
Defender For Identity Sensor Service Fails To Start on AD FS – Sequence Contains No Elements

After installing Defender for Identity sensor onto AD FS, you may experience an issue where the service does not enter the running state.

In the Microsoft Defender for Identity portal the sensor is reported as “Not Configured”.

Lab Starting Reference Point

Since the AD FS sensor is new (January 2021), you initially installed sensors onto all of your AD Domain Controllers.

The below indicates that all of the sensors installed to the DCs are healthy and running.

Defender for Identity Shows all Domain Controller Sensors As Healthy

Installing Sensor Onto First AD FS Server

Then we install the sensor onto the first AD FS server. The install completes with no issues as we met all of the prerequisites (they were done in a prior change window to enable AD FS auditing).

Once the AD FS sensor contacts Defender, the picture is less rosy. Note that the status is stuck at “starting” and it is marked as “Not Configured”.

Defender for Identity AD FS Sensor Not Configured

What the AD FS Server Saw

Locally on the AD FS server, the Azure Advanced Threat Protection Sensor Service is stuck in a starting status.

Defender For Identity Sensor on AD FS Azure Advanced Threat Protection Sensor Service Stuck In Starting Status

Eventually the service terminates.

In the Windows System Event Log, you will note that the service fails to start and is being constantly restarted. This is the generic EventID 7031 from Service Control Manager.

The Azure Advanced Threat Protection Sensor service terminated unexpectedly. It has done this 13 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.

Even after rebooting the server, the service fails to start.

Defender For Identity Error Log

You look in the sensor’s local log file on the AD FS server

%programfiles%\Azure Advanced Threat Protection Sensor\<version>\Logs\

The following is logged multiple times:

2021-02-09 00:39:47.6405 Error Enumerable System.InvalidOperationException: Sequence contains no elements
at TSource System.Linq.Enumerable.First<TSource>(IEnumerable<TSource> source)
at void Microsoft.Tri.Sensor.DomainNetworkCredentialsManager.UpdateConfigurations(ConfigurationCollection configurations)
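To confirm the three symptoms above (service not running, repeated EventID 7031 restarts, and the exception in the sensor log) from a PowerShell prompt on the AD FS server, the following added script can be run. It is not a script from the original post or from Microsoft; it assumes the service is located by the display name shown in services.msc, that the sensor writes *.log files under the per-version Logs folder named above, and that the 7031 events come from the Service Control Manager provider.

```powershell
# Added diagnostic script (not from the original post). Assumptions: the service is
# identified by its display name as shown in services.msc, the sensor writes *.log
# files under the per-version Logs folder named in the post, and the System log
# restart entries come from the Service Control Manager provider (EventID 7031).

$displayName = 'Azure Advanced Threat Protection Sensor'

# 1. Current state of the sensor service (a healthy sensor reports 'Running').
$svc = Get-Service -DisplayName $displayName -ErrorAction Stop
"Service '{0}' is {1}" -f $svc.DisplayName, $svc.Status

# 2. Unexpected terminations recorded by the Service Control Manager in the last day.
$since = (Get-Date).AddDays(-1)
$crashes = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7031
        StartTime    = $since
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$displayName*" }
"EventID 7031 restarts of the sensor since {0}: {1}" -f $since, @($crashes).Count
$crashes | Select-Object -First 3 TimeCreated, Message | Format-List

# 3. Scan the most recently written versioned folder's Logs directory for the exception.
#    The <version> folder name is not known in advance, so pick the newest folder.
$sensorRoot = Join-Path $env:ProgramFiles 'Azure Advanced Threat Protection Sensor'
$latestVersionDir = Get-ChildItem -Path $sensorRoot -Directory -ErrorAction Stop |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 1
$logsDir = Join-Path $latestVersionDir.FullName 'Logs'

$hits = Get-ChildItem -Path $logsDir -Filter *.log -Recurse -ErrorAction SilentlyContinue |
    Select-String -Pattern 'Sequence contains no elements',
                           'DomainNetworkCredentialsManager.UpdateConfigurations'
if ($hits) {
    "Found {0} matching log line(s) in {1}." -f @($hits).Count, $logsDir
    'This matches the symptom of an AD FS sensor with no domain controllers configured in the portal.'
    $hits | Select-Object -First 3 Path, LineNumber, Line | Format-List
} else {
    "No matching exception found under $logsDir."
}
```

Run it from an elevated prompt, since reading the System log and the sensor's log folder under Program Files typically requires administrator rights. If step 3 reports matches while step 1 shows the service looping through StartPending, the Resolution section below applies.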

The “contains no elements” error is cryptic, but the answer is actually in the second image in this post.

Resolution

Note that in the below copy of the image from above a couple of sections have been highlighted. Of note, the Domain Controller element is empty. It has no elements…

Holy Empty Element Batman!

If we click on the AD FS server’s entry, the below window pops up.  This allows us to configure the DCs.

Adding Domain Controllers to the AD FS Sensor Configuration

We add the relevant DCs to the configuration, then click save.

Adding Domain Controllers to the AD FS Sensor Configuration

After a couple of minutes, the sensor will update its configuration, and the service will start and be reported as healthy.

Defender For Identity Sensor Now Healthy on AD FS

Now you can install sensors onto the other AD FS servers and get the job done!

Cheers,

Rhoderick

Rhoderick Milne [MSFT]
