lithnet / access-manager

Access Manager provides web-based access to local admin (LAPS) passwords, BitLocker recovery keys, and just-in-time administrative access to Windows computers in a modern, secure, and user-friendly way.

[HELP] "The requested computer does not have a local admin password" cross trusted domains #225

Closed alecorgit closed 7 months ago

alecorgit commented 8 months ago

"The requested computer does not have a local admin password" cross trusted domains

The Lithnet Access Manager Service (AMS) is installed in a child domain, the service account is a gMSA in the same child domain. Everything works fine in the same child domain, we are able to retrieve the Legacy LAPS password using AMS. In the other domains, both child and root, we are facing the following error "The requested computer does not have a local admin password":


Using Active Directory Users and Computers we are able to see the ms-Mcs-AdmPwd password.

The AMS rules are configured (as in the working child domain) and the Service Account permissions are configured correctly using Set-AdmPwdReadPasswordPermission, they appear as Delegated using Find-AdmPwdExtendedRights.

The current version is 2.0.9456.0

stale[bot] commented 8 months ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs.

ryannewington commented 7 months ago

@alecorgit apologies for the delayed response.

Could you reproduce the issue, and then post the contents of the access-manager-webapp.log here. This will give us more information on why the service couldn't obtain the password from the directory.

alecorgit commented 7 months ago

Hello @ryannewington, I suppose the message is misleading, we solved it by assigning write permissions to the service account by executing the Set-AdmPwdResetPasswordPermission command. The write permission is used by the service account to reset the password after reading it.

The access-manager-webapp.log error was:

||Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddleware|An exception was thrown attempting to execute the error handler. Lithnet.AccessManager.ActiveDirectory.DirectoryException: DsBind failed ---> System.ComponentModel.Win32Exception (5): Access is denied. --- End of inner exception stack trace ---
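The delegation the reporter ended up with, as an added PowerShell example (not code from the issue or from the Lithnet project): both the Legacy LAPS read and reset permissions are granted to the AMS service account on each computer OU in each trusted domain, and the read delegation is then verified. The gMSA name and the OU distinguished names are placeholders; the Legacy LAPS module (AdmPwd.PS) is assumed to be installed where the script runs.

```powershell
# Added example, not part of the original issue. Grants the AMS service account
# the two Legacy LAPS permissions that the reporter found were required:
#  - read  (ms-Mcs-AdmPwd)               via Set-AdmPwdReadPasswordPermission
#  - reset (ms-Mcs-AdmPwdExpirationTime) via Set-AdmPwdResetPasswordPermission
Import-Module AdmPwd.PS

# Placeholders: the gMSA that runs AMS, and the OUs holding the computers.
# Cross-domain delegation works the same way; the OU just lives in another domain.
$serviceAccount = 'CHILD\svc-ams$'
$targetOUs = @(
    'OU=Workstations,DC=child,DC=corp,DC=example',   # child domain (working one)
    'OU=Workstations,DC=corp,DC=example',            # forest root domain
    'OU=Workstations,DC=other,DC=corp,DC=example'    # another trusted child domain
)

foreach ($ou in $targetOUs) {
    # Read: lets AMS retrieve the password attribute.
    Set-AdmPwdReadPasswordPermission -Identity $ou -AllowedPrincipals $serviceAccount

    # Reset: write access to the expiration-time attribute. In this issue the
    # "does not have a local admin password" message went away only after this
    # permission was added, so grant both to the service account alone.
    Set-AdmPwdResetPasswordPermission -Identity $ou -AllowedPrincipals $serviceAccount
}

# Verification of the read delegation. Find-AdmPwdExtendedRights reports the
# holders of the extended right on each OU (this is what the reporter checked);
# the reset permission is a plain write-property ACE and is not listed here.
foreach ($ou in $targetOUs) {
    $rights = Find-AdmPwdExtendedRights -Identity $ou
    $delegated = $rights |
        Where-Object { $_.ExtendedRightHolders -contains $serviceAccount }
    if ($delegated) {
        Write-Host "OK      $ou : read delegated to $serviceAccount"
    } else {
        Write-Warning "MISSING $ou : $serviceAccount not found in ExtendedRightHolders"
    }
}
```

Run this from a host that can reach a domain controller in each target domain; for OUs in another domain the AdmPwd.PS cmdlets resolve the DN through the trust, so the account running the script needs the right to modify the OU ACLs there.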

stale[bot] commented 7 months ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs.