lithnet / access-manager

Access Manager provides web-based access to local admin (LAPS) passwords, BitLocker recovery keys, and just-in-time administrative access to Windows computers in a modern, secure, and user-friendly way.

Unable to login with certain accounts #222

Closed dbaars closed 10 months ago

dbaars commented 11 months ago

Describe the bug
Unable to login with certain accounts. On the user side (i.e. web login) they just get re-prompted for authentication details (user/pass). In Lithnet Access Manager Service Configuration > Authorization rules > Computers, if I use the "Effective access" button to test the user account, I receive an error.

  - The account is a member of the group given access control to the OU where the computer object is
  - The account is a member of the group under App Configuration / User authentication / Sign-in restrictions
  - The user and computer accounts are in the same directory

To Reproduce
Steps to reproduce the behavior:

Lithnet Access Manager configuration error:

  1. Go to: Lithnet Access Manager Service Configuration > Authorization rules > Computers
  2. Click on: Effective Access
  3. Enter username/computer
  4. Click Evaluate access
  5. See error

In access-manager-service log I see

2023-09-26 12:39:38.2680|TRACE|4612||||Lithnet.AccessManager.Server.Providers.UserSearchResultProvider|Found user key in cache
2023-09-26 12:39:38.2680|TRACE|4612||||Lithnet.AccessManager.Server.Providers.ComputerSearchResultProvider|Found computer key in cache
2023-09-26 12:39:38.2680|TRACE|4612||||Lithnet.AccessManager.Server.Authorization.ComputerTargetProviderAd|Matched NIWA\NIWA-1012909$ to target OU OU=Clients,OU=Computer Accounts,DC=niwa,DC=local
2023-09-26 12:39:38.2680|TRACE|4612||||Lithnet.AccessManager.Server.Authorization.AuthorizationContextProvider|Attempting to create S4U AuthorizationContext against server <localhost> in domain niwa.local for user NIWA\t2baarsd
2023-09-26 12:39:38.2847| WARN|4612||||Lithnet.AccessManager.Server.Authorization.AuthorizationContextProvider|Unable to establish authorization context for user NIWA\t2baarsd against an appropriate target server. The authorization context will be built locally, but information about membership in domain local groups in the target domain may missed

User login:

  1. Browse to the lithnet access manager URL
  2. Prompted for user/pass
  3. User is re-prompted again and again. No error on screen
  4. If the user hits cancel on the login, they receive a 401 Unauthorized error.

In access-manager-ui log file

2023-09-26 12:39:38.3000|ERROR|Lithnet.AccessManager.Server.UI.EffectiveAccessViewModel|Unable to calculate effective permissions
StreamJsonRpc.RemoteInvocationException: AuthzInitializeContextFromSid failed
 ---> Lithnet.Security.Authorization.AuthorizationContextException: AuthzInitializeContextFromSid failed
 ---> System.ComponentModel.Win32Exception (5): Access is denied.
   --- End of inner exception stack trace ---
   at Lithnet.Security.Authorization.AuthorizationContext.InitializeAuthorizationContextFromSid(SafeAuthzResourceManagerHandle authzRm, SecurityIdentifier sid, AuthzInitFlags flags)
   at Lithnet.Security.Authorization.AuthorizationContext..ctor(SecurityIdentifier principal, String server, Boolean allowLocalFallback, AuthzInitFlags flags)
   at Lithnet.Security.Authorization.AuthorizationContext..ctor(SecurityIdentifier principal)
   at Lithnet.AccessManager.Server.Authorization.AuthorizationContextProvider.GetAuthorizationContext(IActiveDirectoryUser user, AuthorizationContextDomainDetails domainDetails, Boolean allowLocalFallback) in D:\a\1\s\src\Lithnet.AccessManager\Lithnet.AccessManager.Server\Authorization\Shared\AuthorizationContextProvider.cs:line 66
   at Lithnet.AccessManager.Server.Authorization.ComputerAuthorizationInformationBuilder.BuildAuthorizationInformationAsync(IActiveDirectoryUser user, IComputer computer, IList`1 matchedComputerTargets) in D:\a\1\s\src\Lithnet.AccessManager\Lithnet.AccessManager.Server\Authorization\Computers\ComputerAuthorizationInformationBuilder.cs:line 109
   at Lithnet.AccessManager.Server.Providers.EffectiveAccessProvider.GetEffectiveAccessAsync(String computerKey, String userKey, IEnumerable`1 targets) in D:\a\1\s\src\Lithnet.AccessManager\Lithnet.AccessManager.Server\Providers\EffectiveAccessProvider.cs:line 43
   --- End of inner exception stack trace ---
   at StreamJsonRpc.JsonRpc.InvokeCoreAsync[TResult](RequestId id, String targetName, IReadOnlyList`1 arguments, IReadOnlyList`1 positionalArgumentDeclaredTypes, IReadOnlyDictionary`2 namedArgumentDeclaredTypes, CancellationToken cancellationToken, Boolean isParameterObject)
   at Lithnet.AccessManager.Server.Rpc.RpcEffectiveAccessProvider.GetEffectiveAccessAsync(String computerKey, String userKey, IEnumerable`1 targets) in D:\a\1\s\src\Lithnet.AccessManager\Lithnet.AccessManager.Rpc.Client\ProviderImplementations\RpcEffectiveAccessProvider.cs:line 28
   at Lithnet.AccessManager.Server.UI.EffectiveAccessViewModel.CalculateEffectiveAccess() in D:\a\1\s\src\Lithnet.AccessManager\Lithnet.AccessManager.Server.UI\ViewModels\WindowContent\EffectiveAccessViewModel.cs:line 172
RPC server exception:
Lithnet.Security.Authorization.AuthorizationContextException: AuthzInitializeContextFromSid failed
 ---> System.ComponentModel.Win32Exception: Access is denied.
   --- End of inner exception stack trace ---
      at Lithnet.Security.Authorization.AuthorizationContext.InitializeAuthorizationContextFromSid(SafeAuthzResourceManagerHandle authzRm, SecurityIdentifier sid, AuthzInitFlags flags)
      at Lithnet.Security.Authorization.AuthorizationContext..ctor(SecurityIdentifier principal, String server, Boolean allowLocalFallback, AuthzInitFlags flags)
      at Lithnet.Security.Authorization.AuthorizationContext..ctor(SecurityIdentifier principal)
      at Lithnet.AccessManager.Server.Authorization.AuthorizationContextProvider.GetAuthorizationContext(IActiveDirectoryUser user, AuthorizationContextDomainDetails domainDetails, Boolean allowLocalFallback) in D:\a\1\s\src\Lithnet.AccessManager\Lithnet.AccessManager.Server\Authorization\Shared\AuthorizationContextProvider.cs:line 66
      at Lithnet.AccessManager.Server.Authorization.ComputerAuthorizationInformationBuilder.BuildAuthorizationInformationAsync(IActiveDirectoryUser user, IComputer computer, IList`1 matchedComputerTargets) in D:\a\1\s\src\Lithnet.AccessManager\Lithnet.AccessManager.Server\Authorization\Computers\ComputerAuthorizationInformationBuilder.cs:line 109
      at Lithnet.AccessManager.Server.Providers.EffectiveAccessProvider.GetEffectiveAccessAsync(String computerKey, String userKey, IEnumerable`1 targets) in D:\a\1\s\src\Lithnet.AccessManager\Lithnet.AccessManager.Server\Providers\EffectiveAccessProvider.cs:line 43

Expected behavior
  - Account can login and view LAPS passwords
  - Effective access check returns a result


Logs
See above

ryannewington commented 11 months ago

@dbaars

Are the users who can log in vs not in different domains?

Have you added the AMS service account to the groups as specified in our install guide?

https://docs.lithnet.io/ams/installation/installing-the-access-manager-server/installing-the-access-manager-service#step-11-configure-active-directory-permissions

dbaars commented 10 months ago

Hi Ryan, thanks for the reply.

Same domain - different OU.

Yes, if you mean the Access Control Assistance Operators and Windows Authorization Access Group.

In the AMS Configuration tool it also has green ticks.

Dylan

ryannewington commented 10 months ago

Thanks for confirming Dylan

This is most likely that the default permissions have been changed on the objects in those OUs. Try adding the AMS service account with permissions to read all user and group objects in the OU that is not working, and see if that resolves the issue.
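A PowerShell check for the two prerequisites Ryan names above: the service account's membership in the two built-in groups, and read access to the user and group objects in the affected OU, flagging any object whose ACL inheritance has been broken. This is an added example, not code from the thread or from Lithnet; it assumes the RSAT ActiveDirectory module, and $ServiceAccount and $OuPath are placeholders to adjust.

```powershell
# Added diagnostic, not part of the thread or of Lithnet Access Manager.
# Assumes the RSAT ActiveDirectory module (provides the AD: drive for Get-Acl).
Import-Module ActiveDirectory

$ServiceAccount = 'svc-ams'                     # placeholder: the AMS service account
$OuPath         = 'OU=Staff,DC=example,DC=com'  # placeholder: OU holding the failing users/groups

$svcSid = (Get-ADUser -Identity $ServiceAccount).SID.Value

# 1. Memberships the install guide requires; without them the S4U context
#    (AuthzInitializeContextFromSid) cannot be built against a DC.
foreach ($group in 'Access Control Assistance Operators', 'Windows Authorization Access Group') {
    $memberSids = @(Get-ADGroupMember -Identity $group -Recursive | ForEach-Object { $_.SID.Value })
    '{0,-40} member: {1}' -f $group, ($memberSids -contains $svcSid)
}

# 2. Users and groups in the OU whose ACL no longer inherits from the OU, or that
#    grant no read right to the service account or to Authenticated Users (S-1-5-11).
$readRights = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
              [System.DirectoryServices.ActiveDirectoryRights]::GenericRead
$readers = @($svcSid, 'S-1-5-11')

function Get-AceSid($ace) {
    # Identities on AD ACLs are usually NTAccount; translate to SID, keep unresolvable ones as-is.
    try { $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { $ace.IdentityReference.Value }
}

Get-ADObject -SearchBase $OuPath -LDAPFilter '(|(objectClass=user)(objectClass=group))' |
  ForEach-Object {
    $acl = Get-Acl -Path ('AD:\' + $_.DistinguishedName)
    $hasRead = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $readRights) -ne 0 -and
        ((Get-AceSid $_) -in $readers)
    }
    if ($acl.AreAccessRulesProtected -or -not $hasRead) {
        [pscustomobject]@{
            Object              = $_.DistinguishedName
            InheritanceDisabled = $acl.AreAccessRulesProtected
            ReadGranted         = [bool]$hasRead
        }
    }
  }
```

Objects listed by step 2 are the ones to inspect (or, as in this thread, re-create) before adding broader permissions to the whole OU.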

dbaars commented 10 months ago

Morning Ryan,

Well, after a lot of testing I tracked it down to 1 group (the "role" group) being in some odd state. I didn't really investigate security permissions on it; once I had narrowed it down to that group I deleted and re-created it, and now everything is working. Thanks for your help!

Dylan