
xADUser error if personal Client Authentication intent certificate exists #61

Closed · pkathro opened this issue Jan 31, 2016 · 12 comments

Comments

pkathro commented Jan 31, 2016

xADUser fails with the following error if a Personal certificate exists with 'Client Authentication' intent:

```
PowerShell DSC resource MSFT_xADUser  failed to execute Test-TargetResource functionality with error message: Exception calling "ValidateCredentials" with "2" argument(s): "The server cannot handle directory requests."
```

Error occurs in latest dev and master branches.

The certificate is being used to encrypt credentials in a DSC push configuration but even if .mof files are set to contain plain text passwords the error still occurs.
Disabling the certificate in mmc -> Certificates stops error from occurring.

Software versions (identical on both servers):

  • OS Windows Server 2012 R2
  • PSVersion 5.0.10514.6
  • WSManStackVersion 3.0
  • SerializationVersion 1.1.0.1
  • CLRVersion 4.0.30319.42000
  • BuildVersion 10.0.10514.6
  • PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
  • PSRemotingProtocolVersion 2.3

Potential fix

After discovering an article (see below) and a lot of trial and error, I appear to have been able to fix the issue by adding the 3rd optional parameter of ValidateCredentials, set to [DirectoryServices.AccountManagement.ContextOptions]::SimpleBind:

```powershell
$result = $prnContext.ValidateCredentials($UserName, $Password.GetNetworkCredential().Password, [DirectoryServices.AccountManagement.ContextOptions]::SimpleBind)
```

Article: http://forums.asp.net/t/1621077.aspx

@iainbrighton (Contributor)

@DFineNormal Hmmm. I'm not sure we want to default to basic authentication! Is this in the published module or the development release?

Perhaps we can try Kerberos/NTLM and if that fails, fall back to basic? I wouldn't want to trap all exceptions, just the one that throws when personal certificates are used.

If you run the DSC configuration interactively, is the exception message exposed? If so, can you paste the message in here?

pkathro (Author) commented Feb 2, 2016

@iainbrighton If by 'run the DSC configuration interactively' you mean with -Wait then everything that's exposed is already in my initial issue post. Apologies if I misunderstand; I'm brand new to DSC and learning as I go.

I altered the code to output the exception and inner exceptions:

```
ErrorRecord                 : Exception calling "ValidateCredentials" with "3" argument(s): "The server cannot handle 
                              directory requests."
StackTrace                  :    at System.Management.Automation.ExceptionHandlingOps.ConvertToMethodInvocationException
                              (Exception exception, Type typeToThrow, String methodName, Int32 numArgs, MemberInfo 
                              memberInfo)
                                 at CallSite.Target(Closure , CallSite , Object , String , Object , Object )
                                 at System.Dynamic.UpdateDelegates.UpdateAndExecute4[T0,T1,T2,T3,TRet](CallSite site, 
                              T0 arg0, T1 arg1, T2 arg2, T3 arg3)
                                 at System.Management.Automation.Interpreter.DynamicInstruction`5.Run(InterpretedFrame 
                              frame)
                                 at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(Interpr
                              etedFrame frame)
WasThrownFromThrowStatement : False
Message                     : Exception calling "ValidateCredentials" with "3" argument(s): "The server cannot handle 
                              directory requests."
Data                        : {System.Management.Automation.Interpreter.InterpretedFrameInfo}
InnerException              : System.DirectoryServices.Protocols.DirectoryOperationException: The server cannot handle 
                              directory requests.
                                 at System.DirectoryServices.Protocols.ErrorChecking.CheckAndSetLdapError(Int32 error)
                                 at System.DirectoryServices.Protocols.LdapSessionOptions.FastConcurrentBind()
                                 at 
                              System.DirectoryServices.AccountManagement.CredentialValidator.BindLdap(NetworkCredential 
                              creds, ContextOptions contextOptions)
                                 at System.DirectoryServices.AccountManagement.CredentialValidator.Validate(String 
                              userName, String password, ContextOptions connectionMethod)
                                 at 
                              System.DirectoryServices.AccountManagement.PrincipalContext.ValidateCredentials(String 
                              userName, String password, ContextOptions options)
                                 at CallSite.Target(Closure , CallSite , Object , String , Object , Object )
TargetSite                  : Void CheckActionPreference(System.Management.Automation.Language.FunctionContext, 
                              System.Exception)
HelpLink                    : 
Source                      : System.Management.Automation
HResult                     : -2146233087
Response       : 
Message        : The server cannot handle directory requests.
Data           : {}
InnerException : 
TargetSite     : Void CheckAndSetLdapError(Int32)
StackTrace     :    at System.DirectoryServices.Protocols.ErrorChecking.CheckAndSetLdapError(Int32 error)
                    at System.DirectoryServices.Protocols.LdapSessionOptions.FastConcurrentBind()
                    at System.DirectoryServices.AccountManagement.CredentialValidator.BindLdap(NetworkCredential creds, 
                 ContextOptions contextOptions)
                    at System.DirectoryServices.AccountManagement.CredentialValidator.Validate(String userName, String 
                 password, ContextOptions connectionMethod)
                    at System.DirectoryServices.AccountManagement.PrincipalContext.ValidateCredentials(String userName, 
                 String password, ContextOptions options)
                    at CallSite.Target(Closure , CallSite , Object , String , Object , Object )
HelpLink       : 
Source         : System.DirectoryServices.Protocols
HResult        : -2146233088
```

I can confirm that this problem exists in both the published and development releases.

Falling back on simple for cert auth is definitely an option. Another might be to use something similar to this article. I'm no expert but it seems like it might be a possible solution.
http://blog.evanmc.com/?p=9

If there's anything else I can give you to help then please let me know.

@iainbrighton (Contributor)

Thanks @DFineNormal - I'll try and trap the specific error and fallback to Basic with SSL if Negotiate fails. Does that sound like logic that will solve your issue?

pkathro (Author) commented Feb 4, 2016

No problem @iainbrighton.

I'm not sure if Basic with SSL will fix the issue since I don't actually have SSL set up; the certificate is purely being used to encrypt the MOF file credentials at rest, in a DSC Push configuration.

When I tried adding the explicit SSL context option along with Basic into the 3rd ValidateCredentials() param then I get the exact same error. Only Basic without SSL seems to work.

If I have time this evening I'll have a play around with actually setting up an HTTPS Pull configuration and see if the current error persists. It might help narrow down the cause a bit more.

oliveirt (Contributor) commented May 7, 2016

I faced the same issue after a certificate authority was installed in our development environment. Domain Controllers will automatically enrol a Domain Controller certificate when a Microsoft CA is present. I was fortunate enough to find the following post:

http://stackoverflow.com/questions/2538064/active-directory-services-principalcontext-what-is-the-dn-of-a-container-o

This describes how ContextOptions can be passed directly to ValidateCredentials, which appears to resolve the problem.

```powershell
return $principalContext.ValidateCredentials($UserName, $Password.GetNetworkCredential().Password, [System.DirectoryServices.AccountManagement.ContextOptions]::Negotiate);
```
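The two workarounds posted in this thread (the SimpleBind call in the opening post and the Negotiate call just above) differ only in the ContextOptions value handed to ValidateCredentials. The following is an added PowerShell example, not code from the xActiveDirectory module or from any commenter; the function name Test-ADCredential and its parameters are hypothetical. It exposes the same Default/Negotiate choice the merged fix later surfaced as the resource's PasswordAuthentication property, leaves SimpleBind out, and unwraps the DirectoryOperationException seen in the trace so a bind failure is not confused with a wrong password (which ValidateCredentials reports as $false, not an exception).

```powershell
# Added example (hypothetical names), not the module's own code.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-ADCredential {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)] [string] $DomainName,
        [Parameter(Mandatory)] [pscredential] $Credential,
        # 'Default' is the behaviour of the two-argument overload the resource used
        # originally; 'Negotiate' (Kerberos/NTLM) is what this thread settles on.
        # 'SimpleBind' is deliberately not offered: it sends the password in clear
        # text unless combined with SecureSocketLayer.
        [ValidateSet('Default', 'Negotiate')] [string] $PasswordAuthentication = 'Negotiate'
    )

    $contextType = [System.DirectoryServices.AccountManagement.ContextType]::Domain
    $context = New-Object System.DirectoryServices.AccountManagement.PrincipalContext($contextType, $DomainName)
    try {
        # Cast the string choice to the enum so the three-argument overload is used.
        $options = [System.DirectoryServices.AccountManagement.ContextOptions] $PasswordAuthentication
        $plainPassword = $Credential.GetNetworkCredential().Password
        # $true / $false for good / bad credentials; throws only when the bind itself fails.
        return $context.ValidateCredentials($Credential.UserName, $plainPassword, $options)
    }
    catch {
        # PowerShell wraps .NET method exceptions in MethodInvocationException;
        # the LDAP-level detail is in InnerException, as the trace in this thread shows.
        $ex = $_.Exception
        if ($ex -is [System.Management.Automation.MethodInvocationException]) { $ex = $ex.InnerException }
        if ($ex -is [System.DirectoryServices.Protocols.DirectoryOperationException]) {
            throw ("LDAP bind failed with PasswordAuthentication '{0}': {1}" -f $PasswordAuthentication, $ex.Message)
        }
        throw
    }
    finally {
        $context.Dispose()
    }
}

# Usage (constructed values): compare both modes on a DC that has enrolled an ADCS certificate.
# $cred = Get-Credential 'CONTOSO\svc-dsc'
# Test-ADCredential -DomainName 'contoso.example' -Credential $cred -PasswordAuthentication Default
# Test-ADCredential -DomainName 'contoso.example' -Credential $cred -PasswordAuthentication Negotiate
```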

@iainbrighton (Contributor)

@oliveirt @DFineNormal I can accept the 'Negotiate' context if that works? It doesn't mean explicitly dropping the security to 'Simple'.

iainbrighton added a commit to iainbrighton/xActiveDirectory that referenced this issue May 19, 2016
iainbrighton added a commit to iainbrighton/xActiveDirectory that referenced this issue May 23, 2016
… Directory Certificate Services integration

Adds descriptions to parameters
Adds descriptions to MSFT_xADUser.schema.mof
Fixes dsccommunity#61
Sjark commented Jul 5, 2016

What is the status on this?

@iainbrighton (Contributor)

@Sjark There is #97 in the works. I was just waiting for #100 to be merged as that fixed the PSSA v1.6.0 errors that were flagged in the build process.

@theJasonHelmick

Any word if this is in a release? Running into the same issue -- currently using 2.14.0.0....thanks!!!

@iainbrighton (Contributor)

@theJasonHelmick This change was merged in 2.13.0.0? You'll need to set the xADUser's PasswordAuthentication property to Negotiate.

@theJasonHelmick

Thank you!! Sorry for my misunderstanding!!!


GoateePFE (Contributor) commented Mar 26, 2018

I just stumbled onto this in my lab today. Started seeing it when ADCS is added to a DC. The

```powershell
PasswordAuthentication = 'Negotiate'
```

did the trick. Thanks!
