xADUser error if personal Client Authentication intent certificate exists #61
Comments
@DFineNormal Hmmm. I'm not sure we want to default to basic authentication! Is this in the published module or the development release? Perhaps we can try Kerberos/NTLM and if that fails, fall back to basic? I wouldn't want to trap all exceptions, just the one that throws when personal certificates are used. If you run the DSC configuration interactively, is the exception message exposed? If so, can you paste the message in here?
@iainbrighton If by 'run the DSC configuration interactively' you mean with -Wait then everything that's exposed is already in my initial issue post. Apologies if I misunderstand; I'm brand new to DSC and learning as I go. I altered the code to output the exception and inner exceptions:
I can confirm that this problem exists in both the published and development releases. Falling back on simple for cert auth is definitely an option. Another might be to use something similar to this article. I'm no expert but it seems like it might be a possible solution. If there's anything else I can give you to help then please let me know.
Thanks @DFineNormal - I'll try and trap the specific error and fallback to Basic with SSL if Negotiate fails. Does that sound like logic that will solve your issue?
No problem @iainbrighton. I'm not sure if Basic with SSL will fix the issue since I don't actually have SSL set up; the certificate is purely being used to encrypt the MOF file credentials at rest, in a DSC Push configuration. When I tried adding the explicit SSL context option along with Basic into the 3rd ValidateCredentials() param then I get the exact same error. Only Basic without SSL seems to work. If I have time this evening I'll have a play around with actually setting up an HTTPS Pull configuration and see if the current error persists. It might help narrow down the cause a bit more.
I faced the same issue after a certificate authority was installed in our development environment. Domain Controllers will automatically enrol a Domain Controller certificate when a Microsoft CA is present. I was fortunate enough to find the following post: This describes how ContextOptions can be passed directly to ValidateCredentials which appears to resolve the problem.
@oliveirt @DFineNormal I can accept the 'Negotiate' context if that works? It doesn't mean explicitly dropping the security to 'Simple'.
… Directory Certificate Services integration Adds descriptions to parameters Adds descriptions to MSFT_xADUser.schema.mof Fixes dsccommunity#61
What is the status on this?
Any word if this is in a release? Running into the same issue -- currently using 2.14.0.0....thanks!!!
@theJasonHelmick This change was merged in 2.13.0.0? You'll need to set the
Thank you!! Sorry for my misunderstanding!!! Jason Helmick
I just stumbled onto this in my lab today. Started seeing it when ADCS is added to a DC. The
did the trick. Thanks!
xADUser fails with the following error if a Personal certificate exists with 'Client Authentication' intent
Error occurs in latest dev and master branches.
The certificate is being used to encrypt credentials in a DSC push configuration but even if .mof files are set to contain plain text passwords the error still occurs.
Disabling the certificate in mmc -> Certificates stops error from occurring.
Software versions are identical on both servers:
Potential fix
After discovering an article (see below) and a lot of trial and error I appear to have been able to fix the issue by adding the 3rd optional parameter of ValidateCredentials set to [DirectoryServices.AccountManagement.ContextOptions]::SimpleBind
Article: http://forums.asp.net/t/1621077.aspx
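The thread settles on passing an explicit ContextOptions value to the three-argument ValidateCredentials overload (SimpleBind in the issue author's workaround, 'Negotiate' in the maintainer's comment). The following PowerShell is an added example written for this page, not code from xActiveDirectory or from anyone in the thread; the function name Test-ADCredential, its parameters and the domain name are assumptions. It defaults to Negotiate, lets the caller opt in to SimpleBind only deliberately, and warns when SimpleBind is requested without SecureSocketLayer, because a simple bind without TLS sends the password to the domain controller in clear text.

```powershell
# Added example: validate an AD credential with an explicit ContextOptions value
# instead of relying on the two-argument ValidateCredentials overload's default.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Test-ADCredential {
    [CmdletBinding()]
    [OutputType([bool])]
    param (
        [Parameter(Mandatory)]
        [string] $DomainName,

        [Parameter(Mandatory)]
        [pscredential] $Credential,

        # Hypothetical parameter name. Negotiate (Kerberos/NTLM) is the safe default;
        # callers must explicitly ask for SimpleBind, and should pair it with
        # SecureSocketLayer when they do.
        [System.DirectoryServices.AccountManagement.ContextOptions]
        $ContextOptions = [System.DirectoryServices.AccountManagement.ContextOptions]::Negotiate
    )

    $simpleBind = [System.DirectoryServices.AccountManagement.ContextOptions]::SimpleBind
    $ssl        = [System.DirectoryServices.AccountManagement.ContextOptions]::SecureSocketLayer

    # ContextOptions is a [Flags] enum, so test membership with -band.
    if ((($ContextOptions -band $simpleBind) -eq $simpleBind) -and
        (($ContextOptions -band $ssl) -ne $ssl)) {
        Write-Warning 'SimpleBind without SecureSocketLayer sends the password in clear text.'
    }

    $context = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext `
        -ArgumentList ([System.DirectoryServices.AccountManagement.ContextType]::Domain), $DomainName
    try {
        $networkCredential = $Credential.GetNetworkCredential()
        # Three-argument overload: ValidateCredentials(userName, password, options).
        return $context.ValidateCredentials(
            $networkCredential.UserName,
            $networkCredential.Password,
            $ContextOptions
        )
    }
    finally {
        $context.Dispose()
    }
}

# Usage (domain name and credential are placeholders):
# $cred = Get-Credential
# Test-ADCredential -DomainName 'corp.example.com' -Credential $cred
# Test-ADCredential -DomainName 'corp.example.com' -Credential $cred `
#     -ContextOptions ([System.DirectoryServices.AccountManagement.ContextOptions]'SimpleBind, SecureSocketLayer')
```

ValidateCredentials returns $false for a bad password rather than throwing, so a caller can branch on the boolean; exceptions from the call itself (such as the one this issue reports when the default options are used alongside a Client Authentication certificate) still propagate, which is what lets a resource trap that specific failure instead of every error.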