Closed bencoremans closed 1 year ago
I need to check this.
What I notice is that the Path parameter is not filled. Could that be the problem?
That's expected. Path is used for the applicable PS drive provider. There is no applicable PS drive provider for certificate templates and it is expected to be empty.
I've tried to repro the issue and the function seems to work as expected. However, there is one thing that can be missing: once you open the Certificate Templates MMC snap-in, it caches all data and does not track changes made outside this instance. You may need to refresh the MMC or re-open the MMC to reload data from AD.
In our environment it’s not working and the ACL is not set with pspki 372. Even when I re-open mmc. For now we use an older version 3.4 of pspki which works as expected for the ACL aspect, but then I introduce other problems.
From: Vadims Podans @.> Sent: Friday, October 14, 2022 10:43:16 AM To: PKISolutions/PSPKI @.> CC: Ben Coremans @.>; Author @.> Subject: Re: [PKISolutions/PSPKI] Get/Add/Set-CertificateTemplateAcl not working (Issue #176)
I'm sorry, it seems like I tested against the wrong version. Would you mind replacing the SysadminsLV.PKI.dll file in the PSPKI installation Library folder with the one from this attachment: https://github.com/PKISolutions/PSPKI/issues/129#issuecomment-722561086?
When will this solution be implemented in a new PSPKI version?
Hopefully this or next week. Currently, I'm running compatibility tests because of massive PKI library overhaul.
Looking forward to it
PSPKI v4.0.0-preview is released: https://github.com/PKISolutions/PSPKI/releases/tag/v4.0.0. Please read the release notes, as they contain information about breaking changes.
Hi Vadims,
I hope this message finds you well. Currently, in our environment, we are utilizing version 3.7.2 of the PSPKI module, which includes a replaced version of SysadminsLV.PKI.dll (specifically, version 3.7.2.5). This replacement was sourced from the GitHub issue #129.
I wanted to inquire if it would be possible for you to upload a new package of PSPKI, labeled as version 3.7.2.5, which incorporates the updated DLL, either to the PowerShell Gallery or within the PKISolutions space specifically for the enterprise version?
In our environment, we rely on the nupkg file to facilitate the import process into our internal gallery.
Please note that we plan to implement version 4 of PSPKI at a later stage, once we have completed the necessary testing.
Thank you for your assistance.
Kind regards, Ben
```powershell
$NewTemplateName = "Tenant14OCSPResponseSigning"
$ACLs = Get-CertificateTemplate -Name $NewTemplateName | Get-CertificateTemplateAcl # <- Path missing in Returned Object
$Test = Add-CertificateTemplateAcl -InputObject $ACLs -Identity "WindowsServerAdmin" -AccessType Allow -AccessMask Read, Enroll
$Return = Set-CertificateTemplateAcl -InputObject $Test
```

Returned object:

```
Path                    :
Owner                   : DOMAIN\sa
Group                   :
Access                  : {SysadminsLV.PKI.Security.AccessControl.CertTemplateAccessRule, SysadminsLV.PKI.Security.AccessControl.CertTemplateAccessRule, SysadminsLV.PKI.Security.AccessControl.CertTemplateAccessRule, SysadminsLV.PKI.Security.AccessControl.CertTemplateAccessRule...}
Sddl                    : O:S-1-5-21-214951723-759394271-1631113771-1162D:(A;;WP;;;AU)(A;;WPDT;;;DA)(A;;WPDT;;;S-1-5-21-214951723-759394271-1631113771-519)(A;;0x4000020;;;S-1-5-21-214951723-759394271-1631113771-1161)(A;;0x4000020;;;S-1-5-21-214951723-759394271-1631113771-1179)(A;;WPDT;;;S-1-5-21-214951723-759394271-1631113771-1608)
AccessToString          : NT AUTHORITY\Authenticated Users Allow
                          DOMAIN\Domain Admins Allow
                          DOMAIN\Enterprise Admins Allow
                          DOMAIN\WindowsServerAdmin Allow
                          DOMAIN\TmplOCSP Allow
                          DOMAIN\CaTemplMgr Allow
AuditToString           :
DisplayName             : Tenant 14 OCSP Response Signing
AccessRightType         : SysadminsLV.PKI.Security.AccessControl.CertTemplateRights
AccessRuleType          : SysadminsLV.PKI.Security.AccessControl.CertTemplateAccessRule
AuditRuleType           : SysadminsLV.PKI.Security.AccessControl.CertTemplateAuditRule
AreAccessRulesProtected : False
AreAuditRulesProtected  : False
AreAccessRulesCanonical : True
AreAuditRulesCanonical  : True
```
It looks like the Identity is added to the template without error, but when checking the permissions on the template they were not set. What I notice is that the Path parameter is not filled. Could that be the problem?
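One way to check whether the ACE actually reached AD, independent of the MMC cache mentioned in the thread and of the in-memory object returned by Add-CertificateTemplateAcl. This is an added example, not code from the thread or from the PSPKI project; it uses only the cmdlets and the Sddl property shown in the report, and the helper names Get-SddlDaclAce and Test-TemplateAce, the DOMAIN prefix and the sample SDDL string are assumptions made for illustration.

```powershell
# Added example, not PSPKI's own code. Helper names are hypothetical.
Import-Module PSPKI

function Get-SddlDaclAce {
    # Split the DACL part of an SDDL string into its ACEs.
    param([Parameter(Mandatory)][string]$Sddl)
    # The DACL starts at "D:", optionally followed by flags, then "(...)" groups.
    if ($Sddl -cnotmatch 'D:[A-Z]*((?:\([^()]*\))+)') { return }
    foreach ($m in [regex]::Matches($Matches[1], '\(([^()]*)\)')) {
        # ACE fields: type;flags;rights;object_guid;inherit_object_guid;trustee
        $f = $m.Groups[1].Value.Split(';')
        [pscustomobject]@{ Type = $f[0]; Rights = $f[2]; Trustee = $f[5] }
    }
}

function Test-TemplateAce {
    # Re-read the template ACL from AD and count Allow ACEs for one identity.
    param(
        [Parameter(Mandatory)][string]$TemplateName,
        [Parameter(Mandatory)][string]$Identity
    )
    # Resolve the account to its SID, the form custom groups take in the Sddl output.
    # Well-known principals appear as aliases (AU, DA) and will not match a SID.
    $sid = ([System.Security.Principal.NTAccount]$Identity).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value

    # Fresh read: do not reuse the object returned by Add-/Set-CertificateTemplateAcl.
    $acl  = Get-CertificateTemplate -Name $TemplateName | Get-CertificateTemplateAcl
    $hits = @(Get-SddlDaclAce -Sddl $acl.Sddl |
              Where-Object { $_.Type -eq 'A' -and $_.Trustee -eq $sid })

    [pscustomobject]@{
        Template  = $TemplateName
        Identity  = $Identity
        Sid       = $sid
        AllowAces = $hits.Count          # 0 means the ACE was not persisted
        Rights    = ($hits.Rights -join ',')
    }
}

# Offline check of the parser on a constructed SDDL string (the SID is made up):
Get-SddlDaclAce -Sddl 'O:DAD:(A;;WP;;;AU)(A;;0x4000020;;;S-1-5-21-1-2-3-1161)'

# Against AD, using the template and identity from the report:
Test-TemplateAce -TemplateName 'Tenant14OCSPResponseSigning' -Identity 'DOMAIN\WindowsServerAdmin'
```

Run Test-TemplateAce in a new PowerShell session after Set-CertificateTemplateAcl; an AllowAces value of 0 means the change is absent from the ACL that PSPKI reads back, regardless of what an open MMC instance displays.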