Tag: Microsoft Defender for Identity

Defender for Identity: NTLM Warning Troubleshoot

Hi everyone hope you guys are enjoying your weekend, today is actually the day where Malaysian votes for their new leader (Prime Minister).

Prove that I have voted! This year voting allocation for special needs and old folks was really convenient.



Anyway, let’s start the topic of today!

Microsoft recently alerts tenant’s Defender for Identity admin portal due to new requirements require to implement on the domain controller’s GPO.

The warning should look like this in your Defender for Identity Admin portal:

There is a link of recommendations that it should guide you to how to resolve this issue. However, I realize the article by Microsoft did not CLEARLY wrote the steps on how to locate the Group Policy. This feedback had been raised to the authors and they had already attended to it.

In your domain controller’s Event viewer logs you should receive an event ID showing 8004.

It would affect to those domain controllers that does not have this policy enabled. To enable the policy, you should follow the steps below.

Resolution Steps:

  1. Login to a writable domain controller with the right permission that can modify the GPO
  2. Go to Start > Search and Launch Group Policy Management
  3. Select Group Policy Objects > Find Default Domain Controllers Policy > Right click and edit Default Domain Controllers Policy
  4. Expand Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
  5. Select “Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers” > Choose Audit all > OK
  6. Select “Network security: Restrict NTLM: Audit NTLM authentication in this domain” > Choose Enable all > OK
  7. Select “Network security: Restrict NTLM: Audit Incoming NTLM Traffic” > Choose Enable auditing for all accounts > OK
  8. Go to Start > Search and launch Command Prompt > Run this command “gpupdate /force“. (For immediate apply, do this to all the available Domain controllers with the sensor agent too)

References:

  1. https://learn.microsoft.com/en-us/defender-for-identity/configure-windows-event-collection#event-id-8004

Active Directory and Microsoft Defender for Identity: Defender for Identity agent failed to communicate with domain controller

Hi guys hope you guys are having a nice day today. Today I would like to bring to you about an experience that I had met involving the defender for identity and domain controller.

The problem was the defender for identity stop working all of the sudden and same goes to the group policy. This environment has more than 1 domain controllers running and only 1 of them having issue. There was no one to keep track of what was being done previously.

There was no proper error code to be found in the event logs, on the affected domain controller mentioning what was the reason. There was list of Kerberos error code and intermittent sync on the DNS, DFS replication and directory sync.

Hence, I have collected the event logs on the affected domain controller and the defender for identify logs from C:\Program Files\Azure Advanced Threat Protection Sensor\version number\Logs. Based on my findings, that the affect domain controller’s computer object was not in the default domain controller organizational unit.

These was what in the defender for identity logs shows:

A task was canceled. Error DirectoryServicesClient Microsoft.Tri.Infrastructure.ExtendedException: Failed to communicate with configured domain controllers

Warn GroupManagedServiceAccountImpersonationHelperGetGroupManagedServiceAccountAccessTokenAsync started. Error Service Controller Extension ChangeServiceStatus failed to change service status [name=AATPSensor status=Running Exception=System.ServiceProcess.TimeoutException: Time out has expired and the operation has not been completed. at System.ServiceProcess.ServiceController. WaitForStatus(ServiceControllerStatus desiredStatus,TimeSpam timeout]

Resolution

  1. Schedule a downtime if required
  2. Analyze the affected domain controller’s computer object location
  3. Move the affected domain controller into the default domain controller Organizational Unit
  4. On impacted domain controller, run the command sc triggerinfo kdssvc start/networkon.  By doing this, we are changing the trigger for the Microsoft Key Distribution Service (KdsSvc) to start the service as soon as the network is available
  5. Then restart the affected domain controller

References

  1. https://docs.microsoft.com/en-us/defender-for-identity/troubleshooting-using-logs