Defender for Identity - gMSA error
Hi All,
Need your kind advice
We are trying to configure Defender for Identity using a gMSA account, since it is currently configured using a service account and the sensor is working fine.
When we change to the gMSA, the sensor connection fails and we get the error below. All ports are opened, we followed the document below and added the NT SERVICE\ALL SERVICES account as well. Please advise on how to fix this.
https://learn.microsoft.com/en-us/defender-for-identity/deploy/create-directory-service-account-gmsa
Logs -
Object name: 'LdapConnection'.
at DirectoryResponse System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
at async Task<IReadOnlyCollection<SearchResultEntry>> Microsoft.Tri.Sensor.DirectoryServicesClient.SearchInternalAsync(SearchRequest searchRequest, DomainControllerConnection domainControllerConnection, DirectoryServicesSearchOptions options)
--- End of inner exception stack trace ---
at async Task<IReadOnlyCollection<SearchResultEntry>> Microsoft.Tri.Sensor.DirectoryServicesClient.SearchInternalAsync(SearchRequest searchRequest, DomainControllerConnection domainControllerConnection, DirectoryServicesSearchOptions options)
at async Task<IReadOnlyCollection<DirectoryServicesSearchResult>> Microsoft.Tri.Sensor.DirectoryServicesClient.SearchAsync(SearchRequest searchRequest, DomainControllerConnection domainControllerConnection, DirectoryServicesSearchOptions options)
at async Task<IReadOnlyCollection<DirectoryServicesSearchResult>> Microsoft.Tri.Sensor.DirectoryServicesClient.SearchObjectsInternalSyncedAsync(DomainControllerConnection domainControllerConnection, DistinguishedName baseDistinguishedName, SearchScope scope, string filter, string[] attributeNames, DirectoryServicesSearchOptions options)
at void Microsoft.Tri.Infrastructure.Syncer<T, TResult>+<>c__DisplayClass1_0+<<RunAsync>g__RunFunctionAsync|0>d.MoveNext()
at async Task<IReadOnlyCollection<DirectoryServicesSearchResult>> Microsoft.Tri.Sensor.DirectoryServicesClient.SearchObjectsInternalAsync(Guid connectionKey, DistinguishedName baseDistinguishedName, SearchScope scope, string filter, string[] attributeNames, DirectoryServicesSearchOptions options)
at async Task<IReadOnlyCollection<DirectoryServicesSearchResult>> Microsoft.Tri.Sensor.DirectoryServicesClient.SearchObjectsAsync(Guid connectionKey, DistinguishedName baseDistinguishedName, SearchScope scope, string filter, string[] attributeNames, DirectoryServicesSearchOptions options)
at async Task<DirectoryServicesSearchResult> Microsoft.Tri.Sensor.DirectoryServicesClient.SearchObjectAsync(Guid connectionKey, DistinguishedName baseDistinguishedName, SearchScope scope, string filter, string[] attributeNames, DirectoryServicesSearchOptions options)
at async Task<DomainControllerSyncData> Microsoft.Tri.Sensor.DirectoryServicesResolver.GetDomainControllerSyncDataAsync(Domain domain)
at async Task Microsoft.Tri.Sensor.DirectoryServicesResolver.UpdateDirectoryEntityChangesAsync()
at async Task Microsoft.Tri.Infrastructure.Module.RunTaskAsync(Func<Task> actionAsync, string name, SimpleTimeMetric timeMetric)
at void Microsoft.Tri.Infrastructure.Module+<>c__DisplayClass28_0+<<RegisterPeriodicTask>b__1>d.MoveNext()
at void Microsoft.Tri.Infrastructure.TaskExtension+<>c__DisplayClass22_0+<<RunPeriodic>b__0>d.MoveNext()
2024-10-02 10:28:19.2491 Error DirectoryServicesClient+<SearchInternalAsync>d__38 Microsoft.Tri.Infrastructure.ExtendedException: LDAP search failed [DomainControllerDnsName=LDA.XXXXX.net IsGlobalCatalog=False DistinguishedName=CN=Configuration,DC=XXXXX,DC=net Scope=Subtree Filter=(objectClass=nTDSDSA) AttributeCount=19] ---> System.ObjectDisposedException: Cannot access a disposed object.
Object name: 'LdapConnection'.
at DirectoryResponse System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
at async Task<IReadOnlyCollection<SearchResultEntry>> Microsoft.Tri.Sensor.DirectoryServicesClient.SearchInternalAsync(SearchRequest searchRequest, DomainControllerConnection domainControllerConnection, DirectoryServicesSearchOptions options)
--- End of inner exception stack trace ---
at async Task<IReadOnlyCollection<SearchResultEntry>> Microsoft.Tri.Sensor.DirectoryServicesClient.SearchInternalAsync(SearchRequest searchRequest, DomainControllerConnection domainControllerConnection, DirectoryServicesSearchOptions options)
at async Task<IReadOnlyCollection<DirectoryServicesSearchResult>> Microsoft.Tri.Sensor.DirectoryServicesClient.SearchAsync(SearchRequest searchRequest, DomainControllerConnection domainControllerConnection, DirectoryServicesSearchOptions options)
at async Task<IReadOnlyCollection<DirectoryServicesSearchResult>> Microsoft.Tri.Sensor.DirectoryServicesClient.SearchObjectsInternalSyncedAsync(DomainControllerConnection domainControllerConnection, DistinguishedName baseDistinguishedName, SearchScope scope, string filter, string[] attributeNames, DirectoryServicesSearchOptions options)
at void Microsoft.Tri.Infrastructure.Syncer<T, TResult>+<>c__DisplayClass1_0+<<RunAsync>g__RunFunctionAsync|0>d.MoveNext()
at async Task<IReadOnlyCollection<DirectoryServicesSearchResult>> Microsoft.Tri.Sensor.DirectoryServicesClient.SearchObjectsInternalAsync(Guid connectionKey, DistinguishedName baseDistinguishedName, SearchScope scope, string filter, string[] attributeNames, DirectoryServicesSearchOptions options)
at async Task<IReadOnlyCollection<DirectoryServicesSearchResult>> Microsoft.Tri.Sensor.DirectoryServicesClient.SearchObjectsAsync(Guid connectionKey, DistinguishedName baseDistinguishedName, SearchScope scope, string filter, string[] attributeNames, DirectoryServicesSearchOptions options)
at async Task<IReadOnlyCollection<DirectoryServicesSearchResult>> Microsoft.Tri.Sensor.DirectoryServicesClient.SearchConfigurationObjectsAsync(Guid connectionKey, SearchScope scope, string filter, string[] attributeNames, DistinguishedName distinguishedNamePrefix, DirectoryServicesSearchOptions options)
at void Microsoft.Tri.Sensor.DirectoryServicesClient+<>c__DisplayClass25_0+<<SearchConfigurationObjectsAsync>b__1>d.MoveNext()
2024-10-02 10:28:19.2491 Error DirectoryServicesClient+<SearchInternalAsync>d__38 RunPeriodic <RegisterPeriodicTask>b__1 failed
Microsoft.Tri.Infrastructure.ExtendedException: LDAP search failed [DomainControllerDnsName=LDA.XXXXX.net IsGlobalCatalog=False DistinguishedName= Scope=Base Filter= AttributeCount=21] ---> System.ObjectDisposedException: Cannot access a disposed object.
Object name: 'LdapConnection'.
at DirectoryResponse System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
at async Task<IReadOnlyCollection<SearchResultEntry>> Microsoft.Tri.Sensor.DirectoryServicesClient.SearchInternalAsync(SearchRequest searchRequest, DomainControllerConnection domainControllerConnection, DirectoryServicesSearchOptions options)
--- End of inner exception stack trace ---
at async Task<IReadOnlyCollection<SearchResultEntry>> Microsoft.Tri.Sensor.DirectoryServicesClient.SearchInternalAsync(SearchRequest searchRequest, DomainControllerConnection domainControllerConnection, DirectoryServicesSearchOptions options)
at async Task<IReadOnlyCollection<DirectoryServicesSearchResult>> Microsoft.Tri.Sensor.DirectoryServicesClient.SearchAsync(SearchRequest searchRequest, DomainControllerConnection domainControllerConnection, DirectoryServicesSearchOptions options)
at async Task<IReadOnlyCollection<DirectoryServicesSearchResult>> Microsoft.Tri.Sensor.DirectoryServicesClient.SearchObjectsInternalSyncedAsync(DomainControllerConnection domainControllerConnection, DistinguishedName baseDistinguishedName, SearchScope scope, string filter, string[] attributeNames, DirectoryServicesSearchOptions options)
at void Microsoft.Tri.Infrastructure.Syncer<T, TResult>+<>c__DisplayClass1_0+<<RunAsync>g__RunFunctionAsync|0>d.MoveNext()
at async Task<IReadOnlyCollection<DirectoryServicesSearchResult>> Microsoft.Tri.Sensor.DirectoryServicesClient.SearchObjectsInternalAsync(Guid connectionKey, DistinguishedName baseDistinguishedName, SearchScope scope, string filter, string[] attributeNames, DirectoryServicesSearchOptions options)
at async Task<IReadOnlyCollection<DirectoryServicesSearchResult>> Microsoft.Tri.Sensor.DirectoryServicesClient.SearchObjectsAsync(Guid connectionKey, DistinguishedName baseDistinguishedName, SearchScope scope, string filter, string[] attributeNames, DirectoryServicesSearchOptions options)
at async Task<DirectoryServicesSearchResult> Microsoft.Tri.Sensor.DirectoryServicesClient.SearchObjectAsync(Guid connectionKey, DistinguishedName baseDistinguishedName, SearchScope scope, string filter, string[] attributeNames, DirectoryServicesSearchOptions options)
at async Task<DomainControllerSyncData> Microsoft.Tri.Sensor.DirectoryServicesResolver.GetDomainControllerSyncDataAsync(Domain domain)
at async Task Microsoft.Tri.Sensor.DirectoryServicesResolver.UpdateDomainControllerIpAddressesAsync()
at async Task Microsoft.Tri.Infrastructure.Module.RunTaskAsync(Func<Task> actionAsync, string name, SimpleTimeMetric timeMetric)
at void Microsoft.Tri.Infrastructure.Module+<>c__DisplayClass28_0+<<RegisterPeriodicTask>b__1>d.MoveNext()
at void Microsoft.Tri.Infrastructure.TaskExtension+<>c__DisplayClass22_0+<<RunPeriodic>b__0>d.MoveNext()
2024-10-02 10:29:28.6751 Error ConcurrentDictionary`2 System.Collections.Generic.KeyNotFoundException: The given key was not present in the dictionary.
at TValue System.Collections.Concurrent.ConcurrentDictionary<TKey, TValue>.get_Item(TKey key)
at void Microsoft.Tri.Sensor.DomainControllerConnectionPool.Return(CacheEntry<Guid, DomainControllerConnection> entry)+(Guid key) => { }
at bool System.Linq.Enumerable+WhereSelectListIterator<TSource, TResult>.MoveNext()
at bool System.Linq.Enumerable+WhereEnumerableIterator<TSource>.MoveNext()
at new System.Collections.Generic.List<T>(IEnumerable<T> collection)
at List<TSource> System.Linq.Enumerable.ToList<TSource>(IEnumerable<TSource> source)
at void Microsoft.Tri.Sensor.DomainControllerConnectionPool.Return(CacheEntry<Guid, DomainControllerConnection> entry)
at async Task<IReadOnlyCollection<DirectoryServicesSearchResult>> Microsoft.Tri.Sensor.DirectoryServicesClient.SearchObjectsInternalAsync(Guid connectionKey, DistinguishedName baseDistinguishedName, SearchScope scope, string filter, string[] attributeNames, DirectoryServicesSearchOptions options)
at async Task<IReadOnlyCollection<DirectoryServicesSearchResult>> Microsoft.Tri.Sensor.DirectoryServicesClient.SearchObjectsAsync(Guid connectionKey, DistinguishedName baseDistinguishedName, SearchScope scope, string filter, string[] attributeNames, DirectoryServicesSearchOptions options)
at async Task<IReadOnlyCollection<DirectoryServicesSearchResult>> Microsoft.Tri.Sensor.DirectoryServicesClient.SearchConfigurationObjectsAsync(Guid connectionKey, SearchScope scope, string filter, string[] attributeNames, DistinguishedName distinguishedNamePrefix, DirectoryServicesSearchOptions options)
at void Microsoft.Tri.Sensor.DirectoryServicesClient+<>c__DisplayClass25_0+<<SearchConfigurationObjectsAsync>b__1>d.MoveNext()
2024-10-02 10:29:52.6869 Error GroupPolicyHelper GetKerberosPolicy failed [domainDnsName=XXXXX.net defaultDomainPolicyIniFilePath=\XXXXX.net\SYSVOL\XXXXX.net\Policies{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf]
2024-10-02 10:30:04.2192 Error GroupPolicyHelper GetKerberosPolicy failed [domainDnsName=XXXXX.net defaultDomainPolicyIniFilePath=\XXXXX.net\SYSVOL\XXXXX.net\Policies{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf]
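Added diagnostic for the situation described in the post above (not code from the original post, from Microsoft, or from the Defender for Identity sensor): a PowerShell script to run elevated on the sensor host that checks the gMSA prerequisites most often behind a sensor that can no longer query LDAP or read the SYSVOL policy template after switching from a service account. The gMSA name `mdiSvc01` and the domain `corp.example` are placeholders; the SID `S-1-5-80-0` is NT SERVICE\ALL SERVICES.

```powershell
# Added example, not from the original post. Run elevated on the sensor host.
param(
    [string]$GmsaName      = 'mdiSvc01',      # placeholder gMSA sAMAccountName (without $)
    [string]$DomainDnsName = 'corp.example'   # placeholder domain DNS name
)
Import-Module ActiveDirectory
$results = [ordered]@{}

# 1. A KDS root key must exist and already be effective, otherwise no host can
#    retrieve the gMSA password. Get-KdsRootKey is available on domain controllers.
$kdsCmd = Get-Command Get-KdsRootKey -ErrorAction SilentlyContinue
$effective = if ($kdsCmd) { Get-KdsRootKey | Where-Object { $_.EffectiveTime -le (Get-Date) } }
$results['KdsRootKeyEffective'] = [bool]$effective

# 2. This host must be listed on the gMSA (directly or via a group) as allowed
#    to retrieve the managed password.
$gmsa = Get-ADServiceAccount -Identity $GmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword
$me   = Get-ADComputer -Identity $env:COMPUTERNAME
$allowed = foreach ($dn in $gmsa.PrincipalsAllowedToRetrieveManagedPassword) {
    $obj = Get-ADObject -Identity $dn -Properties objectClass
    if ($obj.ObjectClass -eq 'group') { (Get-ADGroupMember -Identity $dn -Recursive).DistinguishedName }
    else { $obj.DistinguishedName }
}
$results['HostMayRetrievePassword'] = $allowed -contains $me.DistinguishedName

# 3. The host must actually be able to fetch the password. This stays false until the
#    computer's Kerberos ticket reflects a newly added group membership (a reboot refreshes it).
$results['TestADServiceAccount'] = Test-ADServiceAccount -Identity $GmsaName

# 4. 'Log on as a service' (SeServiceLogonRight) must cover the gMSA on this host,
#    either by its own SID or through NT SERVICE\ALL SERVICES (S-1-5-80-0).
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg /quiet | Out-Null
$right = Select-String -Path $cfg -Pattern '^SeServiceLogonRight' | Select-Object -First 1
$gmsaSid = $gmsa.SID.Value
$results['LogonAsServiceGranted'] = ($null -ne $right) -and (
    $right.Line -match [regex]::Escape("*$gmsaSid") -or $right.Line -match '\*S-1-5-80-0(,|$)')
Remove-Item $cfg -ErrorAction SilentlyContinue

# 5. The sensor log reported GetKerberosPolicy failing on the default domain policy
#    template in SYSVOL; confirm the host can reach that file at all.
$gpt = "\\$DomainDnsName\SYSVOL\$DomainDnsName\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}" +
       "\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
$results['GptTmplReadable'] = Test-Path -LiteralPath $gpt

[pscustomobject]$results | Format-List
```

Any check that reports False points at a prerequisite from the linked gMSA guidance that the sensor host does not meet; step 3 failing while step 2 passes usually means the host has not refreshed its group membership yet.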