lithnet / access-manager

Access Manager provides web-based access to local admin (LAPS) passwords, BitLocker recovery keys, and just-in-time administrative access to Windows computers in a modern, secure, and user-friendly way.

[HELP] Effective Access Check returns AuthzInitializeContextFromSid failed #141

Closed jperhamcatchteam closed 2 years ago

jperhamcatchteam commented 2 years ago

Hello,

I have Access Manager version 1.0.7941.0 deployed on a Windows 2016 Server VM. We are using OpenID connect for authentication through Azure AD. We run a hybrid environment with domain controllers syncing users and groups back to Azure AD.

Whenever I attempt to check the effective access of a user on the Authorization page I get the error AuthzInitializeContextFromSid failed. This just started today and I was able to check the effective access on my own user account successfully yesterday. I'm not sure what to make of this issue.

Here are the relevant log entries:

2022-02-16 15:28:17.9351|TRACE|Lithnet.AccessManager.Server.Authorization.ComputerTargetProvider|Matched INTERNAL\COMPANY-P10149$ to target OU OU=ManagedComputers,DC=internal,DC=domainname,DC=org
2022-02-16 15:28:17.9351|TRACE|Lithnet.AccessManager.Server.Authorization.ComputerTargetProvider|Matched INTERNAL\COMPANY-P10149$ to target OU OU=ManagedComputers,DC=internal,DC=domainname,DC=org
2022-02-16 15:28:17.9351|TRACE|Lithnet.AccessManager.Server.Authorization.AuthorizationContextProvider|Attempting to create AuthorizationContext against server DCVM01.internal.domainname.org in domain internal.domainname.org for user INTERNAL\user requesting access to resource in domain S-1-5-21-3557257561-1692449828-1796780711 
2022-02-16 15:28:17.9351| WARN|Lithnet.AccessManager.Server.Authorization.AuthorizationContextProvider|Unable to connect to server DCVM01.internal.domainname.org
Lithnet.Security.Authorization.AuthorizationContextException: AuthzInitializeContextFromSid failed
 ---> System.ComponentModel.Win32Exception (5): Access is denied.
   --- End of inner exception stack trace ---
   at Lithnet.Security.Authorization.AuthorizationContext.InitializeAuthorizationContextFromSid(SafeAuthzResourceManagerHandle authzRm, SecurityIdentifier sid, AuthzInitFlags flags)
   at Lithnet.Security.Authorization.AuthorizationContext..ctor(SecurityIdentifier principal, String server, Boolean allowLocalFallback, AuthzInitFlags flags)
   at Lithnet.Security.Authorization.AuthorizationContext..ctor(SecurityIdentifier principal, String server, AuthzInitFlags flags)
   at Lithnet.AccessManager.Server.Authorization.AuthorizationContextProvider.GetContext(IUser user, SecurityIdentifier resourceDomain, AuthorizationContextDomainDetails domainDetails) in D:\dev\git\lithnet\access-manager\src\Lithnet.AccessManager\Lithnet.AccessManager.Server\Authorization\AuthorizationContextProvider.cs:line 72
2022-02-16 15:28:17.9475|TRACE|Lithnet.AccessManager.DiscoveryServices|New DC requested
2022-02-16 15:28:17.9475|TRACE|Lithnet.AccessManager.DiscoveryServices|Local DCLocator: Finding domain controller for domain internal.domainname.org with flags DS_FORCE_REDISCOVERY, DS_DIRECTORY_SERVICE_8_REQUIRED
2022-02-16 15:28:18.0539|TRACE|Lithnet.AccessManager.DiscoveryServices|Local DCLocator: Found DC DCVM01.internal.domainname.org for domain internal.domainname.org, with flags DS_FORCE_REDISCOVERY, DS_DIRECTORY_SERVICE_8_REQUIRED
2022-02-16 15:28:18.0539|TRACE|Lithnet.AccessManager.Server.Authorization.AuthorizationContextProvider|Attempting to create AuthorizationContext against server DCVM01.internal.domainname.org in domain internal.domainname.org for user INTERNAL\user requesting access to resource in domain S-1-5-21-3557257561-1692449828-1796780711 
2022-02-16 15:28:18.0652| WARN|Lithnet.AccessManager.Server.Authorization.AuthorizationContextProvider|Unable to connect to server DCVM01.internal.domainname.org
Lithnet.Security.Authorization.AuthorizationContextException: AuthzInitializeContextFromSid failed
 ---> System.ComponentModel.Win32Exception (5): Access is denied.
   --- End of inner exception stack trace ---
   at Lithnet.Security.Authorization.AuthorizationContext.InitializeAuthorizationContextFromSid(SafeAuthzResourceManagerHandle authzRm, SecurityIdentifier sid, AuthzInitFlags flags)
   at Lithnet.Security.Authorization.AuthorizationContext..ctor(SecurityIdentifier principal, String server, Boolean allowLocalFallback, AuthzInitFlags flags)
   at Lithnet.Security.Authorization.AuthorizationContext..ctor(SecurityIdentifier principal, String server, AuthzInitFlags flags)
   at Lithnet.AccessManager.Server.Authorization.AuthorizationContextProvider.GetContext(IUser user, SecurityIdentifier resourceDomain, AuthorizationContextDomainDetails domainDetails) in D:\dev\git\lithnet\access-manager\src\Lithnet.AccessManager\Lithnet.AccessManager.Server\Authorization\AuthorizationContextProvider.cs:line 72
2022-02-16 15:28:18.0652|TRACE|Lithnet.AccessManager.DiscoveryServices|New DC requested
2022-02-16 15:28:18.0652|TRACE|Lithnet.AccessManager.DiscoveryServices|Local DCLocator: Finding domain controller for domain internal.domainname.org with flags DS_FORCE_REDISCOVERY, DS_DIRECTORY_SERVICE_8_REQUIRED
2022-02-16 15:28:18.1735|TRACE|Lithnet.AccessManager.DiscoveryServices|Local DCLocator: Found DC DCVM01.internal.domainname.org for domain internal.domainname.org, with flags DS_FORCE_REDISCOVERY, DS_DIRECTORY_SERVICE_8_REQUIRED
2022-02-16 15:28:18.1735|ERROR|Lithnet.AccessManager.Server.UI.EffectiveAccessViewModel|Unable to calculate effective permissions
Lithnet.Security.Authorization.AuthorizationContextException: AuthzInitializeContextFromSid failed
 ---> System.ComponentModel.Win32Exception (5): Access is denied.
   --- End of inner exception stack trace ---
   at Lithnet.AccessManager.Server.Authorization.AuthorizationContextProvider.GetContext(IUser user, SecurityIdentifier resourceDomain, AuthorizationContextDomainDetails domainDetails) in D:\dev\git\lithnet\access-manager\src\Lithnet.AccessManager\Lithnet.AccessManager.Server\Authorization\AuthorizationContextProvider.cs:line 88
   at Lithnet.AccessManager.Server.Authorization.AuthorizationContextProvider.GetAuthorizationContext(IUser user, SecurityIdentifier resourceDomain) in D:\dev\git\lithnet\access-manager\src\Lithnet.AccessManager\Lithnet.AccessManager.Server\Authorization\AuthorizationContextProvider.cs:line 41
   at Lithnet.AccessManager.Server.Authorization.AuthorizationInformationBuilder.BuildAuthorizationInformation(IUser user, IComputer computer, IList`1 matchedComputerTargets) in D:\dev\git\lithnet\access-manager\src\Lithnet.AccessManager\Lithnet.AccessManager.Server\Authorization\AuthorizationInformationBuilder.cs:line 81
   at Lithnet.AccessManager.Server.UI.EffectiveAccessViewModel.<>c__DisplayClass64_1.<CalculateEffectiveAccess>b__1() in D:\dev\git\lithnet\access-manager\src\Lithnet.AccessManager\Lithnet.AccessManager.Server.UI\ViewModels\EffectiveAccessViewModel.cs:line 111
   at System.Threading.Tasks.Task`1.InnerInvoke()
   at System.Threading.ExecutionContext.RunFromThreadPoolDispatchLoop(Thread threadPoolThread, ExecutionContext executionContext, ContextCallback callback, Object state)
--- End of stack trace from previous location where exception was thrown ---
   at System.Threading.Tasks.Task.ExecuteWithThreadLocal(Task& currentTaskSlot, Thread threadPoolThread)
--- End of stack trace from previous location where exception was thrown ---
   at Lithnet.AccessManager.Server.UI.EffectiveAccessViewModel.<>c__DisplayClass64_0.<<CalculateEffectiveAccess>b__0>d.MoveNext() in D:\dev\git\lithnet\access-manager\src\Lithnet.AccessManager\Lithnet.AccessManager.Server.UI\ViewModels\EffectiveAccessViewModel.cs:line 111
--- End of stack trace from previous location where exception was thrown ---
   at Lithnet.AccessManager.Server.UI.EffectiveAccessViewModel.CalculateEffectiveAccess() in D:\dev\git\lithnet\access-manager\src\Lithnet.AccessManager\Lithnet.AccessManager.Server.UI\ViewModels\EffectiveAccessViewModel.cs:line 94

Additionally I noticed this log entry which occurred one time in the logs:

2022-02-16 15:24:02.1995|TRACE|Lithnet.AccessManager.CertificateProvider|TryGetCertificateFromDirectory failed
System.DirectoryServices.DirectoryServicesCOMException (0x80072030): There is no such object on the server.
   at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
   at System.DirectoryServices.PropertyCollection.Contains(String propertyName)
   at Lithnet.AccessManager.DirectoryExtensions.GetPropertyBytes(DirectoryEntry result, String propertyName) in D:\dev\git\lithnet\access-manager\src\Lithnet.AccessManager\Lithnet.AccessManager\DirectoryExtensions.cs:line 386
   at Lithnet.AccessManager.CertificateProvider.GetCertificateFromDirectory(String dnsDomain) in D:\dev\git\lithnet\access-manager\src\Lithnet.AccessManager\Lithnet.AccessManager\CertificateProvider.cs:line 141
   at Lithnet.AccessManager.CertificateProvider.TryGetCertificateFromDirectory(X509Certificate2& cert, String dnsDomain) in D:\dev\git\lithnet\access-manager\src\Lithnet.AccessManager\Lithnet.AccessManager\CertificateProvider.cs:line 168

Thank you for your time!

ryannewington commented 2 years ago

Hi @jperhamcatchteam

You'll need to make sure your user account (not just the AMS service account) is a member of the "Windows Authorization Access Group" as well as the "Access Control Assistance Operators" group in the domains where the users and computers reside for the effective access tool to work correctly.
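
The membership check described in the reply above, written out as an added PowerShell example; this is not code from the Access Manager project. It looks up the two BUILTIN groups by their well-known SIDs (S-1-5-32-560 and S-1-5-32-579) in each domain you pass in, reports whether the given account is a direct member, and with -Fix adds the missing memberships. It assumes the RSAT ActiveDirectory module is installed, that the caller can read those groups (and modify them when using -Fix), and that the domain and account names in the usage lines are placeholders.

```powershell
# Added example, not part of lithnet/access-manager. Checks direct membership of a
# user in the two BUILTIN groups the effective access tool needs, per domain.
# Assumptions: RSAT ActiveDirectory module present; caller can read (and, with
# -Fix, modify) the groups; all domain/account names below are placeholders.
function Test-AmsEffectiveAccessGroups {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string]$UserDomain,        # domain holding the user account
        [Parameter(Mandatory)] [string]$SamAccountName,    # the user's sAMAccountName
        [Parameter(Mandatory)] [string[]]$ResourceDomain,  # domains where AMS users/computers reside
        [switch]$Fix                                       # add missing memberships
    )

    Import-Module ActiveDirectory -ErrorAction Stop

    # Well-known SIDs of the two BUILTIN groups. Resolving by SID avoids relying
    # on the display names, which vary with the domain's language.
    $required = [ordered]@{
        'Windows Authorization Access Group'  = 'S-1-5-32-560'
        'Access Control Assistance Operators' = 'S-1-5-32-579'
    }

    $user = Get-ADUser -Identity $SamAccountName -Server $UserDomain -ErrorAction Stop

    foreach ($domain in $ResourceDomain) {
        foreach ($entry in $required.GetEnumerator()) {
            $group = Get-ADGroup -Identity $entry.Value -Server $domain `
                                 -Properties member -ErrorAction Stop

            # Direct membership only (nested groups are not followed). In the
            # user's own domain the member value is the user's DN; in another
            # domain it is a foreignSecurityPrincipal whose CN is the user's SID.
            $isMember = @($group.member | Where-Object {
                $_ -eq $user.DistinguishedName -or
                $_ -like "CN=$($user.SID.Value),CN=ForeignSecurityPrincipals,*"
            }).Count -gt 0

            if (-not $isMember -and $Fix -and
                $PSCmdlet.ShouldProcess("$domain : $($entry.Key)", "Add $($user.SamAccountName)")) {
                Add-ADGroupMember -Identity $group -Members $user -Server $domain -ErrorAction Stop
                $isMember = $true
            }

            [pscustomobject]@{
                Domain   = $domain
                Group    = $entry.Key
                Sid      = $entry.Value
                User     = $user.SamAccountName
                IsMember = $isMember
            }
        }
    }
}

# Usage (placeholder names). First report only, then apply with a confirmation prompt.
# Test-AmsEffectiveAccessGroups -UserDomain internal.domainname.org -SamAccountName user `
#     -ResourceDomain internal.domainname.org | Format-Table
# Test-AmsEffectiveAccessGroups -UserDomain internal.domainname.org -SamAccountName user `
#     -ResourceDomain internal.domainname.org -Fix -Confirm
```

Group membership is stamped into the logon token at sign-in, so after adding the account to either group, sign out of the server running the Access Manager configuration tool and sign back in before re-running the effective access check; an existing session will keep failing with the same access denied error.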

stale[bot] commented 2 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs.