MichaelGrafnetter / DSInternals

Directory Services Internals (DSInternals) PowerShell Module and Framework
https://www.dsinternals.com
MIT License

Get-ADReplAccount : Exception has been thrown by the target of an invocation. #152

Closed EricDaou closed 1 year ago

EricDaou commented 1 year ago

I am trying to run Get-AdReplAccount on a Windows 2019 domain controller. It pulls 2 accounts, then crashes with the following error:

"Get-ADReplAccount : Exception has been thrown by the target of an invocation."

FYI, I have applied 95% of the STIG security baseline for Server 2019 found here: https://www.stigviewer.com/stig/microsoft_windows_server_2019/

Could one of those controls have locked something down causing this issue?

MichaelGrafnetter commented 1 year ago

Hi @EricDaou, if it was caused by the STIG, you would not be able to connect at all. Could you please share the stack trace, as described here? https://github.com/MichaelGrafnetter/DSInternals/blob/master/.github/CONTRIBUTING.md#submitting-bug-reports

EricDaou commented 1 year ago

Here is the info you wanted, thanks again

PS C:\Windows\system32> Get-History

Id CommandLine
1 Get-ADReplAccount -All -Server -NamingContext "**"

PS C:\Windows\system32> $Error[0].Exception.Message
Exception has been thrown by the target of an invocation.

PS C:\Windows\system32> $Error[0].Exception.StackTrace
   at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor)
   at System.Reflection.RuntimeConstructorInfo.Invoke(BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
   at System.Security.Cryptography.CryptoConfig.CreateFromName(String name, Object[] args)
   at System.Security.Cryptography.MD5.Create()
   at DSInternals.Common.Cryptography.DirectorySecretDecryptor.ComputeMD5(Byte[] key, Byte[] salt, Int32 saltHashRounds)
   at DSInternals.Replication.ReplicationSecretDecryptor.DecryptSecret(Byte[] blob)
   at DSInternals.Common.Data.DSAccount.LoadHashes(DirectoryObject dsObject, DirectorySecretDecryptor pek)
   at DSInternals.Replication.DirectoryReplicationClient.d__17.MoveNext()
   at DSInternals.PowerShell.Commands.GetADReplAccountCommand.ReturnAllAccounts()
   at System.Management.Automation.CommandProcessor.ProcessRecord()

PS C:\Windows\system32> (Get-Module -Name DSInternals -ListAvailable).Version.ToString()
4.8

PS C:\Windows\system32> (Get-WmiObject -Class Win32_OperatingSystem).Caption
Microsoft Windows Server 2019 Standard

MichaelGrafnetter commented 1 year ago

Ah, OK, so that IS caused by the STIG, although I do not quite understand how 2 accounts could have gone through. Maybe they did not have passwords set. Please have a look at issue #97. The only solution on my side would be to reimplement MD5, which I do not want to do. Or maybe a better error message.

EricDaou commented 1 year ago

Thank you! It was indeed FIPS. Turning it off, it all runs as normal.
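
The condition behind the stack trace in this thread (MD5.Create() failing inside CryptoConfig.CreateFromName on a host with FIPS mode enabled) can be checked before running the cmdlet. The following is an added example, not part of the issue thread or of the DSInternals code base; the function name Test-FipsMd5Availability is hypothetical, and it assumes Windows PowerShell on .NET Framework, the runtime shown in the trace.

```powershell
# Added diagnostic sketch; Test-FipsMd5Availability is a hypothetical helper name.
function Test-FipsMd5Availability {
    [CmdletBinding()]
    param()

    # Machine-wide FIPS switch, set by the security option
    # "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing".
    $policyKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $policyValue = (Get-ItemProperty -Path $policyKey -Name Enabled -ErrorAction SilentlyContinue).Enabled

    $result = [pscustomobject]@{
        FipsPolicyRegistryValue = $policyValue   # 1 = enabled, 0 = disabled, $null = value not readable
        ClrAllowOnlyFips        = [System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms
        Md5Available            = $false
        RootCause               = $null
    }

    try {
        # Same call that fails in the stack trace: MD5.Create() -> CryptoConfig.CreateFromName().
        $md5 = [System.Security.Cryptography.MD5]::Create()
        $md5.Dispose()
        $result.Md5Available = $true
    }
    catch {
        # PowerShell and reflection each wrap the real error; GetBaseException()
        # returns the innermost exception instead of the generic
        # "Exception has been thrown by the target of an invocation."
        $root = $_.Exception.GetBaseException()
        $result.RootCause = '{0}: {1}' -f $root.GetType().FullName, $root.Message
    }

    $result
}

$check = Test-FipsMd5Availability
$check | Format-List

if (-not $check.Md5Available) {
    Write-Warning 'MD5 cannot be instantiated in this session, so Get-ADReplAccount will fail when it decrypts replicated secrets.'
}
```

Run it in the same kind of session the module is loaded into; the registry value and the CLR flag together show whether the block comes from the machine policy or from a per-application setting.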