Microsoft Advanced Threat Analytics Center service terminated unexpectedly

  • Question

  • Hello,

    I am trying to set up ATA and the server that we are installing the ATA Center on has a system log filled with these messages:

    "The Microsoft Advanced Threat Analytics Center service terminated unexpectedly.  It has done this 274 time(s).  The following corrective action will be taken in 5000 milliseconds: Restart the service."

    There does not seem to be anything else in the event logs that indicate why this is happening.  This is a Windows Server 2012 R2 machine that was freshly installed.

    Any thoughts on what I can do to troubleshoot this?

    Thanks,

    Matt

    Thursday, September 24, 2015 5:13 PM

All replies

  • I noticed that there is a Logs folder: C:\Program Files\Microsoft Advanced Threat Analytics\Center\Logs and in that folder is a file called Microsoft.Tri.Center-Errors.  In that file I see a bunch of the messages below.

    This may be a separate issue but on the ATA Center configuration page there is a drop down for a Certificate but the field is empty and if I click on the arrow it doesn't display anything (as in I cannot select anything because there is nothing to select).

      at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
       at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)
       at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()
       at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey()
       at Microsoft.Tri.Infrastructure.Utils.SecurityProvider.DecryptPrivateAsymmetric(Byte[] encryptedData, X509Certificate2 certificate)
       at Microsoft.Tri.Infrastructure.Framework.SecretManager.OnStart()
       at Microsoft.Tri.Infrastructure.Framework.Module.Start()
       at Microsoft.Tri.Infrastructure.Framework.ModuleManager.OnStart()
       at Microsoft.Tri.Infrastructure.Framework.Module.Start()
       at Microsoft.Tri.Infrastructure.Framework.Service.OnStart(String[] args)
    2015-09-24 17:38:53.9944 2784 5   00000000-0000-0000-0000-000000000000 Error [Utils] System.Security.Cryptography.CryptographicException: Invalid provider type specified.

    Thursday, September 24, 2015 5:42 PM
  • Hi Matt,

    What is the certificate you chose during the deployment?
    If you don't remember can you please uninstall and install again and this time take a note of the certificate you are choosing and make sure it is a valid certificate (I am assuming you won't mind uninstalling since the center is not working at the moment).

    Waiting to hear from you.

    The ATA Team.

    Thursday, October 1, 2015 2:29 PM
  • Hello,

    I uninstalled the product, removing all settings and databases.  I then reinstalled it twice - choosing a different certificate each time (that makes a total of three different certificates I tried with the install).  I selected the same certificate for both of the certificate prompts.    The services would not start.  These certificates are pushed through our on-premise Windows 2012 R2 CA.

    I then performed the install a fourth time choosing the Self Signed certificates boxes for both certificates.  The services started.

    Is there some documentation on the requirements for the certificates?  I do not see any on Technet.  There must be something about these certs that the service does not like.

    Thank you,

    Matt


    • Edited by MB2009 Monday, October 5, 2015 8:58 PM
    Monday, October 5, 2015 8:34 PM
  • Hi Matt,

    When you uninstall the center, did you choose the option "Delete all data..." ?

    Also - anything special about your CA (Like being old) ?

    ATA Team

    Wednesday, October 7, 2015 12:42 PM
  • Hello,

    Yes - I chose to delete all data.

    - Is there documentation on the certificate requirements?
    - What Purposes (Server Authentication? Data Encryption? Etc?) are required on the certificates?
    - Are there any other attributes that are required?
    - What Subject Name is required on the certificate?  Are any Subject Alternative names required?

    There is obviously something about the certificates that I am trying to use that the services do not like but without documentation I cannot verify if my certificates meet those needs.

    Thank you,

    Matt


    Thursday, October 15, 2015 2:33 PM
  • Hi Matt,

    The certificate should be for client & server authentication purposes with no special attributes required.
    Only the management/ATA Console certificate should have the FQDN of the center.

    Could you share with us public part of the certificates that cause this issue so that we could examine them?

    Thanks,

    The ATA Team.

    Sunday, October 18, 2015 6:29 AM
  • Hi Matt,

    The certificate should be for client & server authentication purposes with no special attributes required.
    Only the management/ATA Console certificate should have the FQDN of the center.

    Could you share with us public part of the certificates that cause this issue so that we could examine them?

    Thanks,

    The ATA Team.

    I have the same issue.  My certs are from an outside vendor, sha256, 2048 in length, valid for "Server Authentication (1.3.6.1.5.5.7.3.1)
    Client Authentication (1.3.6.1.5.5.7.3.2)".  I even exported the certs to put them in the machine store of both the gateways and the "Center."   ... but after reinstall with self-signed, I still get the errors and cannot install the gateways.  
    Tuesday, March 8, 2016 5:20 PM
  • Can you please share your logs with ATAEval at microsoft.com?
    Sunday, March 13, 2016 8:16 PM
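
The following PowerShell script is an added example, not part of the original thread and not Microsoft's tooling. For each certificate with a private key in the machine store, it checks the requirements stated by the ATA Team above (Client and Server Authentication EKUs, FQDN of the Center) and whether the `X509Certificate2.PrivateKey` getter seen in the stack trace returns a legacy CSP key. The .NET Framework raises "Invalid provider type specified" from that getter when the key is not held in a legacy CryptoAPI provider (for example a CNG key storage provider); the thread does not confirm that this was the cause here. The `$CenterFqdn` default and the output property names are assumptions of the example.

```powershell
# Added example: run elevated on the ATA Center server.
param(
    # Assumption: the Center FQDN is this machine's DNS host name.
    [string]$CenterFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
)

$serverAuth = '1.3.6.1.5.5.7.3.1'   # Server Authentication
$clientAuth = '1.3.6.1.5.5.7.3.2'   # Client Authentication
$ekuType    = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]

Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey } |
    ForEach-Object {
        $cert = $_

        # Collect the EKU OIDs; no EKU extension yields an empty list.
        $ekus = @($cert.Extensions |
            Where-Object { $_ -is $ekuType } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            ForEach-Object { $_.Value })

        # Call the same getter that fails in the stack trace. Depending on the
        # runtime it throws or returns a non-CSP key object for CNG-stored keys,
        # so both outcomes are handled.
        $key = $null
        $keyError = $null
        try { $key = $cert.PrivateKey }
        catch { $keyError = $_.Exception.GetBaseException().Message }

        # GetNameInfo returns a single DNS name (from the SAN if present).
        $dnsName = $cert.GetNameInfo('DnsName', $false)

        [pscustomobject]@{
            Subject        = $cert.Subject
            Thumbprint     = $cert.Thumbprint
            NotAfter       = $cert.NotAfter
            ServerAuthEku  = $ekus -contains $serverAuth
            ClientAuthEku  = $ekus -contains $clientAuth
            DnsName        = $dnsName
            MatchesFqdn    = $dnsName -ieq $CenterFqdn
            LegacyCspKey   = $key -is [System.Security.Cryptography.RSACryptoServiceProvider]
            KeyAccessError = $keyError
        }
    } | Format-List
```

A certificate that shows `LegacyCspKey : False` will fail in any code path that, like the one in the log above, reads the key through `RSACryptoServiceProvider`.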