lithnet / ad-password-protection

Active Directory password filter featuring breached password checking and custom complexity rules
MIT License

Test-IsADUserPasswordCompromised: Getting error "The output char buffer is too small to contain the decoded characters" for some user accounts #75

Closed sphr2k closed 2 years ago

sphr2k commented 2 years ago

Thanks for providing this great piece of software :)

I noticed a bug in the Test-IsADUserPasswordCompromised cmdlet. For some user accounts (not sure what's different about them), Test-IsADUserPasswordCompromised does not work.

Full error message below.

System.ArgumentException: The output char buffer is too small to contain the decoded characters, encoding 'Unicode (UTF-8)' fallback 'System.Text.DecoderReplacementFallback'.
Parameter name: chars
   at System.Text.Encoding.ThrowCharsOverflow()
   at System.Text.Encoding.ThrowCharsOverflow(DecoderNLS decoder, Boolean nothingDecoded)
   at System.Text.UTF8Encoding.GetChars(Byte* bytes, Int32 byteCount, Char* chars, Int32 charCount, DecoderNLS baseDecoder)
   at System.Text.DecoderNLS.GetChars(Byte[] bytes, Int32 byteIndex, Int32 byteCount, Char[] chars, Int32 charIndex, Boolean flush)
   at System.Text.DecoderNLS.GetChars(Byte[] bytes, Int32 byteIndex, Int32 byteCount, Char[] chars, Int32 charIndex)
   at System.IO.BinaryReader.InternalReadOneChar()
   at System.IO.BinaryReader.PeekChar()
   at DSInternals.Common.Data.KeyCredential..ctor(Byte[] blob)
   at DSInternals.Common.Data.DSAccount.LoadKeyCredentials(DirectoryObject dsObject)
   at DSInternals.Common.Data.DSAccount..ctor(DirectoryObject dsObject, DirectorySecretDecryptor pek)
   at DSInternals.Replication.DirectoryReplicationClient.GetAccount(Guid objectGuid)
   at Lithnet.ActiveDirectory.PasswordProtection.PowerShell.TestIsADUserPasswordCompromised.ProcessRecord() in D:\dev\git\lithnet\ad-password-protection\src\PasswordProtectionPS\TestIsADUserPasswordCompromised.cs:line 55

stale[bot] commented 2 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs.

ryannewington commented 2 years ago

Apologies for the delay in getting back to you.

This looks like a bug in the DSInternals module. Can you use the latest DSInternals PowerShell module on an account that isn't working to see if the issue is present in the current version? If it is, we will need to log the issue over there. The command to run is as follows:

https://github.com/MichaelGrafnetter/DSInternals/blob/master/Documentation/PowerShell/Get-ADReplAccount.md

sphr2k commented 2 years ago

Thanks for your feedback. Coincidentally, my own account is affected. However, Get-ADReplAccount from DSInternals 4.4.1 works fine for my account.

ryannewington commented 2 years ago

OK, I'll try making a new build with the latest DSInternals library embedded - it seems like the issue must have been resolved.

ryannewington commented 2 years ago

Try this build: Lithnet.ActiveDirectory.PasswordProtection.msi.zip

ryannewington commented 2 years ago

@sphr2k Just checking in to see if the build provided resolved the issue in your environment?

sphr2k commented 2 years ago

@ryannewington Sorry for the delay. I installed the new build from your previous post. Something seems to be wrong with the embedded DSInternals in this version:

Test-IsADUserPasswordCompromised : Could not load file or assembly 'DSInternals.Replication, Version=3.2.0.0,
Culture=neutral, PublicKeyToken=af7e77ba04a3c166' or one of its dependencies. The system cannot find the file
specified.
At line:1 char:1
+ Test-IsADUserPasswordCompromised -AccountName Test
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Test-IsADUserPasswordCompromised], FileNotFoundException
    + FullyQualifiedErrorId : System.IO.FileNotFoundException,Lithnet.ActiveDirectory.PasswordProtection.PowerShell.Te
   stIsADUserPasswordCompromised

ryannewington commented 2 years ago

@sphr2k I can't seem to replicate this issue, no matter what I try. One thing I did just notice is that the DSInternals version (3.2.0.0) is the old version. I'm wondering if the module hasn't installed properly. Or perhaps a PowerShell session was open when the installer ran and is hanging onto old files.

Can you uninstall, reboot, and reinstall and see if that fixes things?
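
An added diagnostic, not part of the original thread or the project's code: it compares the DSInternals assembly versions that the cmdlet's assembly was compiled against with the DLLs actually present beside it, which is the mismatch suspected above. It assumes the DSInternals DLLs are deployed in the same directory as the assembly that implements Test-IsADUserPasswordCompromised.

```powershell
# Added diagnostic example (not from the thread or the Lithnet project).
# Assumption: the DSInternals DLLs are deployed in the same directory as the
# assembly that implements Test-IsADUserPasswordCompromised.

# Resolving the command by exact name also imports its module.
$cmd = Get-Command -Name Test-IsADUserPasswordCompromised -CommandType Cmdlet -ErrorAction Stop
$cmdletAssembly = $cmd.ImplementingType.Assembly
$moduleDir = Split-Path -Parent $cmdletAssembly.Location

# DSInternals assemblies the cmdlet assembly was compiled against.
$references = $cmdletAssembly.GetReferencedAssemblies() |
    Where-Object { $_.Name -like 'DSInternals*' }

$report = foreach ($ref in $references) {
    $dllPath = Join-Path $moduleDir ($ref.Name + '.dll')

    # Read the version from file metadata without loading the assembly.
    $onDisk = $null
    if (Test-Path -LiteralPath $dllPath) {
        $onDisk = [System.Reflection.AssemblyName]::GetAssemblyName($dllPath).Version
    }

    # Version already loaded into this session, if any (a long-running
    # session keeps whatever it loaded before a reinstall).
    $loaded = [AppDomain]::CurrentDomain.GetAssemblies() |
        Where-Object { $_.GetName().Name -eq $ref.Name } |
        ForEach-Object { $_.GetName().Version } |
        Select-Object -First 1

    [pscustomobject]@{
        Assembly   = $ref.Name
        Referenced = $ref.Version
        OnDisk     = $onDisk
        Loaded     = $loaded
        Consistent = ($null -ne $onDisk) -and ($onDisk -eq $ref.Version)
    }
}

$report | Format-Table -AutoSize
```

A row where Consistent is False, or where Loaded differs from OnDisk, indicates a partial install or a session still holding the previous files.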

sphr2k commented 2 years ago

@ryannewington Sorry for the trouble - you're right, something must have prevented the DSInternals module update. After running a repair install, everything is working as it should. Thanks a lot!

ryannewington commented 2 years ago

Thanks for confirming. I've published the build containing this fix.

https://github.com/lithnet/ad-password-protection/releases/tag/v1.0.7239