lithnet / access-manager

Access Manager provides web-based access to local admin (LAPS) passwords, BitLocker recovery keys, and just-in-time administrative access to Windows computers in a modern, secure, and user-friendly way.

HTTP 400 error when choosing computer or role: webapp logs shows 'access is denied' #186

Closed brolifen closed 1 year ago

brolifen commented 1 year ago

Describe the bug

I performed an in-place upgrade from v1 to v2. Changed the LocalDB to an SQL database and changed the service account to a gMSA. I used the provided script to provision the SQL DB for the gMSA. Everything seems to be connecting fine. However, in the webapp, when I choose a computer or role and choose "next", the page throws an HTTP 400 error. If I look in the webapp logs, the main error is: Lithnet.Security.Authorization.AuthorizationContextException: AuthzInitializeContextFromSid failed ---> System.ComponentModel.Win32Exception (5): Access is denied.

It's obviously a permission error somewhere, but I don't know where. The "Authorized users and groups" contained a group; then I added the user explicitly, and now it's empty. None of that helped. I also made sure the gMSA account was added to the DACL of objects with "write members" permission. I even fully removed AMS and its files and reinstalled, but the error remains.

There is no entry generated in the Service logs, only in the webapp logs. Full webapp logs are below.

Logs

2022-10-28 14:49:12.7303|TRACE|00-e1f3b9a4736a439bb42c15f983747713-7fe2aa3c9487ea25-00|192.168.2.10|myDomain\myAdminAccount|Lithnet.AccessManager.WebApp.Authorization.MustHaveSidHandler|The user myDomain\myAdminAccount has a SID that is required for login S-1-5-21-2164475675-4072977403-1171575601-512
2022-10-28 14:49:15.0326|TRACE|00-3a197a2e190ccc8bfcd0d3df57c4dc93-eb019291033875c7-00|192.168.2.10|myDomain\myAdminAccount|Lithnet.AccessManager.WebApp.Authorization.MustHaveSidHandler|The user myDomain\myAdminAccount has a SID that is required for login S-1-5-21-2164475675-4072977403-1171575601-512
2022-10-28 14:49:16.3660|TRACE|00-8dabd1dc0f9798e39505dd64f8eb0a2e-b694b0de7e34343f-00|192.168.2.10|myDomain\myAdminAccount|Lithnet.AccessManager.WebApp.Authorization.MustHaveSidHandler|The user myDomain\myAdminAccount has a SID that is required for login S-1-5-21-2164475675-4072977403-1171575601-512
2022-10-28 14:49:16.3835|TRACE|00-8dabd1dc0f9798e39505dd64f8eb0a2e-b694b0de7e34343f-00|192.168.2.10|myDomain\myAdminAccount|Lithnet.AccessManager.Server.Authorization.RoleAuthorizationInformationBuilder|Building authorization information for roles-S-1-5-21-2164475675-4072977403-1171575601-1103
2022-10-28 14:49:16.4047|TRACE|00-8dabd1dc0f9798e39505dd64f8eb0a2e-b694b0de7e34343f-00|192.168.2.10|myDomain\myAdminAccount|Lithnet.AccessManager.Server.Authorization.AuthorizationContextProvider|Built AuthorizationContextDomainDetails for domain mydomain.com. IsInCurrentForest:True IsRemoteOneWayTrust:False
2022-10-28 14:49:16.4047|TRACE|00-8dabd1dc0f9798e39505dd64f8eb0a2e-b694b0de7e34343f-00|192.168.2.10|myDomain\myAdminAccount|Lithnet.AccessManager.ActiveDirectory.DiscoveryServices|Local DCLocator: Finding domain controller for domain mydomain.com with flags DS_DIRECTORY_SERVICE_8_REQUIRED
2022-10-28 14:49:16.4047|TRACE|00-8dabd1dc0f9798e39505dd64f8eb0a2e-b694b0de7e34343f-00|192.168.2.10|myDomain\myAdminAccount|Lithnet.AccessManager.ActiveDirectory.DiscoveryServices|Local DCLocator: Found DC DC02.mydomain.com for domain mydomain.com, with flags DS_DIRECTORY_SERVICE_8_REQUIRED
2022-10-28 14:49:16.4047|TRACE|00-8dabd1dc0f9798e39505dd64f8eb0a2e-b694b0de7e34343f-00|192.168.2.10|myDomain\myAdminAccount|Lithnet.AccessManager.Server.Authorization.AuthorizationContextProvider|Attempting to create AuthorizationContext against server DC02.mydomain.com in domain mydomain.com for user myDomain\myAdminAccount
2022-10-28 14:49:16.4314|ERROR|00-8dabd1dc0f9798e39505dd64f8eb0a2e-b694b0de7e34343f-00|192.168.2.10|myDomain\myAdminAccount|Lithnet.AccessManager.Server.Authorization.AuthorizationContextProvider|Unable to create AuthorizationContext against server DC02.mydomain.com in domain mydomain.com Lithnet.Security.Authorization.AuthorizationContextException: AuthzInitializeContextFromSid failed ---> System.ComponentModel.Win32Exception (5): Access is denied.
--- End of inner exception stack trace ---
at Lithnet.Security.Authorization.AuthorizationContext.InitializeAuthorizationContextFromSid(SafeAuthzResourceManagerHandle authzRm, SecurityIdentifier sid, AuthzInitFlags flags)
at Lithnet.Security.Authorization.AuthorizationContext..ctor(SecurityIdentifier principal, String server, Boolean allowLocalFallback, AuthzInitFlags flags)
at Lithnet.Security.Authorization.AuthorizationContext..ctor(SecurityIdentifier principal, String server, AuthzInitFlags flags)
at Lithnet.AccessManager.Server.Authorization.AuthorizationContextProvider.GetContext(IActiveDirectoryUser user, AuthorizationContextDomainDetails domainDetails, Boolean requireS4U) in D:\dev\git\lithnet\access-manager\src\Lithnet.AccessManager\Lithnet.AccessManager.Server\Authorization\Shared\AuthorizationContextProvider.cs:line 82
2022-10-28 14:49:16.5846| WARN|00-8dabd1dc0f9798e39505dd64f8eb0a2e-b694b0de7e34343f-00|192.168.2.10|myDomain\myAdminAccount|Lithnet.AccessManager.Server.Authorization.AuthorizationContextProvider|Unable to establish authorization context for user myDomain\myAdminAccount against an appropriate target server. The authorization context will be built locally, but information about membership in domain local groups in the target domain may missed
2022-10-28 14:49:16.6305|TRACE|00-8dabd1dc0f9798e39505dd64f8eb0a2e-b694b0de7e34343f-00|192.168.2.10|myDomain\myAdminAccount|Lithnet.AccessManager.Server.Authorization.RoleAuthorizationInformationBuilder|Found 1 roles for user myDomain\myAdminAccount

ryannewington commented 1 year ago

@brolifen

That error is usually because the gMSA is not a member of the Access Control Assistance Operators and Windows Authorization Access Group groups in the domain.

However, I'm not sure that's the cause of the error you are seeing. When we can't resolve the group membership against the DC, we fall back to asking the local machine to do it, which is what happened here.

Are there any other errors appearing later in the log?

Ryan
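A quick way to verify the membership requirement described above, added here as an illustration (not code from the issue thread or from the Access Manager project). It assumes the RSAT ActiveDirectory module is available and uses the placeholder gMSA name `svc-ams$`; nested membership counts because the lookup is recursive.

```powershell
# Added diagnostic for the cause described in the reply above; not code from the
# issue thread or the Access Manager project. Assumes the ActiveDirectory module is
# installed and that the AMS gMSA sAMAccountName is 'svc-ams$' (placeholder).
param(
    [string]$GmsaName = 'svc-ams$'
)

Import-Module ActiveDirectory

# The two built-in domain-local groups the service account needs so that the
# authorization context can be built against a DC instead of falling back to the
# local machine (which can miss domain-local group memberships in the target domain).
$RequiredGroups = @(
    'Access Control Assistance Operators',
    'Windows Authorization Access Group'
)

function Test-AmsGmsaGroupMembership {
    param([Parameter(Mandatory)][string]$Identity)

    $gmsa = Get-ADServiceAccount -Identity $Identity
    $missing = @()

    foreach ($groupName in $RequiredGroups) {
        # -Recursive expands nested groups, so membership through an intermediate group counts.
        $members  = @(Get-ADGroupMember -Identity $groupName -Recursive)
        $isMember = $members | Where-Object { $_.distinguishedName -eq $gmsa.DistinguishedName }

        if ($isMember) {
            Write-Host "[OK]      $Identity is a member of '$groupName'"
        } else {
            Write-Host "[MISSING] $Identity is NOT a member of '$groupName'"
            $missing += $groupName
        }
    }

    # Names of the required groups the gMSA is still missing from; empty means all good.
    return $missing
}

$missingGroups = @(Test-AmsGmsaGroupMembership -Identity $GmsaName)

if ($missingGroups.Count -gt 0) {
    Write-Host "Add the gMSA to the groups listed as MISSING, then restart the Access Manager service."
    exit 1
}
```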

brolifen commented 1 year ago

Ah, thank you, I overlooked adding the gMSA to those groups. However, I added it now and restarted the server. There is no more access denied error now, but sadly the HTTP 400 error remains. When I clear all the logs and click "next", this is the only log that is generated in access-manager-webapp.log:

2022-10-29 00:00:07.2788|ERROR|00-5b76ecf7a4a178b72a1c0cd962cf63b6-bb0b505801e3d430-00|192.168.2.10||Lithnet.AccessManager.Enterprise.AmsLicenseManager|The license has expired and is currently in a grace period. All features will be disabled once the grace period expires 7 days from the original license expiry date
2022-10-29 00:00:07.3725|TRACE|00-da290065bb4ab6fbfb8b62073a137217-5eafda8c83011e29-00|192.168.2.10||Lithnet.AccessManager.ActiveDirectory.DiscoveryServices|Local DCLocator: Finding domain controller for domain mydomain.com with flags 0
2022-10-29 00:00:07.3725|TRACE|00-da290065bb4ab6fbfb8b62073a137217-5eafda8c83011e29-00|192.168.2.10||Lithnet.AccessManager.ActiveDirectory.DiscoveryServices|Local DCLocator: Found DC DC01.mydomain.com for domain mydomain.com, with flags 0
2022-10-29 00:00:07.4312|TRACE|00-da290065bb4ab6fbfb8b62073a137217-5eafda8c83011e29-00|192.168.2.10|myDomain\myAdminAccount|Lithnet.AccessManager.Server.Authorization.RoleAuthorizationInformationBuilder|Building authorization information for roles-S-1-5-21-2164475675-4072977403-1171575601-1103
2022-10-29 00:00:07.4597|TRACE|00-da290065bb4ab6fbfb8b62073a137217-5eafda8c83011e29-00|192.168.2.10|myDomain\myAdminAccount|Lithnet.AccessManager.Server.Authorization.AuthorizationContextProvider|Built AuthorizationContextDomainDetails for domain mydomain.com. IsInCurrentForest:True IsRemoteOneWayTrust:False
2022-10-29 00:00:07.4597|TRACE|00-da290065bb4ab6fbfb8b62073a137217-5eafda8c83011e29-00|192.168.2.10|myDomain\myAdminAccount|Lithnet.AccessManager.ActiveDirectory.DiscoveryServices|Local DCLocator: Finding domain controller for domain mydomain.com with flags DS_DIRECTORY_SERVICE_8_REQUIRED
2022-10-29 00:00:07.4597|TRACE|00-da290065bb4ab6fbfb8b62073a137217-5eafda8c83011e29-00|192.168.2.10|myDomain\myAdminAccount|Lithnet.AccessManager.ActiveDirectory.DiscoveryServices|Local DCLocator: Found DC DC01.mydomain.com for domain mydomain.com, with flags DS_DIRECTORY_SERVICE_8_REQUIRED
2022-10-29 00:00:07.4597|TRACE|00-da290065bb4ab6fbfb8b62073a137217-5eafda8c83011e29-00|192.168.2.10|myDomain\myAdminAccount|Lithnet.AccessManager.Server.Authorization.AuthorizationContextProvider|Attempting to create AuthorizationContext against server DC01.mydomain.com in domain mydomain.com for user myDomain\myAdminAccount
2022-10-29 00:00:07.4791|TRACE|00-da290065bb4ab6fbfb8b62073a137217-5eafda8c83011e29-00|192.168.2.10|myDomain\myAdminAccount|Lithnet.AccessManager.Server.Authorization.RoleAuthorizationInformationBuilder|Found 1 roles for user myDomain\myAdminAccount

ryannewington commented 1 year ago

Can you post a screenshot of the error you are seeing in the browser?

brolifen commented 1 year ago


Seems to be a generic error. I also have to mention that the trial Enterprise license has just expired now, and the active product edition is "Community edition". However, it showed this error during the grace period too.

ryannewington commented 1 year ago

In the app config folder (usually C:\Program Files\Lithnet\Access Manager Service\config), there is a file called appsettings-local.json. Can you make a backup copy of this, and replace the contents of the original with the following:

{
  "Logging": {
    "LogLevel": {
      "Default": "Trace",
      "Microsoft": "Trace",
      "Microsoft.AspNetCore": "Trace",
      "Microsoft.Hosting.Lifetime": "Warning",
      "Quartz": "Warning",
      "Lithnet.AccessManager.Server.Rpc": "Information",
      "Lithnet.AccessManager.Server.Workers.JitGroupWorker": "Information"
    },
    "EventLog": {
      "LogLevel": {
        "Default": "Error",
        "Lithnet": "Information"
      }
    }
  }
}

Restart the service, and try the operation again to see if we get logs.

Can I trouble you to send those logs, and that fiddler trace to support@lithnet.io please?

ryannewington commented 1 year ago

Also worth just making sure you are on the latest build:

https://github.com/lithnet/access-manager/releases/tag/v2.0.9054-preview3a

brolifen commented 1 year ago

> Also worth just making sure you are on the latest build
>
> https://github.com/lithnet/access-manager/releases/tag/v2.0.9054-preview3a

This was it :). The latest build did resolve the problem.

ryannewington commented 1 year ago

FYI production release of v2 is now available.