Access Manager provides web-based access to local admin (LAPS) passwords, BitLocker recovery keys, and just-in-time administrative access to Windows computers in a modern, secure, and user-friendly way.
Describe the bug
Access Manager is unable to decrypt passwords encrypted by New LAPS.
It can still access unencrypted passwords.
I'm not sure if it's a bug or if I missed something when switching from Legacy LAPS to New LAPS.
To Reproduce
Try to obtain the password of any computer where the password has been encrypted by New LAPS (in the GPO: "Enable password encryption" is set to "Enabled"). Access Manager's service account has been added to "Configure authorized password decryptors" in the GPO so it should have the necessary permissions.
If encryption is disabled then Access Manager can again obtain the password.
Expected behavior
Access Manager should be able to access and decrypt the password.
Access Manager installation
OS: Windows Server 2019
Version: 2.0.9419.0
Additional context
The encrypted password can be obtained from New LAPS (either through PowerShell or the GUI).
Logs
The following error appears in access-manager-webapp.log when trying to access the password:
Lithnet.AccessManager.Server.PasswordRetrievalException: Unable to decrypt password
---> System.IO.InvalidDataException: The data was not of the correct size
   at Lithnet.AccessManager.Server.PasswordProviders.MsLapsEncryptedPasswordBlob..ctor(Span`1 rawData) in D:\a\1\s\src\Lithnet.AccessManager\Lithnet.AccessManager.Server\PasswordProviders\MsLapsEncryptedPasswordBlob.cs:line 35
   at Lithnet.AccessManager.Server.PasswordProviders.MsLapsPasswordProviderBase.CreatePasswordItem(Byte[] passwordBytes) in D:\a\1\s\src\Lithnet.AccessManager\Lithnet.AccessManager.Server\PasswordProviders\MsLapsPasswordProviderBase.cs:line 23
   --- End of inner exception stack trace ---
   at Lithnet.AccessManager.Server.PasswordProviders.MsLapsPasswordProviderBase.CreatePasswordItem(Byte[] passwordBytes) in D:\a\1\s\src\Lithnet.AccessManager\Lithnet.AccessManager.Server\PasswordProviders\MsLapsPasswordProviderBase.cs:line 30
   at Lithnet.AccessManager.Server.PasswordProviders.MsLapsAdEncryptedPasswordProvider.GetCurrentPasswordAsync(IComputer computer, Nullable`1 newExpiry) in D:\a\1\s\src\Lithnet.AccessManager\Lithnet.AccessManager.Server\PasswordProviders\MsLapsAdEncryptedPasswordProvider.cs:line 76
at Lithnet.AccessManager.Server.PasswordProvider.GetCurrentPasswordAsync(IComputer computer, Nullable`1 newExpiry) in D:\a\1\s\src\Lithnet.AccessManager\Lithnet.AccessManager.Server\Providers\PasswordProvider.cs:line 42
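The "data was not of the correct size" error is raised while splitting the msLAPS-EncryptedPassword value into its header and ciphertext, before any decryption is attempted, so the first thing worth checking is whether the stored value is well-formed. The following added example (not Access Manager's code) parses the 16-byte header that Microsoft's Windows LAPS technical reference documents in front of the DPAPI-NG buffer (FILETIME upper half, FILETIME lower half, encrypted buffer size, flags) and verifies that the declared size matches the bytes actually present; the layout is taken from that reference, and the sample blob and its filler ciphertext are constructed here.

```python
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# 16-byte header in front of the DPAPI-NG buffer, all little-endian uint32:
# FILETIME upper half, FILETIME lower half, encrypted buffer size, flags (reserved, 0).
HEADER = struct.Struct("<IIII")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


@dataclass
class LapsEncryptedBlob:
    updated: datetime  # when the password was set, decoded from the FILETIME
    flags: int
    encrypted: bytes   # opaque DPAPI-NG buffer; only NCryptUnprotectSecret with decryptor rights opens it


def parse_laps_encrypted_blob(raw: bytes) -> LapsEncryptedBlob:
    """Split the attribute value into header fields and ciphertext, checking that the sizes agree."""
    if len(raw) < HEADER.size:
        raise ValueError(f"blob is {len(raw)} bytes, shorter than the {HEADER.size}-byte header")
    hi, lo, size, flags = HEADER.unpack_from(raw)
    body = raw[HEADER.size:]
    if size != len(body):
        raise ValueError(f"header declares {size} encrypted bytes but {len(body)} follow it")
    filetime = (hi << 32) | lo  # 100 ns ticks since 1601-01-01 UTC
    updated = FILETIME_EPOCH + timedelta(microseconds=filetime // 10)
    return LapsEncryptedBlob(updated, flags, bytes(body))


def build_laps_encrypted_blob(updated: datetime, encrypted: bytes, flags: int = 0) -> bytes:
    """Inverse of the parser; used here only to construct sample data."""
    delta = updated - FILETIME_EPOCH
    filetime = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    return HEADER.pack(filetime >> 32, filetime & 0xFFFFFFFF, len(encrypted), flags) + encrypted


def header_problem(raw: bytes) -> Optional[str]:
    """Return a diagnostic message if the blob will not parse, else None."""
    try:
        parse_laps_encrypted_blob(raw)
        return None
    except ValueError as exc:
        return str(exc)


# Constructed sample: the "ciphertext" is filler bytes, not a real DPAPI-NG buffer.
SAMPLE_CIPHERTEXT = bytes(range(0x10, 0x30))
SAMPLE_BLOB = build_laps_encrypted_blob(datetime(2024, 1, 1, tzinfo=timezone.utc), SAMPLE_CIPHERTEXT)
```

Feeding the raw attribute bytes from a computer object (for example as read with Get-ADComputer -Properties msLAPS-EncryptedPassword) into header_problem tells you whether the value in AD is structurally sound before you spend time on decryptor permissions.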