Seji64 / LAPS-WebUI

A nice and simple Web Interface for LAPS (Local Administrator Password Solution)
MIT License
29 stars 6 forks

Password decryption error with non-admin User #16

Closed magicvodi closed 7 months ago

magicvodi commented 1 year ago

Hi,

I've got a user which is not an admin. I set the permissions with Set-LapsADReadPasswordPermission and set the authorized decryptors group via GPO. When I try to read the password with the user with Get-LapsADPassword -Identity COMPUTERNAME -AsPlainText it works without problems. LAPS-WebUI shows an error related to decryption; when I run the decryption script manually I get the following error:

PS C:\Users\vodi> python "C:\System Management\LAPS-WebUI-v1.5.5-win-x64\scripts\DecryptEncryptedLAPSPassword.py" --user "sbplanbau\NON-ADMIN-USER" --password "REDACTED" --data "REDACTED_BASE64"
Traceback (most recent call last):
  File "C:\System Management\LAPS-WebUI-v1.5.5-win-x64\scripts\DecryptEncryptedLAPSPassword.py", line 17, in <module>
    main()
  File "C:\System Management\LAPS-WebUI-v1.5.5-win-x64\scripts\DecryptEncryptedLAPSPassword.py", line 13, in main
    decryptedBlob = dpapi_ng.ncrypt_unprotect_secret(username=args.username, password=args.password, data=encyrptedPass)
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Program Files\Python312\Lib\site-packages\dpapi_ng\_client.py", line 608, in ncrypt_unprotect_secret
    rk = _sync_get_key(
         ^^^^^^^^^^^^^^
  File "C:\Program Files\Python312\Lib\site-packages\dpapi_ng\_client.py", line 215, in _sync_get_key
    return _process_get_key_result(resp)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Program Files\Python312\Lib\site-packages\dpapi_ng\_client.py", line 131, in _process_get_key_result
    return GetKey.unpack_response(raw_resp)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Program Files\Python312\Lib\site-packages\dpapi_ng\_gkdi.py", line 132, in unpack_response
    raise ValueError(f"GetKey failed 0x{hresult:08X}")
ValueError: GetKey failed 0x80070005

Running the same python command but with the login data of an admin user shows the decrypted password.

Seji64 commented 1 year ago

If I got this right, this seems an issue with dpapi_ng itself? LAPS-WebUI just wraps this Python module.

My gut feeling would be that there is a connection problem. For LAPSv2 you need RPC and LDAP. Is there a firewall in between?

dataworxx commented 11 months ago

Hi Seji64,

it seems that I have exactly the same issue. I set up an AD group LAPS-Admins with some members: Administrator, employee1, employee2, employee3. Added the AD group LAPS-Admins to the OU via Set-LapsADReadPasswordPermission. Added the AD group LAPS-Admins via GPO for authorized decryptors.

Failed to fetch LAPS Data for computer X Error: Failed to decrypt LAPSv2 Password

LAPS-WebUI is running in Docker on a Synology; maybe a firewall or NAT issue with Synology? I'm not that experienced with Docker on Synology.

Error output is the same as magicvodi's.

DOMAIN\Administrator still works....

johnking89 commented 7 months ago

I had the same issue, but I worked out it was due to the password history. Whilst the user is now part of the group that can decrypt the current password, the group wasn't designated as the password decryptor when previous passwords were created; the previous password decryptor was still set as the Domain Admins group.

As I'm still in the testing stage I simply cleared the msLAPS-EncryptedPasswordHistory attribute and voila, no more errors.
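The diagnosis in the last comment can be checked per stored value rather than by clearing the history blindly: each msLAPS-EncryptedPassword / msLAPS-EncryptedPasswordHistory value carries the protection descriptor (the decryptor SID) it was encrypted with, so a caller who joined the authorized-decryptors group later decrypts the current value but gets GetKey 0x80070005 (E_ACCESSDENIED) on older entries. The script below is an added example, not code from LAPS-WebUI or from dpapi_ng. It assumes the attribute layout described in Microsoft's Windows LAPS documentation (a 16-byte prefix of FILETIME upper DWORD, FILETIME lower DWORD, ciphertext length and flags, followed by the DPAPI-NG blob) and that the decrypted blob is NUL-terminated UTF-16-LE JSON with keys "n", "t" and "p"; the real backend calls dpapi_ng.ncrypt_unprotect_secret exactly as the project's script does. The domain SID, the LAPS-Admins RID, the sample values and the offline stand-in for the GKDI key fetch are all constructed for the demo.

```python
# Added example, not LAPS-WebUI or dpapi_ng code. Assumed (per Microsoft's LAPS
# docs) layout of msLAPS-EncryptedPassword and each history value: 16-byte prefix
# (FILETIME upper DWORD, FILETIME lower DWORD, ciphertext length, flags), then a
# DPAPI-NG blob decrypting to NUL-terminated UTF-16-LE JSON {"n","t","p"}.
import datetime as dt
import json
import struct

HEADER_LEN = 16
GETKEY_ACCESS_DENIED = 0x80070005  # E_ACCESSDENIED from the GKDI GetKey RPC
WINDOWS_EPOCH = dt.datetime(1601, 1, 1, tzinfo=dt.timezone.utc)

def filetime_to_datetime(filetime: int) -> dt.datetime:
    return WINDOWS_EPOCH + dt.timedelta(microseconds=filetime // 10)

def datetime_to_filetime(when: dt.datetime) -> int:
    return ((when - WINDOWS_EPOCH) // dt.timedelta(microseconds=1)) * 10

def parse_laps_blob(raw: bytes):
    """Split a stored value into (written, flags, dpapi_ng_blob)."""
    if len(raw) < HEADER_LEN:
        raise ValueError("value shorter than the 16-byte LAPS prefix")
    upper, lower, size, flags = struct.unpack("<IIII", raw[:HEADER_LEN])
    ciphertext = raw[HEADER_LEN:]
    if len(ciphertext) != size:
        raise ValueError(f"prefix announces {size} ciphertext bytes, got {len(ciphertext)}")
    return filetime_to_datetime((upper << 32) | lower), flags, ciphertext

def decrypt_laps_password(raw, unprotect, username=None, password=None) -> dict:
    written, _flags, ciphertext = parse_laps_blob(raw)
    plaintext = unprotect(ciphertext, username, password)
    payload = json.loads(plaintext.decode("utf-16-le").rstrip("\x00"))
    return {"account": payload["n"], "password": payload["p"], "written": written}

def classify_error(exc: Exception) -> str:
    # dpapi_ng raises ValueError("GetKey failed 0x<HRESULT>") when the KDS key fetch fails
    if f"GetKey failed 0x{GETKEY_ACCESS_DENIED:08X}" in str(exc):
        return "access denied: caller is not in the SID this value was protected to"
    return f"{type(exc).__name__}: {exc}"

def triage_history(current, history, unprotect, username=None, password=None) -> list:
    """Each stored value keeps the protection descriptor it was encrypted with, so a
    caller added to the authorized decryptors later can read the current value and
    still fail on older history entries; this reports which ones."""
    report = []
    entries = [("current", current)] + [(f"history[{i}]", b) for i, b in enumerate(history)]
    for label, raw in entries:
        try:
            got = decrypt_laps_password(raw, unprotect, username, password)
            report.append({"entry": label, "ok": True, "written": got["written"].isoformat()})
        except Exception as exc:
            report.append({"entry": label, "ok": False, "reason": classify_error(exc)})
    return report

def dpapi_ng_unprotect(data, username, password):
    """Real backend: needs RPC and LDAP reachability to the domain, as noted above."""
    import dpapi_ng  # imported lazily so the offline demo runs without the module
    return dpapi_ng.ncrypt_unprotect_secret(data, username=username, password=password)

def fake_unprotect_for(caller_sids):
    """Offline stand-in for the GKDI key fetch: constructed 'ciphertext' is
    b'SID=<sid>|<plaintext>' and the key is handed only to members of that SID."""
    def unprotect(data, username, password):
        descriptor, _, plaintext = data.partition(b"|")
        if descriptor.decode().removeprefix("SID=") not in caller_sids:
            raise ValueError(f"GetKey failed 0x{GETKEY_ACCESS_DENIED:08X}")
        return plaintext
    return unprotect

# Constructed SIDs: Domain Admins (RID 512) and an assumed LAPS-Admins group (RID 1105).
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
DOMAIN_ADMINS = DOMAIN_SID + "-512"
LAPS_ADMINS = DOMAIN_SID + "-1105"

def sample_value(written: dt.datetime, protect_to_sid: str, password: str) -> bytes:
    """Constructed value in the assumed layout; the 'ciphertext' is fake, not DPAPI-NG."""
    ft = datetime_to_filetime(written)
    payload = json.dumps({"n": "Administrator", "t": f"{ft:x}", "p": password}) + "\x00"
    ciphertext = f"SID={protect_to_sid}|".encode() + payload.encode("utf-16-le")
    return struct.pack("<IIII", ft >> 32, ft & 0xFFFFFFFF, len(ciphertext), 0) + ciphertext

def sample_attributes():
    """Mirrors the thread: current value protected to LAPS-Admins, history to Domain Admins."""
    utc = dt.timezone.utc
    current = sample_value(dt.datetime(2024, 5, 1, tzinfo=utc), LAPS_ADMINS, "Current-Pa55")
    history = [sample_value(dt.datetime(2024, 4, 1, tzinfo=utc), DOMAIN_ADMINS, "Old-Pa55-1"),
               sample_value(dt.datetime(2024, 3, 1, tzinfo=utc), DOMAIN_ADMINS, "Old-Pa55-2")]
    return current, history

if __name__ == "__main__":
    current, history = sample_attributes()
    for row in triage_history(current, history, fake_unprotect_for({LAPS_ADMINS})):
        print(row)  # member of LAPS-Admins only: current ok, both history entries denied
```

Against a real domain, pass the raw attribute values read over LDAP together with `dpapi_ng_unprotect` and the non-admin account's credentials; an entry that fails with the access-denied reason while the current value succeeds is one that was encrypted before the GPO change, which is the situation the last comment resolved by clearing msLAPS-EncryptedPasswordHistory. Any other failure reason (for example a timeout) points back at the RPC/LDAP reachability question raised earlier in the thread.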