False positive - Broken Trust between computers and domain

  • Question

  • Hi,

    I believe I am getting false positive reports - MATA reports that a computer (a RDS server) has a broken trust.

    I have investigated, and nothing seems wrong:

    logons are working OK,
    GPOs are applied,
    no issues reported in the event log on the reported server or on the monitored DCs either side of the time MATA alerted on this.

    As a precaution I ran the old Reset-ComputerMachinePassword cmdlet, but the issue resurfaced within an hour or so.

    So is this a false positive? How does MATA determine the relationship? As only event ID 4776 is being forwarded, how does the gateway service determine that a relationship is broken?

    Is there a way to suppress this entry in MATA so it doesn't send me an email at silly o'clock or just linger in the timeline?

    Any advice would be helpful,  

    Wayne


    Thursday, March 9, 2017 4:56 PM

All replies

  • Hello Wayne,

    When ATA sees multiple Kerberos pre-authentication failed requests for a machine in a period of time, ATA detects a broken trust relationship, which means that group policy and security settings may not be applied to the computer.

    When a computer is joined to the domain, a secure channel password is stored with the computer account on the domain controller. By default, this password is changed every 30 days. ATA may raise this alert when the secure channel password held by the computer does not match what is stored in AD. Before simply rejoining the computer to the domain, we can verify the issue remotely using the commandlet test-computersecurechannel as shown below.

    Invoke-Command -ComputerName <broken trust computer name> -ScriptBlock { Test-ComputerSecureChannel }


    In addition, to suppress this alert, you can change the status of the suspicious activity to Dismissed by clicking the current status.

    By the way, Windows event 4776 is used to further enhance ATA Pass-the-Hash detection.

    Best regards,
    Andy Liu


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, March 10, 2017 2:05 AM
  • Hi Andy,

    Thanks for your detailed reply, really helpful.

    I retested the secure channel as suggested and it returns True, indicating that all is fine. As users can log in and GPOs (even a dedicated test GPO) are being picked up and applied, it would indicate all is well with this server except for this ATA report.

    Your info about it detecting pre-authentication failures as its flagging method led me to investigate more on 4768 events. I do seem to have lots of them when filtered, and I think they have been ignored here as white noise, so would these be what is flagging the server up as having a broken relationship? Other servers have mentions in the 4768 events but aren't flagged by ATA?

    Is this actually worth investigating further if service seems to be unaffected?

    Is it worth scheduling some downtime and dropping this RDS server off the domain and rejoining it regardless? 

    On a general note, the domain functional level is "Windows Server 2008"; unsure why it's not been raised to a higher level. Does domain functional level have an impact on ATA?

    The functional level is the only stand-out thing I have really noticed. All servers are 2012 or higher, all clients Windows 10.

    I had previously tried both the Resolved and the Dismissed options in ATA for this broken relationship alert and it still haunts the timeline. I will further dismiss it in the hope it doesn't return.

    Once again, thanks,
    Wayne

    Friday, March 10, 2017 1:50 PM
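Andy's description of the detection (repeated Kerberos pre-authentication failures for the machine) and Wayne's look at 4768 events both lead to the same triage steps: confirm the secure channel from the flagged machine itself, then pull the Kerberos failure events for that machine account from a monitored DC. The script below is an added example, not code from the thread or from ATA; it assumes a flagged computer $Computer, a monitored DC $DC, and a caller who can run remote commands on $Computer and read the DC's Security log.

```powershell
# Added triage script (not from the thread or the ATA product). Assumes
# $Computer is the machine ATA flagged, $DC is a DC ATA monitors, and the
# caller has remoting rights on $Computer and read access to the DC log.
param(
    [Parameter(Mandatory)] [string] $Computer,   # e.g. the flagged RDS server
    [Parameter(Mandatory)] [string] $DC,         # a DC that ATA monitors
    [int] $Hours = 2                              # window around the alert
)

# 1. Confirm the secure channel from the flagged machine's own point of view.
#    -Verbose shows which DC was contacted. -Repair would reset the machine
#    password and is deliberately not used here, so the evidence is preserved.
$channelOk = Invoke-Command -ComputerName $Computer -ScriptBlock {
    Test-ComputerSecureChannel -Verbose
}
"Secure channel for $Computer as reported by the machine itself: $channelOk"

# 2. Look for Kerberos failures for the machine account on the DC.
#    4771 = pre-authentication failed; 4768 = TGT request, where a failed
#    request carries a non-zero Status. Machine accounts authenticate as HOST$.
$account = $Computer.Split('.')[0] + '$'
$filter = @{
    LogName   = 'Security'
    Id        = 4768, 4771
    StartTime = (Get-Date).AddHours(-$Hours)
}
$events = Get-WinEvent -ComputerName $DC -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            Account = $d['TargetUserName']
            Status  = $d['Status']
            Client  = $d['IpAddress']
        }
    } |
    Where-Object { $_.Account -ieq $account -and $_.Status -ne '0x0' }

if ($events) {
    "Kerberos failures for $account on $DC in the last $Hours h:"
    $events | Sort-Object Time | Format-Table -AutoSize
} else {
    "No failed 4768/4771 events for $account on $DC in the last $Hours h."
}
```

A True secure channel together with a run of 4771/4768 failures for the HOST$ account points at a stale credential source (for example a reverted VM or a service still presenting an old machine password) rather than a genuinely broken trust; no failures at all supports the false-positive reading.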
  • Hello Wayne,

    I don't think this is relevant to Event 4776 or domain functional level.

    I would recommend getting the most recent update installed for ATA, and then keeping watch on this issue to see if it occurs again.

    You can get and install the most recent updates from the following link.

    https://www.microsoft.com/en-us/download/details.aspx?id=53943

    Best regards,

    Andy Liu


    Tuesday, April 4, 2017 10:04 AM
  • Yes, when a computer is joined to the domain, a secure channel password is stored with the computer account on the domain controller. By default, this password is changed every 30 days. ATA may raise this alert when the secure channel password held by the computer does not match what is stored in AD.

    This is correct!!

    Farooque

    Tuesday, April 4, 2017 10:19 AM
  • In what scenarios will the password held by the computer not match what is stored in AD?

    Since the password change is ALWAYS initiated by the computer (a DC never initiates or changes it by itself), and - if I recall correctly - the computer will not change its password until after it has received verification of a successful change from the DC, the only scenario I can see for the passwords not matching is when you revert a virtual machine (or restore from a backup).


    Tom Aafloen, IT-security Consultant Onevinn AB

    Wednesday, May 31, 2017 10:39 AM