lithnet / access-manager

Access Manager provides web-based access to local admin (LAPS) passwords, BitLocker recovery keys, and just-in-time administrative access to Windows computers in a modern, secure, and user-friendly way.

[HELP] RapidLAPS & Entra & Agent - Trouble getting things working #240

Closed Algent closed 1 month ago

Algent commented 1 month ago

Having just upgraded to v3 (3.0.1218.0), I was interested to try out RapidLAPS and followed the procedure, but I'm running into issues that I'm not sure are bugs or just me doing something wrong.

Our computers are AD joined using Intune. I have an Entra App set up both for auth to AMS and to grab LAPS passwords from Entra.

When installing the agent on my machine I chose "Entra authentication", then it showed up in the devices list, but with a bunch of empty fields.

It seems to fail to retrieve policy; in the agent log I get: "Lithnet.AccessManager.Agent.ApiException: The API call failed with HTTP status InternalServerError:Internal Server Error. The API returned error code 'internal-error': An internal error occurred and the request could not be processed"

And in the access-manager-api.log:

Lithnet.AccessManager.Api.Providers.CheckInDataValidator|The check in data contained a domain controller name, but the device is not an Active Directory device
Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddleware|An unhandled exception has occurred while executing the request. System.DirectoryServices.ActiveDirectory.ActiveDirectoryObjectNotFoundException: The specified domain does not exist or cannot be contacted. b63ae....Censored Entra tenant ID

I'm a bit clueless about what I could be doing wrong.

I also tried to set up the agent in AD auth mode, and this almost seems to work, except when I get to the RapidLAPS auth popup to elevate I get an error and a "Could not find a device with credentials for the certificate issued to ..." in the log. Possibly because the LAPS password is in Entra? I'm not sure.

Thanks

ryannewington commented 1 month ago

Hi @Algent,

The first issue looks like it could be a bug related to the fact it's a hybrid joined device, but I need the full API log to be able to see exactly what happened here. Are you able to share that? At a minimum I need the full stack trace for the ActiveDirectoryObjectNotFoundException.

The second issue is just because the agent is reusing its old certificate from when it was in Entra join mode, but the server no longer knows about the object. Use the command line to reset the agent, and set it up again using AD auth.

"%ProgramFiles%\Lithnet\Access Manager Agent\Lithnet.AccessManager.Agent.exe" --reset
"%ProgramFiles%\Lithnet\Access Manager Agent\Lithnet.AccessManager.Agent.exe" --setup

Algent commented 1 month ago

Hi, here is the trace.

2024-09-09 15:52:30.2170| WARN|5612|00-9291525e5a44f66ca312ef9366524683-9489bafc1a65d006-00|10.11.50.X|LithnetAccessManagerAgent/3.0.1210.0|Lithnet.AccessManager.Api.Providers.CheckInDataValidator|The check in data contained a domain controller name, but the device is not an Active Directory device
2024-09-09 15:52:30.4105|ERROR|5612|00-9291525e5a44f66ca312ef9366524683-9489bafc1a65d006-00|10.11.50.X|LithnetAccessManagerAgent/3.0.1210.0|Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddleware|An unhandled exception has occurred while executing the request.
System.DirectoryServices.ActiveDirectory.ActiveDirectoryObjectNotFoundException: The specified domain does not exist or cannot be contacted. b63ae120-c7f3-48cc-ab6c-e20f39bf3773
   at System.DirectoryServices.ActiveDirectory.Domain.GetDomain(DirectoryContext context)
   at Lithnet.AccessManager.ActiveDirectory.DiscoveryServices.GetDcsForDomain(String domainDns)+MoveNext() in D:\a\1\s\src\Lithnet.AccessManager\Lithnet.AccessManager.ActiveDirectory\Providers\DiscoveryServices.cs:line 775
   at System.Linq.Enumerable.Contains[TSource](IEnumerable`1 source, TSource value, IEqualityComparer`1 comparer)
   at Lithnet.AccessManager.Api.Providers.CheckInDataValidator.ValidateCheckInData(AgentCheckIn data, IDevice device) in D:\a\1\s\src\Lithnet.AccessManager\Lithnet.AccessManager.Api\Providers\CheckInDataValidator.cs:line 61
   at Lithnet.AccessManager.Api.Controllers.AgentCheckInController.UpdateAgentDataAsync(AgentCheckIn data) in D:\a\1\s\src\Lithnet.AccessManager\Lithnet.AccessManager.Api\Controllers\AgentCheckInController.cs:line 51
   at Microsoft.AspNetCore.Mvc.Infrastructure.ActionMethodExecutor.TaskOfIActionResultExecutor.Execute(ActionContext actionContext, IActionResultTypeMapper mapper, ObjectMethodExecutor executor, Object controller, Object[] arguments)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeActionMethodAsync>g__Awaited|12_0(ControllerActionInvoker invoker, ValueTask`1 actionResultValueTask)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeNextActionFilterAsync>g__Awaited|10_0(ControllerActionInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Rethrow(ActionExecutedContextSealed context)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeInnerFilterAsync>g__Awaited|13_0(ControllerActionInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeFilterPipelineAsync>g__Awaited|20_0(ResourceInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeAsync>g__Awaited|17_0(ResourceInvoker invoker, Task task, IDisposable scope)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeAsync>g__Awaited|17_0(ResourceInvoker invoker, Task task, IDisposable scope)
   at Microsoft.AspNetCore.Authorization.AuthorizationMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddlewareImpl.<Invoke>g__Awaited|10_0(ExceptionHandlerMiddlewareImpl middleware, HttpContext context, Task task)
2024-09-09 15:52:30.4105|ERROR|5612|00-9291525e5a44f66ca312ef9366524683-9489bafc1a65d006-00|10.11.50.X|LithnetAccessManagerAgent/3.0.1210.0|Lithnet.AccessManager.Api.ApiExceptionHandler|The request could not be processed
System.DirectoryServices.ActiveDirectory.ActiveDirectoryObjectNotFoundException: The specified domain does not exist or cannot be contacted. b63ae120-c7f3-48cc-ab6c-e20f39bf3773
   at System.DirectoryServices.ActiveDirectory.Domain.GetDomain(DirectoryContext context)
   at Lithnet.AccessManager.ActiveDirectory.DiscoveryServices.GetDcsForDomain(String domainDns)+MoveNext() in D:\a\1\s\src\Lithnet.AccessManager\Lithnet.AccessManager.ActiveDirectory\Providers\DiscoveryServices.cs:line 775
   at System.Linq.Enumerable.Contains[TSource](IEnumerable`1 source, TSource value, IEqualityComparer`1 comparer)
   at Lithnet.AccessManager.Api.Providers.CheckInDataValidator.ValidateCheckInData(AgentCheckIn data, IDevice device) in D:\a\1\s\src\Lithnet.AccessManager\Lithnet.AccessManager.Api\Providers\CheckInDataValidator.cs:line 61
   at Lithnet.AccessManager.Api.Controllers.AgentCheckInController.UpdateAgentDataAsync(AgentCheckIn data) in D:\a\1\s\src\Lithnet.AccessManager\Lithnet.AccessManager.Api\Controllers\AgentCheckInController.cs:line 51
   at Microsoft.AspNetCore.Mvc.Infrastructure.ActionMethodExecutor.TaskOfIActionResultExecutor.Execute(ActionContext actionContext, IActionResultTypeMapper mapper, ObjectMethodExecutor executor, Object controller, Object[] arguments)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeActionMethodAsync>g__Awaited|12_0(ControllerActionInvoker invoker, ValueTask`1 actionResultValueTask)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeNextActionFilterAsync>g__Awaited|10_0(ControllerActionInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Rethrow(ActionExecutedContextSealed context)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeInnerFilterAsync>g__Awaited|13_0(ControllerActionInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeFilterPipelineAsync>g__Awaited|20_0(ResourceInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeAsync>g__Awaited|17_0(ResourceInvoker invoker, Task task, IDisposable scope)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeAsync>g__Awaited|17_0(ResourceInvoker invoker, Task task, IDisposable scope)
   at Microsoft.AspNetCore.Authorization.AuthorizationMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddlewareImpl.<Invoke>g__Awaited|10_0(ExceptionHandlerMiddlewareImpl middleware, HttpContext context, Task task)

As for the other error I just did reset and setup. Thanks, it's way faster than uninstalling. It still fails to give a code and ends with a "rapidlaps is unavailable" if I try to elevate. Sorry, I think I may have given the wrong error when writing this, because I think I saw it yesterday:

2024-09-10 09:30:32.1565|TRACE|5612|00-75f73865656ce6df3ad10e0555b5cabb-c2652f63b6d75b0a-00|192.168.x.x|LithnetAccessManagerAgent/3.0.1210.0|Lithnet.AccessManager.Server.PasswordProvider|'AMS database password provider' has not password for the computer XXXXX-DI3T3EC; proceeding to next provider.
2024-09-10 09:30:32.2066|ERROR|5612|00-75f73865656ce6df3ad10e0555b5cabb-c2652f63b6d75b0a-00|192.168.x.x|LithnetAccessManagerAgent/3.0.1210.0|Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddleware|An unhandled exception has occurred while executing the request.
Lithnet.AccessManager.Api.Shared.DeviceLoginUnavailableException: The device login cannot be performed as a managed password for the device was not found
 ---> Lithnet.AccessManager.NoPasswordException: Exception of type 'Lithnet.AccessManager.NoPasswordException' was thrown.
   at Lithnet.AccessManager.Server.PasswordProvider.GetCurrentPasswordAsync(IComputer computer, Nullable`1 newExpiry) in D:\a\1\s\src\Lithnet.AccessManager\Lithnet.AccessManager.Server\Providers\PasswordProvider.cs:line 81
   at Lithnet.AccessManager.Server.DeviceLoginRequestProvider.GetCurrentPasswordUsernameAsync(IDevice device) in D:\a\1\s\src\Lithnet.AccessManager\Lithnet.AccessManager.Server\Providers\DeviceLoginRequestProvider.cs:line 37
   --- End of inner exception stack trace ---
   at Lithnet.AccessManager.Server.DeviceLoginRequestProvider.GetCurrentPasswordUsernameAsync(IDevice device) in D:\a\1\s\src\Lithnet.AccessManager\Lithnet.AccessManager.Server\Providers\DeviceLoginRequestProvider.cs:line 42
   at Lithnet.AccessManager.Server.DeviceLoginRequestProvider.CreateLoginRequestAsync(IDevice device, SessionKey sessionKey, LoginRequestType type, String accountName, String requestData, String promptResponseData) in D:\a\1\s\src\Lithnet.AccessManager\Lithnet.AccessManager.Server\Providers\DeviceLoginRequestProvider.cs:line 52
   at Lithnet.AccessManager.Api.Controllers.AgentDeviceLoginController.RequestDeviceLoginAsync(DeviceLoginRequest data) in D:\a\1\s\src\Lithnet.AccessManager\Lithnet.AccessManager.Api\Controllers\AgentDeviceLoginController.cs:line 68
   at Microsoft.AspNetCore.Mvc.Infrastructure.ActionMethodExecutor.TaskOfIActionResultExecutor.Execute(ActionContext actionContext, IActionResultTypeMapper mapper, ObjectMethodExecutor executor, Object controller, Object[] arguments)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeActionMethodAsync>g__Awaited|12_0(ControllerActionInvoker invoker, ValueTask`1 actionResultValueTask)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeNextActionFilterAsync>g__Awaited|10_0(ControllerActionInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Rethrow(ActionExecutedContextSealed context)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeInnerFilterAsync>g__Awaited|13_0(ControllerActionInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeFilterPipelineAsync>g__Awaited|20_0(ResourceInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeAsync>g__Awaited|17_0(ResourceInvoker invoker, Task task, IDisposable scope)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeAsync>g__Awaited|17_0(ResourceInvoker invoker, Task task, IDisposable scope)
   at Microsoft.AspNetCore.Authorization.AuthorizationMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddlewareImpl.<Invoke>g__Awaited|10_0(ExceptionHandlerMiddlewareImpl middleware, HttpContext context, Task task)
2024-09-10 09:30:32.2066|ERROR|5612|00-75f73865656ce6df3ad10e0555b5cabb-c2652f63b6d75b0a-00|192.168.x.x|LithnetAccessManagerAgent/3.0.1210.0|Lithnet.AccessManager.Api.ApiExceptionHandler|The device login cannot be performed as a managed password for the device was not found
Lithnet.AccessManager.Api.Shared.DeviceLoginUnavailableException: The device login cannot be performed as a managed password for the device was not found
 ---> Lithnet.AccessManager.NoPasswordException: Exception of type 'Lithnet.AccessManager.NoPasswordException' was thrown.
   at Lithnet.AccessManager.Server.PasswordProvider.GetCurrentPasswordAsync(IComputer computer, Nullable`1 newExpiry) in D:\a\1\s\src\Lithnet.AccessManager\Lithnet.AccessManager.Server\Providers\PasswordProvider.cs:line 81
   at Lithnet.AccessManager.Server.DeviceLoginRequestProvider.GetCurrentPasswordUsernameAsync(IDevice device) in D:\a\1\s\src\Lithnet.AccessManager\Lithnet.AccessManager.Server\Providers\DeviceLoginRequestProvider.cs:line 37
   --- End of inner exception stack trace ---
   at Lithnet.AccessManager.Server.DeviceLoginRequestProvider.GetCurrentPasswordUsernameAsync(IDevice device) in D:\a\1\s\src\Lithnet.AccessManager\Lithnet.AccessManager.Server\Providers\DeviceLoginRequestProvider.cs:line 42
   at Lithnet.AccessManager.Server.DeviceLoginRequestProvider.CreateLoginRequestAsync(IDevice device, SessionKey sessionKey, LoginRequestType type, String accountName, String requestData, String promptResponseData) in D:\a\1\s\src\Lithnet.AccessManager\Lithnet.AccessManager.Server\Providers\DeviceLoginRequestProvider.cs:line 52
   at Lithnet.AccessManager.Api.Controllers.AgentDeviceLoginController.RequestDeviceLoginAsync(DeviceLoginRequest data) in D:\a\1\s\src\Lithnet.AccessManager\Lithnet.AccessManager.Api\Controllers\AgentDeviceLoginController.cs:line 68
   at Microsoft.AspNetCore.Mvc.Infrastructure.ActionMethodExecutor.TaskOfIActionResultExecutor.Execute(ActionContext actionContext, IActionResultTypeMapper mapper, ObjectMethodExecutor executor, Object controller, Object[] arguments)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeActionMethodAsync>g__Awaited|12_0(ControllerActionInvoker invoker, ValueTask`1 actionResultValueTask)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeNextActionFilterAsync>g__Awaited|10_0(ControllerActionInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Rethrow(ActionExecutedContextSealed context)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeInnerFilterAsync>g__Awaited|13_0(ControllerActionInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeFilterPipelineAsync>g__Awaited|20_0(ResourceInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeAsync>g__Awaited|17_0(ResourceInvoker invoker, Task task, IDisposable scope)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeAsync>g__Awaited|17_0(ResourceInvoker invoker, Task task, IDisposable scope)
   at Microsoft.AspNetCore.Authorization.AuthorizationMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddlewareImpl.<Invoke>g__Awaited|10_0(ExceptionHandlerMiddlewareImpl middleware, HttpContext context, Task task)
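The two API log excerpts above share one layout: a pipe-delimited header line (timestamp, level, process id, W3C trace id, client address, user agent, logger, message) followed by un-prefixed exception and stack-trace lines that belong to that header. As an added example (not code from this issue or from the Lithnet project), the following Python script parses that layout, groups lines by the trace id field so a request's warning and its exception stay together, and flags the two failure patterns seen in this thread: the check-in validator rejecting a domain controller name for a non-AD device followed by ActiveDirectoryObjectNotFoundException, and a device login failing with NoPasswordException. The sample log is constructed from abbreviated lines of the traces above with stack frames trimmed; the field names and the finding codes are my own assumptions, not AMS terminology.

```python
import re
from collections import defaultdict

# Constructed sample: abbreviated lines from the access-manager-api.log excerpts in this thread.
SAMPLE_LOG = """\
2024-09-09 15:52:30.2170| WARN|5612|00-9291525e5a44f66ca312ef9366524683-9489bafc1a65d006-00|10.11.50.X|LithnetAccessManagerAgent/3.0.1210.0|Lithnet.AccessManager.Api.Providers.CheckInDataValidator|The check in data contained a domain controller name, but the device is not an Active Directory device
2024-09-09 15:52:30.4105|ERROR|5612|00-9291525e5a44f66ca312ef9366524683-9489bafc1a65d006-00|10.11.50.X|LithnetAccessManagerAgent/3.0.1210.0|Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddleware|An unhandled exception has occurred while executing the request.
System.DirectoryServices.ActiveDirectory.ActiveDirectoryObjectNotFoundException: The specified domain does not exist or cannot be contacted. b63ae120-c7f3-48cc-ab6c-e20f39bf3773
   at System.DirectoryServices.ActiveDirectory.Domain.GetDomain(DirectoryContext context)
   at Lithnet.AccessManager.Api.Providers.CheckInDataValidator.ValidateCheckInData(AgentCheckIn data, IDevice device)
2024-09-10 09:30:32.1565|TRACE|5612|00-75f73865656ce6df3ad10e0555b5cabb-c2652f63b6d75b0a-00|192.168.x.x|LithnetAccessManagerAgent/3.0.1210.0|Lithnet.AccessManager.Server.PasswordProvider|'AMS database password provider' has not password for the computer XXXXX-DI3T3EC; proceeding to next provider.
2024-09-10 09:30:32.2066|ERROR|5612|00-75f73865656ce6df3ad10e0555b5cabb-c2652f63b6d75b0a-00|192.168.x.x|LithnetAccessManagerAgent/3.0.1210.0|Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddleware|An unhandled exception has occurred while executing the request.
Lithnet.AccessManager.Api.Shared.DeviceLoginUnavailableException: The device login cannot be performed as a managed password for the device was not found
 ---> Lithnet.AccessManager.NoPasswordException: Exception of type 'Lithnet.AccessManager.NoPasswordException' was thrown.
   at Lithnet.AccessManager.Server.PasswordProvider.GetCurrentPasswordAsync(IComputer computer, Nullable`1 newExpiry)
   --- End of inner exception stack trace ---
"""

# Header line: timestamp|level|pid|trace|client|agent|logger|message (level may be space-padded).
HEADER_RE = re.compile(
    r"^(?P<time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\|"
    r"\s*(?P<level>[A-Z]+)\s*\|(?P<pid>\d+)\|(?P<trace>[^|]*)\|(?P<client>[^|]*)\|"
    r"(?P<agent>[^|]*)\|(?P<logger>[^|]*)\|(?P<message>.*)$"
)
# Exception line: optional '---> ' inner-exception marker, then a .NET type name ending in Exception.
EXCEPTION_RE = re.compile(r"^\s*(?:---> )?(?P<type>[A-Za-z0-9_.]+Exception): (?P<detail>.*)$")

# Assumed finding codes (not AMS terminology) with a one-line explanation for the report.
FINDING_TEXT = {
    "hybrid-join-checkin": "check-in carried a DC name for a device AMS treats as non-AD, then AD lookup failed "
                           "(the hybrid-joined device bug discussed in this thread)",
    "no-managed-password": "no password provider returned a managed password, so the device login was refused",
}


def parse_log(text):
    """Split the log into entries; continuation lines (exceptions, frames) attach to the last header."""
    entries = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["exceptions"] = []  # outer exception first, then inner ones (---> lines)
            entry["detail"] = []      # raw continuation lines, kept for the report
            entries.append(entry)
            continue
        if not entries:
            continue  # continuation text before any header: nothing to attach it to
        current = entries[-1]
        current["detail"].append(line)
        e = EXCEPTION_RE.match(line)
        if e:
            current["exceptions"].append(e.group("type"))
    return entries


def group_by_trace(entries):
    """Correlate entries of one HTTP request via the W3C trace id in the header."""
    groups = defaultdict(list)
    for entry in entries:
        groups[entry["trace"]].append(entry)
    return dict(groups)


def diagnose(entries):
    """Return {trace_id: [finding codes]} for requests matching the patterns from this thread."""
    findings = {}
    for trace, group in group_by_trace(entries).items():
        notes = []
        exc_types = [t for e in group for t in e["exceptions"]]
        checkin_warn = any(
            e["level"] == "WARN"
            and e["logger"].endswith("CheckInDataValidator")
            and "not an Active Directory device" in e["message"]
            for e in group
        )
        if checkin_warn and any(t.endswith("ActiveDirectoryObjectNotFoundException") for t in exc_types):
            notes.append("hybrid-join-checkin")
        if any(t.endswith("NoPasswordException") for t in exc_types):
            notes.append("no-managed-password")
        if notes:
            findings[trace] = notes
    return findings


def report(entries):
    """Human-readable summary: one line per flagged request, with client, agent version and findings."""
    lines = []
    groups = group_by_trace(entries)
    for trace, codes in diagnose(entries).items():
        first = groups[trace][0]
        lines.append(f"{first['time']} {first['client']} {first['agent']} trace={trace}")
        for code in codes:
            lines.append(f"    {code}: {FINDING_TEXT[code]}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(parse_log(SAMPLE_LOG)))
```

Run it against a real access-manager-api.log by replacing SAMPLE_LOG with the file contents; because grouping is by trace id rather than by adjacency, the warning and the exception of one request are matched even when other requests are interleaved between them.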

ryannewington commented 1 month ago

@Algent that's perfect. Thanks.

We have a fix in the works and will provide an updated download in the next day or two.

I'm glad the reset was helpful. I should have realised, however, that AMS won't check AzureAD for a password for a client that is AD registered. So we'll have to wait for this fix to get you up and running on a hybrid device (or you can modify Windows LAPS to store the password in AD, instead of AAD).

Algent commented 1 month ago

Awesome, thanks a lot.

I had a guess it was an AD vs AAD issue for the other method, yeah. We recently switched to Intune to better automate the setup of new machines and I'm not fond of how it does LAPS. In AMS every Intune enrolled machine shows up 3 times (one from AD, two from AAD, probably because we do something wrong during enrollment), so it would be pretty difficult for the software to figure out where to look.

ryannewington commented 1 month ago

Hi @Algent

We've got a fix for this issue in v3.0.1227 available here: https://packages.lithnet.io/win/access-manager-service/v3.0/x64/latest

You'll need to reset the agent again and switch over to AAD authentication.

Please let me know if this resolves the issue for you.

You should only see a single device when you have a hybrid joined device and AMS can see both the AD and AAD. If you have two devices in AAD, then yeah, something on the AAD side isn't right there.

Ryan

Algent commented 1 month ago

Hi,

I just installed the fix and after resetting it, it worked perfectly, thanks a lot for your help. I think you can consider this issue resolved.

Just to answer you on the seeing several devices thing, here is how it looks for my machine (censored domain and name, but it's 3 times the same thing):

The first one is the AAD entity, the 2nd one is the hybrid one from the AD, I guess. And the 3rd is a leftover from the first Intune enrollment, which for some reason duplicated it and left a stale entity. Anyway, this isn't really an issue for us, we just know to go for the most recent AAD entry.

Thanks again for everything.