Closed alecorgit closed 7 months ago
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs.
@alecorgit apologies for the delayed response.
Could you reproduce the issue, and then post the contents of the access-manager-webapp.log here. This will give us more information on why the service couldn't obtain the password from the directory.
Hello @ryannewington, I suppose the message is misleading; we solved it by assigning write permissions to the service account by executing the Set-AdmPwdResetPasswordPermission command. The write permission is used by the service account to reset the password after reading it.
The access-manager-webapp.log error was:
||Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddleware|An exception was thrown attempting to execute the error handler. Lithnet.AccessManager.ActiveDirectory.DirectoryException: DsBind failed ---> System.ComponentModel.Win32Exception (5): Access is denied. --- End of inner exception stack trace ---
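The fix described in the comment above amounts to granting the AMS service account both the legacy LAPS read right and the reset (write) right on the target OU. The following is an added example, not code from the issue or from the Lithnet or LAPS projects; the OU distinguished name, the gMSA name and the exact string format of the principals reported by Find-AdmPwdExtendedRights are assumptions. It is meant to be run once per domain whose computers AMS must serve, including the trusted domains where the error appeared.

```powershell
# Added example (not from the issue thread): check the legacy LAPS rights a
# service account holds on an OU and grant the missing ones with the same
# AdmPwd.PS cmdlets the issue mentions.
# Assumptions (placeholders, not taken from the issue): the OU DN and gMSA name.
Import-Module AdmPwd.PS

$ou        = 'OU=Workstations,DC=child,DC=example,DC=com'   # placeholder OU
$principal = 'CHILD\svc-ams$'                               # placeholder gMSA

# Find-AdmPwdExtendedRights reports who may read ms-Mcs-AdmPwd on the OU.
# The comparison assumes holders are reported as DOMAIN\name strings.
$holders = (Find-AdmPwdExtendedRights -Identity $ou).ExtendedRightHolders

if ($holders -contains $principal) {
    Write-Output "$principal can already read LAPS passwords under $ou"
} else {
    Write-Output "Granting LAPS read right under $ou to $principal"
    Set-AdmPwdReadPasswordPermission -OrgUnit $ou -AllowedPrincipals $principal
}

# Resetting a legacy LAPS password after retrieval is a write to the
# expiration-time attribute, which the read right does not cover and
# Find-AdmPwdExtendedRights does not list. Grant it explicitly, scoped to
# this OU only, so the account holds no broader write access than it needs.
Set-AdmPwdResetPasswordPermission -OrgUnit $ou -AllowedPrincipals $principal

# Confirm the read right is now delegated on the OU.
Find-AdmPwdExtendedRights -Identity $ou | Format-List ObjectDN, ExtendedRightHolders
```

After the change, reproduce the retrieval in AMS and confirm that access-manager-webapp.log no longer records the "Access is denied" DsBind failure.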
"The requested computer does not have a local admin password" cross trusted domains
The Lithnet Access Manager Service (AMS) is installed in a child domain, and the service account is a gMSA in the same child domain. Everything works fine in the same child domain: we are able to retrieve the Legacy LAPS password using AMS. In the other domains, both child and root, we are facing the following error: "The requested computer does not have a local admin password".
Using Active Directory Users and Computers we are able to see the ms-Mcs-AdmPwd password.
The AMS rules are configured (as in the working child domain) and the Service Account permissions are configured correctly using Set-AdmPwdReadPasswordPermission, they appear as Delegated using Find-AdmPwdExtendedRights.
The current version is 2.0.9456.0