Microsoft Advanced Threat Analytics Center service terminated - expired certificate

    Question

  • Hi,

    I'm running MS ATA 1.9.7312.32791 and haven't had any issues for close to two years.

    I noticed yesterday that I didn't receive my daily emails from MS ATA so this morning I checked the ATA server and my event log is full of this message:

    The Microsoft Advanced Threat Analytics Center service terminated unexpectedly.  It has done this 14 time(s).  The following corrective action will be taken in 5000 milliseconds: Restart the service.

    I went and checked the log files and in the Errors log file I see this message logged over and over:

    Error [CertificateExtension] Microsoft.Tri.Infrastructure.Utils.ExtendedException: There are no matching certificates [StoreLocation=LocalMachine StoreName=My thumbprint=660CXXXXXX]

    So I checked the certificates on the server and I can't find a certificate with the thumbprint of 660CXXXXXX.

    If I look in MMC I do see the certificate for the server and it shows that it was recently renewed (probably automatically through Active Directory).

    I can't access the ATA website on the server to specify the new certificate.

    How can I fix this?  Do I need to re-install ATA?  If I re-install will I lose all the information that has already been collected?

    Thanks in advance,

    Nick

    Thursday, December 6, 2018 5:56 PM

All replies

  • Sadly a complete reinstall is in order.

    ATA does not support cert renewal, only replacement, which should happen using ATA's UI BEFORE the previous cert expired, because we encrypt data with this cert, and once it changes, we can't decrypt the data any more.

    Thursday, December 6, 2018 10:29 PM
  • Ok thanks.

    I guess I need to pay more attention to the cert renewal date going forward.

    Do I need to un-install the current version of ATA first?  And what about the ATA gateways?

    Thanks

    Nick

    Thursday, December 6, 2018 10:48 PM
  • Yes, uninstall Center & GWs and start from scratch
    Thursday, December 6, 2018 11:04 PM
  • Uggh ok.  Wish I had documented my configuration as I'll have to re setup everything again.

    Thanks

    Thursday, December 6, 2018 11:15 PM
  • Look in the center deployment folder for a "Backup" folder; it should have a JSON export of all your settings.

    You can't really import it to the new deployment if the cert expired, but it might be a good hint as to which configurations were in use.

    Thursday, December 6, 2018 11:19 PM
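
The thread's failure mode (a service pinned to a certificate thumbprint that auto-renewal replaced in LocalMachine\My) can be caught ahead of time with a scheduled check. The script below is an added example, not part of the original thread and not Microsoft's tooling; the `-Thumbprint` and `-WarnDays` parameters and the 30-day "recently issued" window are assumptions chosen for illustration.

```powershell
# Added example: watch the certificate a service is pinned to by thumbprint.
# The thumbprint is supplied by the operator; nothing is read from ATA itself.
param(
    [Parameter(Mandatory)][string]$Thumbprint,
    [int]$WarnDays = 60    # assumed alert threshold
)

# Strip spaces and invisible characters that often come along when a
# thumbprint is copied out of the certificate dialog.
$pinned = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

$store = Get-ChildItem -Path Cert:\LocalMachine\My
$cert  = $store | Where-Object { $_.Thumbprint -eq $pinned }

if (-not $cert) {
    # Same condition the service reports as "There are no matching certificates".
    Write-Warning "Thumbprint $pinned is not in LocalMachine\My."
    # Recently issued certificates are the likely products of an automatic
    # renewal; they carry a new thumbprint, so the pinned one no longer resolves.
    $store |
        Where-Object { $_.NotBefore -gt (Get-Date).AddDays(-30) } |
        Select-Object Subject, Thumbprint, NotBefore, NotAfter |
        Format-Table -AutoSize
    exit 2
}

# Data is encrypted with this certificate, so the private key must be present.
if (-not $cert.HasPrivateKey) {
    Write-Warning "Certificate $pinned has no private key on this machine."
    exit 2
}

$daysLeft = [math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
if ($daysLeft -lt $WarnDays) {
    Write-Warning "Certificate $pinned expires in $daysLeft day(s) ($($cert.NotAfter)). Replace it through the product UI before that date."
    exit 1
}

Write-Output "Certificate $pinned is present and valid for $daysLeft more day(s)."
exit 0
```

Run it from a scheduled task and alert on a non-zero exit code: 1 means the pinned certificate is close to expiry, 2 means it is missing or unusable.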