lithnet / access-manager

Access Manager provides web-based access to local admin (LAPS) passwords, BitLocker recovery keys, and just-in-time administrative access to Windows computers in a modern, secure, and user-friendly way.

Unable to decrypt password with New LAPS #198

Closed SophScuba closed 1 year ago

SophScuba commented 1 year ago

Describe the bug
Access Manager is unable to decrypt passwords encrypted by New LAPS. It can still access unencrypted passwords. I'm not sure if it's a bug or if I missed something when switching from Legacy LAPS to New LAPS.

To Reproduce
Try to obtain the password of any computer where the password has been encrypted by New LAPS (in the GPO: "Enable password encryption" is set to "Enabled"). Access Manager's service account has been added to "Configure authorized password decryptors" in the GPO, so it should have the necessary permissions. If encryption is disabled, then Access Manager can again obtain the password.

Expected behavior
Access Manager should be able to access and decrypt the password.

Access Manager installation

Additional context
The encrypted password can be obtained from New LAPS (either through PowerShell or the GUI).

Logs
The following error appears in access-manager-webapp.log when trying to access the password:

Lithnet.AccessManager.Server.PasswordRetrievalException: Unable to decrypt password ---> System.IO.InvalidDataException: The data was not of the correct size
   at Lithnet.AccessManager.Server.PasswordProviders.MsLapsEncryptedPasswordBlob..ctor(Span`1 rawData) in D:\a\1\s\src\Lithnet.AccessManager\Lithnet.AccessManager.Server\PasswordProviders\MsLapsEncryptedPasswordBlob.cs:line 35
   at Lithnet.AccessManager.Server.PasswordProviders.MsLapsPasswordProviderBase.CreatePasswordItem(Byte[] passwordBytes) in D:\a\1\s\src\Lithnet.AccessManager\Lithnet.AccessManager.Server\PasswordProviders\MsLapsPasswordProviderBase.cs:line 23
   --- End of inner exception stack trace ---
   at Lithnet.AccessManager.Server.PasswordProviders.MsLapsPasswordProviderBase.CreatePasswordItem(Byte[] passwordBytes) in D:\a\1\s\src\Lithnet.AccessManager\Lithnet.AccessManager.Server\PasswordProviders\MsLapsPasswordProviderBase.cs:line 30
   at Lithnet.AccessManager.Server.PasswordProviders.MsLapsAdEncryptedPasswordProvider.GetCurrentPasswordAsync(IComputer computer, Nullable`1 newExpiry) in D:\a\1\s\src\Lithnet.AccessManager\Lithnet.AccessManager.Server\PasswordProviders\MsLapsAdEncryptedPasswordProvider.cs:line 76
   at Lithnet.AccessManager.Server.PasswordProvider.GetCurrentPasswordAsync(IComputer computer, Nullable`1 newExpiry) in D:\a\1\s\src\Lithnet.AccessManager\Lithnet.AccessManager.Server\Providers\PasswordProvider.cs:line 42
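The "data was not of the correct size" exception above is raised while parsing the header of the msLAPS-EncryptedPassword value, before any decryption is attempted. As an added illustration of that failure mode (this is example code, not the Lithnet project's own parser), the Python below reads the 16-byte header that Microsoft documents for the Windows LAPS encrypted-password attribute and checks that the declared ciphertext size matches what actually follows. The field layout used here (four little-endian uint32 values: upper and lower halves of a FILETIME, ciphertext size, flags) is an assumption based on that documentation; the sample blob is constructed inline, and DPAPI-NG decryption itself is deliberately not performed, since that requires NCryptUnprotectSecret on a host that is an authorized decryptor.

```python
import struct
from datetime import datetime, timedelta, timezone

# Assumed header layout: 4 x little-endian uint32 (upper FILETIME, lower FILETIME,
# ciphertext size, flags), followed by the DPAPI-NG ciphertext of the declared size.
HEADER_LEN = 16
HEADER_FMT = "<IIII"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


class LapsBlobError(ValueError):
    """Raised when the blob header does not describe the bytes that follow it."""


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def parse_laps_encrypted_blob(raw: bytes) -> dict:
    """Parse the header of an msLAPS-EncryptedPassword value and validate its size.

    Returns the header fields plus the ciphertext; raises LapsBlobError when the
    blob is shorter than the header or the declared size disagrees with the
    actual payload length (the same class of check behind the exception in the
    bug report).
    """
    if len(raw) < HEADER_LEN:
        raise LapsBlobError(
            f"blob is {len(raw)} bytes; at least {HEADER_LEN} are needed for the header"
        )
    upper, lower, size, flags = struct.unpack_from(HEADER_FMT, raw, 0)
    ciphertext = raw[HEADER_LEN:]
    if len(ciphertext) != size:
        raise LapsBlobError(
            f"header declares {size} ciphertext bytes but {len(ciphertext)} follow"
        )
    return {
        "timestamp": filetime_to_datetime((upper << 32) | lower),
        "flags": flags,
        "size": size,
        "ciphertext": ciphertext,
    }


def build_sample_blob(ciphertext: bytes, filetime: int, flags: int = 0) -> bytes:
    """Construct a blob in the assumed layout; used only to produce test input."""
    header = struct.pack(HEADER_FMT, filetime >> 32, filetime & 0xFFFFFFFF, len(ciphertext), flags)
    return header + ciphertext


def describe_blob(raw: bytes) -> str:
    """Diagnostic summary suitable for a log line; never exposes ciphertext."""
    try:
        info = parse_laps_encrypted_blob(raw)
    except LapsBlobError as exc:
        return f"INVALID: {exc}"
    return f"OK: {info['size']} ciphertext bytes, flags=0x{info['flags']:08x}, set at {info['timestamp'].isoformat()}"


# Constructed sample: FILETIME for 2023-01-01T00:00:00Z is 133170048000000000.
SAMPLE_FILETIME = 133170048000000000
SAMPLE_CIPHERTEXT = bytes(range(32))  # placeholder bytes, not a real DPAPI-NG blob

if __name__ == "__main__":
    good = build_sample_blob(SAMPLE_CIPHERTEXT, SAMPLE_FILETIME)
    print(describe_blob(good))
    print(describe_blob(good[:-1]))       # one byte short of the declared size
    print(describe_blob(good[:10]))       # truncated inside the header
```

Running the script prints one OK line and two INVALID lines; the size mismatch case is the one that corresponds to the stack trace in this report, so a blob that fails this check is worth comparing against what Get-LapsADPassword returns before assuming the decryptor permissions are wrong.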

ryannewington commented 1 year ago

Hi @dmartela

We've just addressed this issue in build 2.0.9420.0

Let me know if this resolves it for you

SophScuba commented 1 year ago

Hello @ryannewington It has indeed fixed the issue, thanks a lot!

ryannewington commented 1 year ago

Awesome. Thanks for confirming!