 Debug [GatewayAppDomainManager] Started 
    2015-10-29 02:44:58.3201 2460 5   11ab8557-9725-452e-a456-582d511db311 Debug [GatewayMonitoringEngine] Starting 
    2015-10-29 02:44:58.3281 2460 5   11ab8557-9725-452e-a456-582d511db311 Debug [GatewayMonitoringEngine] Started 
    2015-10-29 02:44:58.3281 2460 5   11ab8557-9725-452e-a456-582d511db311 Debug [EntitySender] Starting 
    2015-10-29 02:44:58.4401 2460 5   11ab8557-9725-452e-a456-582d511db311 Debug [EntitySender] Started 
    2015-10-29 02:44:58.4401 2460 5   11ab8557-9725-452e-a456-582d511db311 Debug [NetworkNameResolver] Starting 
    2015-10-29 02:44:58.5181 2460 5   11ab8557-9725-452e-a456-582d511db311 Debug [NetworkNameResolver] Started 
    2015-10-29 02:44:58.5181 2460 5   11ab8557-9725-452e-a456-582d511db311 Debug [DirectoryServicesClient] Starting 
    2015-10-29 02:44:58.5971 2460 5   11ab8557-9725-452e-a456-582d511db311 Error [DirectoryServicesClient] Microsoft.Tri.Infrastructure.ExtendedException: Failed to connect to domain controller [DomainControllerDnsName=dc1.domain.local] ---> System.DirectoryServices.Protocols.LdapException: Произошла локальная ошибка.
       в System.DirectoryServices.Protocols.LdapConnection.BindHelper(NetworkCredential newCredential, Boolean needSetCredential)
       в Microsoft.Tri.Gateway.Resolution.DirectoryServicesClient.CreateLdapConnection(DomainControllerConnectionData domainControllerConnectionData, Boolean isGlobalCatalog)
       --- Конец трассировки внутреннего стека исключений ---
       в Microsoft.Tri.Gateway.Resolution.DirectoryServicesClient.CreateLdapConnection(DomainControllerConnectionData domainControllerConnectionData, Boolean isGlobalCatalog)
       в Microsoft.Tri.Gateway.Resolution.DirectoryServicesClient.TryCreateLdapConnection(DomainControllerConnectionData domainControllerConnectionData) 
    2015-10-29 02:44:58.6171 2460 5   00000000-0000-0000-0000-000000000000 Error [KeyedObjectPool`2] Microsoft.Tri.Infrastructure.ContractException: Contract exception
       в Microsoft.Tri.Infrastructure.Utils.KeyedObjectPool`2..ctor(IReadOnlyCollection`1 keysToItems, Int32 maxSize, CancellationToken cancellationToken, Action`1 itemRemovedCallback)
       в Microsoft.Tri.Gateway.Resolution.DirectoryServicesClient.OnStart()
       в Microsoft.Tri.Infrastructure.Framework.Module.Start()
       в Microsoft.Tri.Infrastructure.Framework.ModuleManager.OnStart()
       в Microsoft.Tri.Infrastructure.Framework.Module.Start()
       в Microsoft.Tri.Infrastructure.Framework.Service.OnStart(String[] args) 
    2015-10-29 02:45:04.2956 2332 5   00000000-0000-0000-0000-000000000000 Debug [GatewayService] Starting 
    2015-10-29 02:45:04.3755 2332 5   00000000-0000-0000-0000-000000000000 Debug [GatewayModuleManager] Initialized 

    I used both an account with low access rights and a domain admin account in the MATA settings; it did not help.

    Ping and DNS resolution of dc1.domain.local are OK.

    The ATA certificate is red in the browser, but the console works fine. Is that critical?

    The ATA gateway is not joined to the domain.

    • Edited by a_Savage_ Thursday, October 29, 2015 2:54 AM
    Thursday, October 29, 2015 2:53 AM

All replies

  • Hi,

    A normal Domain User has enough rights to sync the entities from the AD.

    BTW, I saw in your first log: Failed to connect to domain controller [DomainControllerDnsName=dc1.domail.local]

    > domai[l] instead of domai[n]

    It is possible that you typed something wrong during the installation.

    The certificate is red because it is a self-signed certificate. So this is normal and OK for internal connections.

    For testing you can install the RSAT for your server version and try "Get-ADUser -Filter *" to see if your server is able to connect to the DC. You can also use "Get-ADUser -Filter * -Credential (Get-Credential)" to use it with the user which should be used in MATA.

    Regards

    Thursday, October 29, 2015 6:52 AM
  • Hi a_Savage,

    The exception "A local error occurred" usually means that, for some reason, the ATA Gateway failed to bind to the DC using Kerberos (the ATA Gateway will always try to authenticate with the DC using Kerberos, even if the GW machine is not domain joined).

    Since you are not getting a credentials error, it seems the credentials are correct.

    Some things that you can check:

    1. Validate the time on the ATA Gateway and make sure it is correct. If the time is wrong, this may cause Kerberos authentication to fail.

    2. Check the DNS settings on the ATA Gateway and make sure it is pointing to a domain DNS server (Kerberos sometimes relies on DNS to work).

    You can also run the following in an elevated command prompt after the ATA service starts, to check the Kerberos KDC binding cache:

    KLIST query_bind

    If ATA Gateway can successfully communicate with the DC using Kerberos, you should get something like:

    Current LogonId is 0:0x1004b
    The kerberos KDC binding cache has been queried successfully.
    
    KDC binding cache entries: (1)
    
    #0>     RealmName: ophirp.local
            KDC Address: 192.168.222.1
            KDC Name: DC.ophirp.local
            Flags: 0
            DC Flags: 0xe000f1fc -> GC LDAP DS KDC TIMESERV CLOSEST_SITE WRITABLE FULL_SECRET WS DS_8 PING DNS_DC DNS_DOMAIN DNS_FOREST
            Cache Flags: 0

    If you do not get similar output, this may also be an indication that Kerberos between the ATA GW and the DC does not work as expected.

    Hope this helps.

     Microsoft ATA Team.

    Thursday, October 29, 2015 12:05 PM
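
The two replies above suggest four separate checks (an LDAP test with the gateway's account, clock skew, DNS, and `klist query_bind`). The script below is an added example that bundles them into one diagnostic run from the gateway host; it is not code from the thread or from the Microsoft ATA product. `dc1.domain.local` is the placeholder DC name taken from the thread, the credential prompt stands in for the account configured in the gateway settings, and the 300-second tolerance is the Kerberos default clock skew, not an ATA-specific value. The LDAP step performs a Kerberos bind with `System.DirectoryServices.Protocols`, which is the same class the gateway's stack trace shows failing.

```powershell
# Added diagnostic for the "Failed to connect to domain controller / local error"
# symptom discussed in this thread. Not part of ATA; run as an administrator on the gateway.
param(
    [string]$DcFqdn = 'dc1.domain.local',   # placeholder DC name from the thread; adjust
    [int]$MaxSkewSeconds = 300               # Kerberos default clock tolerance (5 minutes)
)

Add-Type -AssemblyName System.DirectoryServices.Protocols

$domain = $DcFqdn.Substring($DcFqdn.IndexOf('.') + 1)

# 1. DNS: the gateway must resolve the DC itself and the domain's Kerberos SRV record.
#    A DNS server that is not domain-aware resolves the A record but not the SRV record.
try {
    $a = Resolve-DnsName -Name $DcFqdn -Type A -ErrorAction Stop
    Write-Host "A record for ${DcFqdn}: $($a.IPAddress -join ', ')"
    $srv = Resolve-DnsName -Name "_kerberos._tcp.$domain" -Type SRV -ErrorAction Stop
    Write-Host "Kerberos SRV targets: $($srv.NameTarget -join ', ')"
} catch {
    Write-Warning "DNS check failed: $($_.Exception.Message). Point the gateway at a domain DNS server."
}

# 2. Time skew against the DC. Kerberos rejects tickets when clocks differ by more
#    than the tolerance, and a non-domain-joined box does not sync from the DC by default.
$stripchart = w32tm /stripchart /computer:$DcFqdn /samples:1 /dataonly 2>&1
$offsetLine = $stripchart | Select-String -Pattern ',\s*([+-]\d+\.\d+)s' | Select-Object -Last 1
if ($offsetLine) {
    $offset = [double]$offsetLine.Matches[0].Groups[1].Value
    if ([math]::Abs($offset) -gt $MaxSkewSeconds) {
        Write-Warning "Clock skew of ${offset}s exceeds ${MaxSkewSeconds}s; fix time sync first."
    } else {
        Write-Host "Clock skew vs ${DcFqdn}: ${offset}s (OK)"
    }
} else {
    Write-Warning "Could not measure time offset: $($stripchart -join ' ')"
}

# 3. Kerberos LDAP bind with the account the gateway is configured to use.
#    The thread's Russian message is LdapException "local error" (LDAP_LOCAL_ERROR, code 82),
#    a client-side failure to obtain a Kerberos ticket rather than a wrong password.
$cred = Get-Credential -Message "Account configured in the ATA Gateway settings"
$identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($DcFqdn, 389)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($identifier)
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Kerberos
$conn.SessionOptions.ProtocolVersion = 3
$conn.Credential = $cred.GetNetworkCredential()
try {
    $conn.Bind()
    Write-Host "Kerberos LDAP bind to ${DcFqdn} succeeded as $($cred.UserName)"
} catch [System.DirectoryServices.Protocols.LdapException] {
    Write-Warning ("Kerberos LDAP bind failed (ErrorCode {0}): {1}" -f $_.Exception.ErrorCode, $_.Exception.Message)
} finally {
    $conn.Dispose()
}

# 4. Optional: the RSAT test from the first reply, limited to one object so it stays cheap.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    try {
        $u = Get-ADUser -Filter * -Server $DcFqdn -Credential $cred -ResultSetSize 1 -ErrorAction Stop
        Write-Host "Get-ADUser via ${DcFqdn} returned: $($u.SamAccountName)"
    } catch {
        Write-Warning "Get-ADUser failed: $($_.Exception.Message)"
    }
}

# 5. KDC binding cache, as in the second reply. An empty cache right after the bind
#    attempt above points at Kerberos/KDC discovery rather than at the credentials.
klist query_bind
```

Read the output top to bottom: a DNS or skew failure in steps 1 and 2 explains a step 3 failure on its own, while a clean DNS and clock with a code 82 bind failure and an empty binding cache in step 5 narrows the problem to the gateway's ability to reach a KDC. Because the script only performs reads and a single bind, it is safe to repeat after each configuration change.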