EvotecIT / Testimo

Testimo is a PowerShell module for running health checks for Active Directory against a bunch of different tests
MIT License

Being Prompted When Running Source DomainLDAP #184

Open ShawhanA opened 2 months ago

ShawhanA commented 2 months ago

I am trying to run Invoke-Testimo -Sources DomainLDAP from a Windows 2022 Standard server. We normally use smart cards to connect to servers; however, when I RDP I tried with credentials, but whenever I try to run DomainLDAP in PowerShell I am being prompted for a smart card via Windows Security. If I try this with the same user account on my local Windows 10 laptop, it works without an issue. Has anyone else had this problem?

PrzemyslawKlys commented 2 months ago

That's pretty strange. If you run Test-LDAP -Forest $ForestName -IncludeDomains $Domain -SkipRODC:$SkipRODC -WarningAction SilentlyContinue -VerifyCertificate manually do you get prompted as well?

ShawhanA commented 2 months ago

I tried running a plain Test-LDAP and received a prompt along with running your command above. Running either of those on my local laptop, I receive the output with no prompts. I am wondering if it has something to do with RSAT tools. I have RSAT for Win 10 installed on my laptop, so on the server I did install the RSAT Tools as well (although not every option is checked) under add roles and features.

wbedard commented 1 month ago

I think I encountered a similar issue today. In my case, my Domain Admin account requires smart card for login but I was running Testimo from a Win11 workstation dedicated for DC administration (DomAdmin login only...). I was logged in (using RDP) with my smart card and Testimo was accessing the DCs via Kerberos authentication. However, unless I exclude DomainLDAP and DCLDAP sources, I would get the same prompts for smartcards described by the OP. While I have several smartcards connected to the RDP session, including the one used to login to the Win11 workstation, the prompt indicated that none of them were appropriate for what triggered the prompt.

PrzemyslawKlys commented 1 month ago

OK, I think I know where it's coming from:

https://github.com/EvotecIT/ADEssentials/blob/446c57b0cc55e1c0a2ed3337bf270d13d2b50753/Private/Test-LDAPPorts.ps1#L40-L52

or

https://github.com/EvotecIT/ADEssentials/blob/446c57b0cc55e1c0a2ed3337bf270d13d2b50753/Private/Test-LDAPPorts.ps1#L73-L79

Since you're not providing Credential it would seem that doing [ADSI]($LDAP) causes the issue. I've recently added an option to follow with identity checks but maybe somehow it affects smart card prompts. Maybe you could confirm it with breakpoints?
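As an added diagnostic (not Testimo or ADEssentials code), the script below compares an implicit [ADSI] bind, which authenticates under the caller's logged-on security context, with an explicit DirectoryEntry bind to the same RootDSE, so the code path that raises the smart card prompt can be isolated without stepping through the module with breakpoints. The server name is a placeholder and the port is assumed to be plain LDAP 389.

```powershell
# Added diagnostic, not part of Testimo/ADEssentials. Placeholder DC name; adjust before use.
$Server = 'dc01.example.local'
$Port   = 389   # 389 only: LDAPS (636) needs AuthenticationTypes.SecureSocketsLayer as well

function Test-LdapBind {
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 389,
        [pscredential]$Credential,
        [switch]$UseAdsiAccelerator   # mimic the [ADSI]($LDAP) path with no Credential
    )
    $path = "LDAP://${Server}:${Port}/RootDSE"
    $mode = if ($UseAdsiAccelerator) { 'ADSI accelerator' }
            elseif ($Credential)      { 'Explicit credential' }
            else                      { 'DirectoryEntry, current context' }
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        if ($UseAdsiAccelerator) {
            # Implicit bind: whatever the logged-on token negotiates (Kerberos, NTLM, smart card PIN...)
            $entry = [ADSI]$path
        } elseif ($Credential) {
            # Explicit bind with the supplied credential; Secure = Negotiate with signing/sealing
            $entry = [System.DirectoryServices.DirectoryEntry]::new(
                $path, $Credential.UserName, $Credential.GetNetworkCredential().Password,
                [System.DirectoryServices.AuthenticationTypes]::Secure)
        } else {
            # Same class, still current context: separates accelerator behaviour from the bind itself
            $entry = [System.DirectoryServices.DirectoryEntry]::new($path)
        }
        $entry.RefreshCache()   # forces the actual LDAP bind; any prompt or error surfaces here
        [pscustomobject]@{
            Server = $Server; Port = $Port; Mode = $mode; Status = 'Bound'
            DnsHostName = [string]$entry.Properties['dnsHostName'].Value
            Seconds     = [math]::Round($sw.Elapsed.TotalSeconds, 2)
        }
    } catch {
        [pscustomobject]@{
            Server = $Server; Port = $Port; Mode = $mode
            Status = "Failed: $($_.Exception.Message)"; DnsHostName = $null
            Seconds = [math]::Round($sw.Elapsed.TotalSeconds, 2)
        }
    }
}

# Run each path in turn and watch which one raises the Windows Security prompt
Test-LdapBind -Server $Server -Port $Port -UseAdsiAccelerator
Test-LdapBind -Server $Server -Port $Port
# Test-LdapBind -Server $Server -Port $Port -Credential (Get-Credential)   # explicit-credential comparison
```

If only the accelerator and current-context rows prompt while the explicit-credential row binds cleanly, the prompt comes from the implicit bind rather than from the LDAP port or certificate checks.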

ShawhanA commented 1 month ago

Thanks for looking into this, PrzemyslawKlys. As we mentioned above, even a regular Test-LDAP causes the smart card prompt. I can run that along with Invoke-Testimo with no issues on my local laptop.