Tuesday, 7 August 2018

Errors reinstalling MS Advanced Threat Analytics

When our MS ATA server was set up, we had to choose a certificate for the encrypted communications between the domain controllers and the ATA server. We picked the default computer certificate issued by our internal PKI, which was valid for another year.

What we forgot was that this certificate expires and renews itself. The error would have been recoverable had it been noticed before the server was rebooted, but it wasn't. Because the old certificate was gone, we couldn't start the ATA services and the domain controllers were no longer talking to the ATA server. We rebuilt the ATA server and tried to reinstall the agents on the DCs. Perhaps there is an easier way....

This is where the problems started on our Server Core DCs. Sometimes the agent would uninstall and sometimes not, and it would not upgrade.

So, in the order I tried them, the ways to remove the agent:

With the new agent install executable in the current directory, try
"Microsoft ATA Gateway Setup.exe" /quiet /uninstall
If that doesn't work, start PowerShell and use WMI:
$app = Get-WmiObject -Class Win32_Product -Filter "Name = 'Microsoft Advanced Threat Analytics Gateway'"
$app.uninstall()

If it's still installed, there is a log file (Microsoft Advanced Threat Analytics Gateway_yyyymmddtime.log) for each installation attempt of the agent in your %temp% (or one directory up, like C:\Users\al\AppData\Local\Temp) that makes for some reading, like:

.....
[0410:0C24][2018-08-07T14:10:58]i000: 2018-08-07 02:10:58.6626 1040 5   Debug [DeploymentModel] [DeploymentAction=Upgrade]
[0410:0C24][2018-08-07T14:10:59]i000: 2018-08-07 02:10:59.1313 1040 5   Error [GatewayBootstrapperApplication] Failed to create deployment manager [exception=System.ArgumentNullException: Value cannot be null.
Parameter name: path1
   at System.IO.Path.Combine(String path1, String path2)
   at Microsoft.Tri.Gateway.Deployment.Bundle.UI.Application.GatewayUpgradeDeploymentConfiguration.GetMandatoryConfiguration(String installationPath)
   at Microsoft.Tri.Gateway.Deployment.Bundle.UI.Application.GatewayUpgradeDeploymentConfiguration..ctor(Engine engine, String installationPath)
   at Microsoft.Tri.Gateway.Deployment.Bundle.UI.Application.GatewayDeploymentModel.CreateDeploymentConfiguration(Engine engine)
   at Microsoft.Tri.Deployment.Bundle.UI.Application.DeploymentModel..ctor(BootstrapperApplication bootstrapperApplication, ProductComponent productComponent, String productFullShortName, String productFullLongName, String productFullLongDisplayName)
   at Microsoft.Tri.Gateway.Deployment.Bundle.UI.Application.GatewayDeploymentModel..ctor(BootstrapperApplication bootstrapperApplication)
   at Microsoft.Tri.Gateway.Deployment.Bundle.UI.Application.GatewayBootstrapperApplication.CreateDeploymentModel()
   at Microsoft.Tri.Deployment.Bundle.UI.Application.BootstrapperApplication`1.Run()]
.....

This one was fixed by going to "C:\ProgramData\Package Cache" and searching for *.exe (dir *.exe /s). You'll see some GUIDs and file names like "Microsoft ATA Gateway Setup.exe"; then run the uninstall command with the path including the GUID:
"C:\ProgramData\Package Cache\{GUID}\Microsoft ATA Gateway Setup.exe" /uninstall
Repeat for each version of that EXE you find under that directory. That should do it.

Finally, delete the contents of "C:\Program Files\Microsoft Advanced Threat Analytics\Gateway", then remove the "Gateway" and "Microsoft Advanced Threat Analytics" directories; otherwise you get errors in that log like:

[13BC:1244][2018-08-07T14:15:33]i000: 2018-08-07 02:15:33.5655 5052 5   Debug [DeploymentModel] [DeploymentAction=Install]
[13BC:1244][2018-08-07T14:15:33]i000: 2018-08-07 02:15:33.8155 5052 5   Debug [DeploymentModel] [IsAfterRestartAndConfigured=False]
[13BC:1244][2018-08-07T14:15:37]i000: 2018-08-07 02:15:37.1749 5052 5   Error [DeploymentManager] InstallationPath is invalid [directoryState=NotEmpty]
[13BC:1244][2018-08-07T14:15:37]i000: 2018-08-07 02:15:37.1905 5052 5   Debug [GatewayBootstrapperApplication] Engine.Quit [deploymentResultStatus=1602 isRestartRequired=False]

You are then free to reinstall the agent with:
"Microsoft ATA Gateway Setup.exe" /quiet NetFrameworkCommandLineArguments="/q"
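As an added example that is not part of the original post, here is the whole cleanup and reinstall sequence above as one PowerShell script. It assumes it is run elevated on the DC with the new installer in the current directory; the product name and paths are the ones quoted in the post, and the registry Uninstall keys are checked instead of Win32_Product to avoid that class's MSI consistency-check side effect.

```powershell
# Added example (not from the original post): the cleanup and reinstall sequence above as one script.
# Assumptions: run elevated on the DC, with the new installer in the current directory.
$cache   = 'C:\ProgramData\Package Cache'
$setup   = 'Microsoft ATA Gateway Setup.exe'
$gateway = 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway'
$product = 'Microsoft Advanced Threat Analytics Gateway'

# 1. Run /uninstall from every cached copy of the bundle (one per {GUID} folder, i.e. per version).
Get-ChildItem -Path $cache -Filter $setup -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        Write-Host "Uninstalling via $($_.FullName)"
        $p = Start-Process -FilePath $_.FullName -ArgumentList '/quiet', '/uninstall' -Wait -PassThru
        Write-Host "  exit code $($p.ExitCode)"   # non-zero: read the newest log in %temp%
    }

# 2. Check whether the product is still registered. The Uninstall registry keys are used
#    instead of Win32_Product, because querying that class triggers an MSI consistency check
#    (and possible repair) of every installed product.
$keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$left = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -eq $product }
if ($left) {
    Write-Warning "$product is still registered: $($left.UninstallString)"
}

# 3. Remove the Gateway tree and its (now empty) parent, otherwise the installer stops with
#    "InstallationPath is invalid [directoryState=NotEmpty]".
if (Test-Path $gateway) {
    Remove-Item -Path $gateway -Recurse -Force
}
$parent = Split-Path -Path $gateway -Parent
if ((Test-Path $parent) -and -not (Get-ChildItem -Path $parent -Force)) {
    Remove-Item -Path $parent -Force
}

# 4. Reinstall silently from the new installer in the current directory.
$installer = Join-Path -Path (Get-Location).Path -ChildPath $setup
$p = Start-Process -FilePath $installer -ArgumentList '/quiet', 'NetFrameworkCommandLineArguments="/q"' -Wait -PassThru
Write-Host "Install exit code $($p.ExitCode)"
```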

Thursday, 22 February 2018

Error 2150858882 with Event Log Forwarding

After setting up a GPO for the event log forwarding service to use https instead of http to talk to our collector, with the recommended settings of Server, Refresh and IssuerCA, I kept getting this 105 error in the Eventlog-ForwardingPlugin log on my workstations:

The forwarder is having a problem communicating with subscription manager at address https://mycollector.alsheppard.com:5986/wsman/SubscriptionManager/WEC.  Error code is 2150858882 and Error Message is .
That's it, no error message. Frustrating. However, removing the IssuerCA value and leaving only the Server and Refresh values in the GPO's SubscriptionManager line seems to have resulted in a happy event forwarding service.

I would also check that Kerberos is set up on the listening server, or at least that the SPN exists.
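An added check script (not part of the original post) for the forwarding problem above: it reads the workstation's SubscriptionManager policy entries, flags any entry that still carries IssuerCA, and pulls the error code out of the most recent event 105 entries in the ForwardingPlugin log. The registry path and log name are the standard ones; the "Server=...,Refresh=...,IssuerCA=..." layout of each policy value is assumed.

```powershell
# Added example (not from the original post): inspect the forwarder's policy and recent
# plugin errors on a workstation. Registry path and log name are the standard ones; the
# "Server=...,Refresh=...,IssuerCA=..." layout of each policy value is assumed.
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'

function Get-SubscriptionManagerSettings {
    # Each numbered value under the key is one comma-separated subscription manager string.
    $item = Get-ItemProperty -Path $policy -ErrorAction SilentlyContinue
    if (-not $item) { return @() }
    foreach ($name in ($item.PSObject.Properties.Name | Where-Object { $_ -match '^\d+$' })) {
        $parts = @{}
        foreach ($kv in ($item.$name -split ',')) {
            $k, $v = $kv -split '=', 2
            if ($null -ne $v) { $parts[$k.Trim()] = $v.Trim() }
        }
        [pscustomobject]@{
            Entry    = $name
            Server   = $parts['Server']
            Refresh  = $parts['Refresh']
            IssuerCA = $parts['IssuerCA']
        }
    }
}

foreach ($s in Get-SubscriptionManagerSettings) {
    "Entry $($s.Entry): Server=$($s.Server) Refresh=$($s.Refresh)"
    if ($s.IssuerCA) {
        # The post's fix was to drop this value and keep only Server and Refresh.
        Write-Warning "Entry $($s.Entry) also sets IssuerCA=$($s.IssuerCA)"
    }
}

# Event 105 in the ForwardingPlugin log is the "problem communicating with subscription
# manager" entry; pull the error code out of the last few so the failures can be compared.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Eventlog-ForwardingPlugin/Operational'; Id = 105
} -MaxEvents 5 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $code = if ($_.Message -match 'Error code is (\d+)') { $Matches[1] } else { 'n/a' }
        '{0}  error {1}  {2}' -f $_.TimeCreated, $code, ($_.Message -split "`n")[0]
    }
```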