Unable to login with certain accounts
dbaars opened this issue · 4 comments
Describe the bug
Unable to log in with certain accounts. On the user side (i.e. web login) they just get re-prompted for authentication details (user/pass). In Lithnet Access Manager Service Configuration > Authorization rules > Computers, if I use the "Effective access" button to test the user account, I receive an error.
- The account is a member of the group given access control to the OU where the computer object is
- The account is a member of the group under App Configuration / User authentication / Sign-in restrictions
- The user and computer accounts are in the same directory
To Reproduce
Steps to reproduce the behavior:
Lithnet Access Manager configuration error:
- Go to: Lithnet Access Manager Service Configuration > Authorization rules > Computers
- Click on: Effective Access
- Enter username/computer
- Click Evaluate access
- See error
In access-manager-service log I see
2023-09-26 12:39:38.2680|TRACE|4612||||Lithnet.AccessManager.Server.Providers.UserSearchResultProvider|Found user key in cache
2023-09-26 12:39:38.2680|TRACE|4612||||Lithnet.AccessManager.Server.Providers.ComputerSearchResultProvider|Found computer key in cache
2023-09-26 12:39:38.2680|TRACE|4612||||Lithnet.AccessManager.Server.Authorization.ComputerTargetProviderAd|Matched NIWA\NIWA-1012909$ to target OU OU=Clients,OU=Computer Accounts,DC=niwa,DC=local
2023-09-26 12:39:38.2680|TRACE|4612||||Lithnet.AccessManager.Server.Authorization.AuthorizationContextProvider|Attempting to create S4U AuthorizationContext against server <localhost> in domain niwa.local for user NIWA\t2baarsd
2023-09-26 12:39:38.2847| WARN|4612||||Lithnet.AccessManager.Server.Authorization.AuthorizationContextProvider|Unable to establish authorization context for user NIWA\t2baarsd against an appropriate target server. The authorization context will be built locally, but information about membership in domain local groups in the target domain may missed
User login:
- Browse to the lithnet access manager URL
- Prompted for user/pass
- User is re-prompted again and again. No error on screen
- If the user hits cancel on the login, they receive a 401 Unauthorized error.
In access-manager-ui log file
2023-09-26 12:39:38.3000|ERROR|Lithnet.AccessManager.Server.UI.EffectiveAccessViewModel|Unable to calculate effective permissions
StreamJsonRpc.RemoteInvocationException: AuthzInitializeContextFromSid failed
---> Lithnet.Security.Authorization.AuthorizationContextException: AuthzInitializeContextFromSid failed
---> System.ComponentModel.Win32Exception (5): Access is denied.
--- End of inner exception stack trace ---
at Lithnet.Security.Authorization.AuthorizationContext.InitializeAuthorizationContextFromSid(SafeAuthzResourceManagerHandle authzRm, SecurityIdentifier sid, AuthzInitFlags flags)
at Lithnet.Security.Authorization.AuthorizationContext..ctor(SecurityIdentifier principal, String server, Boolean allowLocalFallback, AuthzInitFlags flags)
at Lithnet.Security.Authorization.AuthorizationContext..ctor(SecurityIdentifier principal)
at Lithnet.AccessManager.Server.Authorization.AuthorizationContextProvider.GetAuthorizationContext(IActiveDirectoryUser user, AuthorizationContextDomainDetails domainDetails, Boolean allowLocalFallback) in D:\a\1\s\src\Lithnet.AccessManager\Lithnet.AccessManager.Server\Authorization\Shared\AuthorizationContextProvider.cs:line 66
at Lithnet.AccessManager.Server.Authorization.ComputerAuthorizationInformationBuilder.BuildAuthorizationInformationAsync(IActiveDirectoryUser user, IComputer computer, IList`1 matchedComputerTargets) in D:\a\1\s\src\Lithnet.AccessManager\Lithnet.AccessManager.Server\Authorization\Computers\ComputerAuthorizationInformationBuilder.cs:line 109
at Lithnet.AccessManager.Server.Providers.EffectiveAccessProvider.GetEffectiveAccessAsync(String computerKey, String userKey, IEnumerable`1 targets) in D:\a\1\s\src\Lithnet.AccessManager\Lithnet.AccessManager.Server\Providers\EffectiveAccessProvider.cs:line 43
--- End of inner exception stack trace ---
at StreamJsonRpc.JsonRpc.InvokeCoreAsync[TResult](RequestId id, String targetName, IReadOnlyList`1 arguments, IReadOnlyList`1 positionalArgumentDeclaredTypes, IReadOnlyDictionary`2 namedArgumentDeclaredTypes, CancellationToken cancellationToken, Boolean isParameterObject)
at Lithnet.AccessManager.Server.Rpc.RpcEffectiveAccessProvider.GetEffectiveAccessAsync(String computerKey, String userKey, IEnumerable`1 targets) in D:\a\1\s\src\Lithnet.AccessManager\Lithnet.AccessManager.Rpc.Client\ProviderImplementations\RpcEffectiveAccessProvider.cs:line 28
at Lithnet.AccessManager.Server.UI.EffectiveAccessViewModel.CalculateEffectiveAccess() in D:\a\1\s\src\Lithnet.AccessManager\Lithnet.AccessManager.Server.UI\ViewModels\WindowContent\EffectiveAccessViewModel.cs:line 172
RPC server exception:
Lithnet.Security.Authorization.AuthorizationContextException: AuthzInitializeContextFromSid failed
---> System.ComponentModel.Win32Exception: Access is denied.
--- End of inner exception stack trace ---
at Lithnet.Security.Authorization.AuthorizationContext.InitializeAuthorizationContextFromSid(SafeAuthzResourceManagerHandle authzRm, SecurityIdentifier sid, AuthzInitFlags flags)
at Lithnet.Security.Authorization.AuthorizationContext..ctor(SecurityIdentifier principal, String server, Boolean allowLocalFallback, AuthzInitFlags flags)
at Lithnet.Security.Authorization.AuthorizationContext..ctor(SecurityIdentifier principal)
at Lithnet.AccessManager.Server.Authorization.AuthorizationContextProvider.GetAuthorizationContext(IActiveDirectoryUser user, AuthorizationContextDomainDetails domainDetails, Boolean allowLocalFallback) in D:\a\1\s\src\Lithnet.AccessManager\Lithnet.AccessManager.Server\Authorization\Shared\AuthorizationContextProvider.cs:line 66
at Lithnet.AccessManager.Server.Authorization.ComputerAuthorizationInformationBuilder.BuildAuthorizationInformationAsync(IActiveDirectoryUser user, IComputer computer, IList`1 matchedComputerTargets) in D:\a\1\s\src\Lithnet.AccessManager\Lithnet.AccessManager.Server\Authorization\Computers\ComputerAuthorizationInformationBuilder.cs:line 109
at Lithnet.AccessManager.Server.Providers.EffectiveAccessProvider.GetEffectiveAccessAsync(String computerKey, String userKey, IEnumerable`1 targets) in D:\a\1\s\src\Lithnet.AccessManager\Lithnet.AccessManager.Server\Providers\EffectiveAccessProvider.cs:line 43
Expected behavior
Account can log in and view LAPS passwords
Effective access check returns a result
Access Manager installation
- OS: Windows Server
- Version: 2022 21H2
Logs
See above
Are the users who can log in vs not in different domains?
Have you added the AMS service account to the groups as specified in our install guide?
Thanks for confirming, Dylan.
This is most likely that the default permissions have been changed on the objects in those OUs. Try adding the AMS service account with permissions to read all user and group objects in the OU that is not working, and see if that resolves the issue.
Morning Ryan,
Well, after a lot of testing I tracked it down to one group (the "role" group) being in some odd state. I didn't really investigate security permissions on it; once I had narrowed it down to that group I deleted and re-created it, and now everything is working. Thanks for your help!
Dylan
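Added diagnostic for the two causes discussed in this thread: the AMS service account being unable to read the user's group objects (Ryan's suggestion), and a group object in a broken state (Dylan's finding). This is an editorial example, not code from the issue or from Lithnet Access Manager. It reproduces the S4U step the log shows AMS attempting, then checks each group SID in the resulting token. The service account name, the OU distinguished name and the UPN are assumptions for illustration; run it on a domain-joined machine with the RSAT ActiveDirectory module, in a session running as the AMS service account.

```powershell
# Editorial example, not part of the issue or of Lithnet Access Manager.
# Assumed names (replace with your own): service account, user UPN, target OU.
Import-Module ActiveDirectory

$UserUpn        = 't2baarsd@niwa.local'          # user from the issue
$ServiceAccount = 'NIWA\svc-ams'                 # assumed AMS service account
$TargetOu       = 'OU=Users,DC=niwa,DC=local'    # assumed OU holding the users and groups
$GrantRead      = $false                         # set to $true to apply the ACL fix in step 4

# 1. Reproduce the S4U step AMS performs. The WindowsIdentity(string) constructor
#    requests an S4U2Self token for the UPN from a DC. Run this as the AMS service
#    account (for example in a `runas /user:NIWA\svc-ams powershell` session).
try {
    $identity = New-Object System.Security.Principal.WindowsIdentity($UserUpn)
    "S4U logon for $UserUpn succeeded; token carries $($identity.Groups.Count) group SIDs"
} catch {
    "S4U logon for $UserUpn failed: $($_.Exception.Message)"
    return
}

# 2. Every group SID in the token should translate to a name. A group object in a
#    damaged state, or one the caller cannot see, shows up here as an unresolved SID.
$unresolved = foreach ($sid in $identity.Groups) {
    try   { $null = $sid.Translate([System.Security.Principal.NTAccount]) }
    catch { $sid.Value }
}
if ($unresolved) { "SIDs that do not resolve to a name: $($unresolved -join ', ')" }

# 3. Check which domain group objects the service account can actually read.
#    Well-known SIDs (Authenticated Users, Everyone, ...) are not AD objects, so only
#    SIDs under the domain's own SID are tested. If a group's ACL no longer grants read
#    to the service account (directly or via Authenticated Users), Get-ADGroup fails.
$domainSid = (Get-ADDomain).DomainSID.Value
$cred      = Get-Credential -UserName $ServiceAccount -Message 'AMS service account password'
$unreadable = foreach ($sid in $identity.Groups) {
    if ($sid.Value -notlike "$domainSid-*") { continue }
    try   { $null = Get-ADGroup -Identity $sid.Value -Credential $cred -ErrorAction Stop }
    catch { $sid.Value }
}
if ($unreadable) {
    "Group objects $ServiceAccount cannot read: $($unreadable -join ', ')"
} else {
    "$ServiceAccount can read every domain group in the token"
}

# 4. Optional fix along the lines suggested in the thread: grant the service account
#    generic read on the OU and everything beneath it, so user and group objects there
#    are visible to it regardless of what happened to the default ACEs.
if ($GrantRead) {
    $svcSid = (New-Object System.Security.Principal.NTAccount($ServiceAccount)).Translate(
                  [System.Security.Principal.SecurityIdentifier])
    $acl  = Get-Acl -Path "AD:\$TargetOu"
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                $svcSid,
                [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
                [System.Security.AccessControl.AccessControlType]::Allow,
                [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$TargetOu" -AclObject $acl
    "Granted GenericRead on $TargetOu (inherited) to $ServiceAccount"
}
```

Step 2 is the check that would have pointed at the "role" group in this thread: a SID that the token carries but that no longer resolves cleanly is the group to inspect, repair or recreate. Step 3 distinguishes that case from a plain permissions problem, which is what step 4 addresses; leave $GrantRead at $false until the output shows which groups are actually unreadable.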