lithnet / access-manager

Access Manager provides web-based access to local admin (LAPS) passwords, BitLocker recovery keys, and just-in-time administrative access to Windows computers in a modern, secure, and user-friendly way.

Service Config Tool Won't load - 1.0.7941 / Server 2022 #142

Closed acurtis85 closed 2 years ago

acurtis85 commented 2 years ago

Describe the bug
During a fresh install of Lithnet, install seems to succeed. When attempting to launch the Service Configuration Tool, a lengthy error message gets thrown.

To Reproduce
Steps to reproduce the behavior:

  1. Install Fresh on Server 2022
  2. Attempt to open Service Configuration Tool
  3. See Error

Expected behavior
Configuration Tool should Load

Screenshots
(screenshot of the error message not included in this extract)

Access Manager installation

ryannewington commented 2 years ago

@acurtis85 This happens when the server is not joined to an active directory domain. The bad error message is fixed in an upcoming release to something more helpful.

acurtis85 commented 2 years ago

The server is on an AD Domain, perhaps it helps to mention we have a root and a child domain, the server is joined to the child domain.

ryannewington commented 2 years ago

Hmmmm that shouldn't matter. What it's failing to do is find the forest name. Is the user you are running the app with a domain or local user?


acurtis85 commented 2 years ago

Domain user, we don't leverage local accounts for security purposes. The service account is created in the child domain, no access to the root.

ryannewington commented 2 years ago

Does the Get-ADForest PowerShell command return any errors?

Get-ADForest -Current LocalComputer

acurtis85 commented 2 years ago

Get-ADForest requires RSAT tools or at least the AD Powershell cmdlets to be available on the server, I didn't install them as it wasn't a prerequisite. On a similar server with these cmdlets available, no errors are returned. Does the product leverage RSAT?

ryannewington commented 2 years ago

No, it's not a prerequisite. The suggestion was because AMS is trying to resolve the forest topology and failing. It is making a similar API call to the one Get-ADForest would be making, hence running Get-ADForest to see if we get a similar result or a more informative error message. If you were able to run it on another server in the same domain, it does seem to rule out at least some types of permission issues in the root forest.

Are there any restrictions you are aware of that would prevent read access to the forest root domain?

acurtis85 commented 2 years ago

I don't believe a regular user in our child can read data from the root; however, I did install the PowerShell cmdlet for AD and ran the Get-ADForest command, and there were no errors. I'm still not sure that rules everything out though, as my account has rights to the root where the service account may not, as it's just a regular account right now. I could delegate read permissions to the service account if that's what it's leveraging, but it seems the config tool runs under my user context, no?

ryannewington commented 2 years ago

Yeah the tool is running in your user context.

There is an access-manager-service.log file in the logs folder of the application directory. Does that indicate any similar issues being experienced by the service itself?

I'll have to create a debug build to get more information about what is going on. Otherwise we're just flying blind.

acurtis85 commented 2 years ago

The app isn't creating any logs, directory is completely blank. Generally logs are the first thing I try to view since I deal with app errors frequently as part of my job. If we can get the logs to work I'd gladly attach them. I was wondering if this was an issue perhaps with Server 2022? This is a brand new server so I wasn't sure if this app supported it.

ryannewington commented 2 years ago

@acurtis85 can you please try this build

https://lithnet-my.sharepoint.com/:u:/g/personal/ryan_lithnet_io/ETVHXvWvkZlFuVQAxvE5lOAB7x_9kTklx5PSQ8tsBtCpRg?e=d5isxc

The Lithnet Access Manager event log should have information for us about the nature of the failure, if the access-manager-service.log or access-manager-ui.log files are not present.

acurtis85 commented 2 years ago

This build launched without issue, did anything change? I am going to continue the config process and update here if I run into any issues.

ryannewington commented 2 years ago

Yes, I made it bypass (but log) the issue that you were experiencing. Can we see anything in the application-specific event log?

acurtis85 commented 2 years ago

Attached are the logs from the event viewer; I noticed it says invalid username or password.

Error1.txt Error2.txt access-manager-service.log

ryannewington commented 2 years ago

@acurtis85 Thanks for providing the logs. I tried to reproduce this in my lab with a standard child/parent domain setup, and was not able to reproduce the issue you are seeing.

Can I get you to try one more debugging build (using the same link earlier). I've included some more debugging information in the ui log that might give some more clues as to what is happening here.

acurtis85 commented 2 years ago

Hey, sorry for the delay, I haven't had a chance to log on this weekend, but here's the updated log from the new debug build you provided. I redacted my forest name and child but left the entries there with asterisks; the info was right when I looked at it. So it sees the forest and the child but says some username/password is incorrect.

access-manager-ui.log

acurtis85 commented 2 years ago

Update: I've been able to configure this version and it's working well, but I do get this error once in a while in the config UI:
(screenshot not included in this extract)

ryannewington commented 2 years ago

Hi @acurtis85

So I can see from the log sent that the service account is unable to bind to the parent domain's LDAP interface to read the root domain object in the root forest. This is quite unusual. I'd have to guess that some permission has been removed, or a DENY ACL is in place somewhere.

I set up a basic child/parent domain in my lab and could not reproduce this issue. So there is either something going on with the permissions in your parent domain, or perhaps I haven't replicated the topology correctly? I created a parent domain domain.local and then a child domain child.domain.local.

The error you have shown here probably has the same root cause. Operation of the AMS server does require forest topology information, and I suspect it's failing again to obtain that.

The exact cause of that error should be in the event log or access-manager-ui log file. If you can share that I can confirm if this is the case or not.
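The two steps described in this comment and in the earlier Get-ADForest exchange (resolving the forest topology, then binding to the forest root domain's LDAP interface to read the root domain object) can be exercised directly from the user's own context with the .NET System.DirectoryServices API, which is what Get-ADForest ultimately relies on and needs no RSAT. The script below is an added diagnostic written for this thread, not Access Manager's own code; it assumes it is run on the domain-joined server as the same user who launches the Service Configuration Tool, and the function names Test-ForestTopology and Test-RootDomainBind are made up for the example.

```powershell
# Added diagnostic (not part of Access Manager). Assumes: run on the
# domain-joined server, in the user context that launches the config tool,
# with no RSAT / ActiveDirectory PowerShell module installed.
Add-Type -AssemblyName System.DirectoryServices

function Test-ForestTopology {
    # Step 1: resolve the computer's domain, its forest and the forest root
    # domain through System.DirectoryServices.ActiveDirectory, the same API
    # family Get-ADForest uses, so no cmdlets are needed.
    try {
        $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
        $forest = $domain.Forest
        [pscustomobject]@{
            ComputerDomain = $domain.Name
            Forest         = $forest.Name
            RootDomain     = $forest.RootDomain.Name
            Error          = $null
        }
    } catch {
        [pscustomobject]@{
            ComputerDomain = $null
            Forest         = $null
            RootDomain     = $null
            Error          = $_.Exception.GetBaseException().Message
        }
    }
}

function Test-RootDomainBind {
    param([Parameter(Mandatory)][string]$RootDomain)
    # Step 2: read RootDSE of the forest root domain (to learn its naming
    # context), then bind to the domain object itself. RefreshCache() forces
    # the LDAP bind, so a credential or permission failure (for example the
    # "invalid username or password" seen in this thread) surfaces here.
    $rootNc = $null
    $who    = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    try {
        $rootDse = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$RootDomain/RootDSE")
        $rootNc  = [string]$rootDse.Properties['defaultNamingContext'].Value
        $rootObj = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$RootDomain/$rootNc")
        $rootObj.RefreshCache(@('distinguishedName', 'objectSid'))
        [pscustomobject]@{
            RootNamingContext = $rootNc
            BoundAs           = $who
            Error             = $null
        }
    } catch {
        $ex = $_.Exception.GetBaseException()
        [pscustomobject]@{
            RootNamingContext = $rootNc
            BoundAs           = $who
            # HRESULT is included because the message alone is often generic
            Error             = ('{0} (HRESULT 0x{1:X8})' -f $ex.Message, $ex.HResult)
        }
    }
}

# Run both steps in order; a failure in step 1 makes step 2 meaningless.
$topology = Test-ForestTopology
$topology | Format-List
if (-not $topology.Error) {
    Test-RootDomainBind -RootDomain $topology.RootDomain | Format-List
}
```

If step 1 succeeds but step 2 reports an error under the logged-on user, the restriction sits between the child domain member and the forest root (permissions, a DENY ACL, or policy), which is the condition this comment describes; running the same script under the service account narrows it further.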

acurtis85 commented 2 years ago

I'm doing more digging and I think it may be a group policy restriction. Since we're a healthcare facility, we do have some pretty robust security items in place. I noticed, while attempting to elevate a PowerShell window to my root domain admin so I could bind the Lithnet certificate for JIT access, that I could not elevate, with an invalid username/password despite knowing for certain the password was correct. I jumped over to my admin box and was able to elevate with no issue, so there appears to be a GPO in effect that prevents something talking to the root.

ryannewington commented 2 years ago

Yeah, that makes sense from what we can see the service trying to do and failing. I'm not sure what to advise at this stage, but I dare say if you can figure out the PowerShell runas issue, then AMS should start working as well.

stale[bot] commented 2 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs.