Closed mwassell closed 7 years ago
Urgh. The dreaded and significantly unhelpful 'operations error'.
Just to confirm the scenario, this occurs when user A tries to reset any user's password while using the tool from a remote machine? However, it works when user A is running this from the FIM portal server itself? User A has this problem when trying to reset any user password?
Do you have the ability to run a wireshark capture on the fim portal server to capture the LDAP conversation?
Hey Ryan, yes, you are correct and that is the symptom that I am seeing. The behavior seems super weird from a functional perspective in my opinion. I had a thought that it might be related to LSA restrictions, but I haven't been able to isolate a cause.
I'm happy to provide more info. I'll submit a reply tomorrow with the relevant info from the pcap, or I can email it to you directly if you'd like to have a look.
I also enabled Kerberos logging on the host and I wasn't able to see anything relevant. I'll dig in deeper on it tomorrow.
Thanks again! :)
Seems to be a Kerberos related issue...
Kerberos
Record Mark: 131 bytes
krb-error
pvno: 5
msg-type: krb-error (30)
stime: 2017-09-22 15:42:25 (UTC)
susec: 806132
error-code: eRR-BADOPTION (13)
realm: [domain]
sname
name-type: kRB5-NT-SRV-INST (2)
sname-string: 2 items
SNameString: ldap
SNameString: [dc hostname]
e-data: 3015a103020103a20e040c720200c00000000003000000
PA-PW-SALT
padata-type: kRB5-PADATA-PW-SALT (3)
padata-value: 720200c00000000003000000
NT Status: STATUS_NO_MATCH (0xc0000272)
Unknown: 0x00000000
Unknown: 0x00000003
I see that error returned even if Unconstrained delegation is enabled though. Hmm...
The fact that it works on the local box could mean it is falling back to NTLM. Are the SPNs on your DCs correct in that they have both LDAP/shortname and LDAP/fqdn variants?
Thanks Ryan. Yes, I double checked and made sure that the SPNs registered on the DCs are correct.
Another interesting piece to the puzzle, I noticed that Kerberos is actually succeeding during the password change operation on the local host. It is not falling back to NTLM, but that was a great suggestion.
Here is the TGS-REQ packet from the attempt while connected to the local machine:
Kerberos
Record Mark: 1912 bytes
tgs-req
pvno: 5
msg-type: krb-tgs-req (12)
padata: 2 items
req-body
Padding: 0
kdc-options: 40810000 (forwardable, renewable, canonicalize)
realm: [domain]
sname
name-type: kRB5-NT-SRV-INST (2)
sname-string: 2 items
SNameString: ldap
SNameString: [dc hostname]
till: 2037-09-13 02:48:05 (UTC)
nonce: 1357190953
etype: 5 items
enc-authorization-data
And here is the reply:
Kerberos
Record Mark: 2093 bytes
tgs-rep
pvno: 5
msg-type: krb-tgs-rep (13)
crealm: [domain]
cname
name-type: kRB5-NT-PRINCIPAL (1)
cname-string: 1 item
CNameString: [username]
ticket
tkt-vno: 5
realm: [domain]
sname
name-type: kRB5-NT-SRV-INST (2)
sname-string: 2 items
SNameString: ldap
SNameString: [dc hostname]
enc-part
enc-part
The remaining Kerberos ticket exchanges and KPASSWD packets follow this.
It's also worth mentioning that the same behavior is occurring from multiple client PCs and all Kerberos traffic appears to be working fine otherwise.
Very curious...
Got it. This was related to a combination of Kerberos and application configuration issues.
Please delete or mark this resolved when you can Ryan.
Thanks for your help again!
@mwassell glad you got it resolved!
Hi Ryan, I believe that I'm running into a similar issue to the other issue described by the previous poster.
For reference, here is the trace output:
[11060] Loaded page as [removed uid] using Negotiate authentication
[11060] Got resource urn:uuid:97a87075-6b73-47df-9412-538f75ca19b5 from resource management service
[11060] Got localized display name for DisplayName-Person-en-CA from cache
[11060] Row 0 added
[11060] Got localized display name for AccountName-Person-en-CA from cache
[11060] Row 1 added
[11060] Got localized display name for Domain-Person-en-CA from cache
[11060] Row 2 added
[11060] Set target set to S-1-5-21-1526727870-169486041-619646970-12345
[11060] Loading page. IsPostBack: True. IsPartialPostBack: True
[11060] Loaded page as [removed uid] using Negotiate authentication
[11060] Loading page. IsPostBack: True. IsPartialPostBack: True
[11060] Loaded page as [removed uid] using Negotiate authentication
[11060] Using specified password
[11060] Creating context with current credentials
[11060] Searching for user S-1-5-21-1526727870-169486041-619646970-12345
[11060] Directory exception encountered: System.DirectoryServices.DirectoryServicesCOMException (0x80072020): An operations error occurred.
[11060]
[11060] at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
[11060] at System.DirectoryServices.DirectoryEntry.Bind()
[11060] at System.DirectoryServices.DirectoryEntry.get_AdsObject()
[11060] at System.DirectoryServices.PropertyValueCollection.PopulateList()
[11060] at System.DirectoryServices.PropertyValueCollection..ctor(DirectoryEntry entry, String propertyName)
[11060] at System.DirectoryServices.PropertyCollection.get_Item(String propertyName)
[11060] at System.DirectoryServices.AccountManagement.PrincipalContext.DoLDAPDirectoryInitNoContainer()
[11060] at System.DirectoryServices.AccountManagement.PrincipalContext.DoDomainInit()
[11060] at System.DirectoryServices.AccountManagement.PrincipalContext.Initialize()
[11060] at System.DirectoryServices.AccountManagement.PrincipalContext.get_QueryCtx()
[11060] at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithTypeHelper(PrincipalContext context, Type principalType, Nullable`1 identityType, String identityValue, DateTime refDate)
[11060] at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithType(PrincipalContext context, Type principalType, IdentityType identityType, String identityValue)
[11060] at System.DirectoryServices.AccountManagement.UserPrincipal.FindByIdentity(PrincipalContext context, IdentityType identityType, String identityValue)
[11060] at Lithnet.ResourceManagement.UI.AssistedPasswordReset.Reset.GetUserPrincipal(PrincipalContext context, Boolean canRetry)
[11060] Handling operations error by requesting explicit credentials
[11060] Prompting for credentials
[11060] Credentals pending
[11060] Did not get a user context. Aborting
[11060] Loading page. IsPostBack: True. IsPartialPostBack: True
[11060] Loaded page as [removed uid] using Negotiate authentication
[11060] Attempting to validate [removed uid]
[11060] Credentials did not validate
Another interesting point to note is that the same user can reset passwords while logged in locally on the system as a normal (non-privileged) user.
[11060] Loading page. IsPostBack: False. IsPartialPostBack: False
[11060] Loaded page as [removed uid] using Negotiate authentication
[11060] Got resource urn:uuid:97a87075-6b73-47df-9412-538f75ca19b5 from resource management service
[11060] Got localized display name for DisplayName-Person-en-CA from cache
[11060] Row 0 added
[11060] Got localized display name for AccountName-Person-en-CA from cache
[11060] Row 1 added
[11060] Got localized display name for Domain-Person-en-CA from cache
[11060] Row 2 added
[11060] Set target set to S-1-5-21-1526727870-169486041-619646970-12345
[11060] Loading page. IsPostBack: True. IsPartialPostBack: True
[11060] Loaded page as [removed uid] using Negotiate authentication
[11060] Loading page. IsPostBack: True. IsPartialPostBack: True
[11060] Loaded page as [removed uid] using Negotiate authentication
[11060] Using specified password
[11060] Creating context with current credentials
[11060] Searching for user S-1-5-21-1526727870-169486041-619646970-12345
[11060] Got user context [removed uid]
[11060] Attempting to set password
[11060] Password set
[19252] Trace Start:74End Index:84
[11060] Loading page. IsPostBack: False. IsPartialPostBack: False
[11060] Loaded page as [removed uid] using Negotiate authentication
[11060] Got resource urn:uuid:97a87075-6b73-47df-9412-538f75ca19b5 from resource management service
[11060] Got localized display name for DisplayName-Person-en-CA from cache
[11060] Row 0 added
[11060] Got localized display name for AccountName-Person-en-CA from cache
[11060] Row 1 added
[11060] Got localized display name for Domain-Person-en-CA from cache
[11060] Row 2 added
[11060] Set target set to S-1-5-21-1526727870-169486041-619646970-12345
I found a similar post on the MSDN forums: https://social.technet.microsoft.com/Forums/en-US/14ee2d25-9d2f-4caa-b8b9-73b1904ca2bd/ldap-query-results-in-an-operations-error-occurred?forum=winserverDS
Possibly API related?
Any help you could provide would be greatly appreciated.
Thanks in advance!