I get the following error when I try to install a Light Gateway on a new Domain Controller:

```
[11B4:0ACC][2018-11-26T11:47:17]i000: 2018-11-26 11:47:17.0800 4532 5 Debug [DeploymentModel] [DeploymentAction=Install]
[11B4:0ACC][2018-11-26T11:47:17]i000: 2018-11-26 11:47:17.2377 4532 5 Debug [DeploymentModel] [IsAfterRestartAndConfigured=False]
[11B4:0F30][2018-11-26T11:49:02]i000: 2018-11-26 11:49:02.5491 4532 11 Error [TaskAwaiter] System.Threading.Tasks.TaskCanceledException: A task was canceled.
at async Microsoft.Tri.Infrastructure.Extensions.HttpClientExtension.GetAsync[](?)
at async Microsoft.Tri.Common.Management.ManagementClient.<>c__DisplayClass9_0.<GetStatusAsync>b__0(?)
at async Microsoft.Tri.Infrastructure.Extensions.HttpClientExtension.RequestAsync[](?)
at async Microsoft.Tri.Common.Management.ManagementClient.GetStatusAsync(?)
[11B4:0F30][2018-11-26T11:49:02]i000: 2018-11-26 11:49:02.5491 4532 11 Error [DeploymentModel] Failed management authentication [CurrentlyLoggedOnUser=mydomain\myuseridStatus=Failed Exception=System.Threading.Tasks.TaskCanceledException: A task was canceled.
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Tri.Infrastructure.Extensions.HttpClientExtension.<GetAsync>d__0`1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Tri.Common.Management.ManagementClient.<>c__DisplayClass9_0.<<GetStatusAsync>b__0>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Tri.Infrastructure.Extensions.HttpClientExtension.<RequestAsync>d__4`1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Tri.Common.Management.ManagementClient.<GetStatusAsync>d__9.MoveNext()]
[11B4:0ACC][2018-11-26T11:49:02]i000: 2018-11-26 11:49:02.5491 4532 5 Debug [GatewayBootstrapperApplication] Engine.Quit [deploymentResultStatus=1602 isRestartRequired=False]
[11B4:16F4][2018-11-26T11:49:02]i500: Shutting down, exit code: 0x642
```

My setup is:

  1. Center server (v1.9.7312.32791) configured using 3rd Party certificate
  2. 2x Domain Controllers
  3. Group Policy containing the 3rd Party certificate public key + certificate chain, attached to the Domain Controllers

I had 2 Domain Controllers with the LGateway on for a year, and I've recently replaced one of the DCs with a new one. On the new one, I can't get the LGateway install to complete; I get the above error. They are both in the standard "Domain Controllers" OU, and have the same GPOs applied. The DCs have persisted through a few Center upgrades a few months ago from v1.8 to the latest v1.9.

I can reach the Center console from my new DC, and I can see all the config and timeline etc. To run the LGateway install, I have some PowerShell that downloads it straight from the Center server to ensure I always get the latest version:

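```powershell
# $app_url (Center host name) and $destfile (local path for the zip) are assumed to be set earlier
$dlfile = "https://${app_url}/api/management/softwareUpdates/gateways/deploymentPackage"
# Prompt for the password of the logged-on user
$creds = Get-Credential -Credential $env:USERNAME
$wc = New-Object System.Net.WebClient
$wc.Credentials = New-Object System.Net.NetworkCredential($env:USERNAME, $creds.Password)
$wc.DownloadFile($dlfile, $destfile)
# Clear the "downloaded from the Internet" mark on the package
Unblock-File -Path $destfile
```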

This downloads the Gateway Setup zip file just fine, proving connectivity. My domain admin user ID is in the "Microsoft Advanced Threat Analytics Administrators" group on the Center server, and this is the same ID that I'm logged onto the DC with. If I don't provide credentials, I get an HTTP 401 as expected.

If I remove the GPO containing the 3rd Party cert from the new DC, I get the "Failed to validate certificate" error in the install log (and it lists my Center cert details).

I've checked the Troubleshooting page and that indicates that the ATA Lightweight Gateway could not successfully authenticate against the ATA Center, but there's no advice for what to do if you can access the Center console from the DC you're installing on. My existing DC is working perfectly with the Center server and is listed in the "Gateways" page as it has always been. I've checked the 3rd Party certificate installed in the GPO and the thumbprint, and the thumbprints in all the chain, match between the Center server, the working DC, and the non-working DC.

I'm wondering if the working DC has some remnants of the previous Gateway config installed which is causing it to work, because I know the cert requirements and processes have changed from our initial install of 1.7 last year to the current install. It might be that just installing the public Center cert + chain isn't enough?

What else can I check?
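
An added example, not part of the original post or of the ATA product: a way to script the thumbprint comparison described above by capturing the certificate the Center presents and building its chain against the local certificate stores of the machine it runs on. The host name is a placeholder, port 443 is assumed from the https URL in the post, and the function names are hypothetical.

```powershell
# Added example. $CenterHost is a placeholder; port 443 is assumed from the https URL.
$CenterHost = 'atacenter.example.com'
$Port       = 443

function Get-PresentedCertificate {
    param([string]$HostName, [int]$Port)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever is presented: this step only captures the certificate,
        # it is validated separately in Test-CertificateChain.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $false)
        $type = 'System.Security.Cryptography.X509Certificates.X509Certificate2'
        New-Object $type -ArgumentList $ssl.RemoteCertificate
    } finally {
        $tcp.Close()
    }
}

function Test-CertificateChain {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Check revocation for the whole chain so that an untrusted root, a missing
    # intermediate or an unreachable CRL/OCSP endpoint shows up as a status flag.
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $valid = $chain.Build($Certificate)
    Write-Host "Chain valid on ${env:COMPUTERNAME}: $valid"
    foreach ($e in $chain.ChainElements) {
        [pscustomobject]@{
            Subject    = $e.Certificate.Subject
            Thumbprint = $e.Certificate.Thumbprint
            NotAfter   = $e.Certificate.NotAfter
            Status     = ($e.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
        }
    }
}

$cert = Get-PresentedCertificate -HostName $CenterHost -Port $Port
Test-CertificateChain -Certificate $cert | Format-List
```

Running it on both the working DC and the new DC and comparing the two outputs shows whether the chains differ in any element or status flag.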
