lithnet / resourcemanagement-ui-assistedpasswordreset

Administrator-assisted password reset module for FIM 2010 and MIM 2016
MIT License

System.DirectoryServices.DirectoryServicesCOMException (0x80072020) #7

Closed mwassell closed 7 years ago

mwassell commented 7 years ago

Hi Ryan, I believe that I'm running into a similar issue to the other issue described by the previous poster.

For reference, here is the trace output:

[11060] Loaded page as [removed uid] using Negotiate authentication
[11060] Got resource urn:uuid:97a87075-6b73-47df-9412-538f75ca19b5 from resource management service
[11060] Got localized display name for DisplayName-Person-en-CA from cache
[11060] Row 0 added
[11060] Got localized display name for AccountName-Person-en-CA from cache
[11060] Row 1 added
[11060] Got localized display name for Domain-Person-en-CA from cache
[11060] Row 2 added
[11060] Set target set to S-1-5-21-1526727870-169486041-619646970-12345
[11060] Loading page. IsPostBack: True. IsPartialPostBack: True
[11060] Loaded page as [removed uid] using Negotiate authentication
[11060] Loading page. IsPostBack: True. IsPartialPostBack: True
[11060] Loaded page as [removed uid] using Negotiate authentication
[11060] Using specified password
[11060] Creating context with current credentials
[11060] Searching for user S-1-5-21-1526727870-169486041-619646970-12345
[11060] Directory exception encountered: System.DirectoryServices.DirectoryServicesCOMException (0x80072020): An operations error occurred.
[11060]
[11060] at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
[11060] at System.DirectoryServices.DirectoryEntry.Bind()
[11060] at System.DirectoryServices.DirectoryEntry.get_AdsObject()
[11060] at System.DirectoryServices.PropertyValueCollection.PopulateList()
[11060] at System.DirectoryServices.PropertyValueCollection..ctor(DirectoryEntry entry, String propertyName)
[11060] at System.DirectoryServices.PropertyCollection.get_Item(String propertyName)
[11060] at System.DirectoryServices.AccountManagement.PrincipalContext.DoLDAPDirectoryInitNoContainer()
[11060] at System.DirectoryServices.AccountManagement.PrincipalContext.DoDomainInit()
[11060] at System.DirectoryServices.AccountManagement.PrincipalContext.Initialize()
[11060] at System.DirectoryServices.AccountManagement.PrincipalContext.get_QueryCtx()
[11060] at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithTypeHelper(PrincipalContext context, Type principalType, Nullable`1 identityType, String identityValue, DateTime refDate)
[11060] at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithType(PrincipalContext context, Type principalType, IdentityType identityType, String identityValue)
[11060] at System.DirectoryServices.AccountManagement.UserPrincipal.FindByIdentity(PrincipalContext context, IdentityType identityType, String identityValue)
[11060] at Lithnet.ResourceManagement.UI.AssistedPasswordReset.Reset.GetUserPrincipal(PrincipalContext context, Boolean canRetry)
[11060] Handling operations error by requesting explicit credentials
[11060] Prompting for credentials
[11060] Credentals pending
[11060] Did not get a user context. Aborting
[11060] Loading page. IsPostBack: True. IsPartialPostBack: True
[11060] Loaded page as [removed uid] using Negotiate authentication
[11060] Attempting to validate [removed uid]
[11060] Credentials did not validate

Another interesting point to note is that the same user can reset passwords while logged in locally on the system as a normal (non-privileged) user.

[11060] Loading page. IsPostBack: False. IsPartialPostBack: False
[11060] Loaded page as [removed uid] using Negotiate authentication
[11060] Got resource urn:uuid:97a87075-6b73-47df-9412-538f75ca19b5 from resource management service
[11060] Got localized display name for DisplayName-Person-en-CA from cache
[11060] Row 0 added
[11060] Got localized display name for AccountName-Person-en-CA from cache
[11060] Row 1 added
[11060] Got localized display name for Domain-Person-en-CA from cache
[11060] Row 2 added
[11060] Set target set to S-1-5-21-1526727870-169486041-619646970-12345
[11060] Loading page. IsPostBack: True. IsPartialPostBack: True
[11060] Loaded page as [removed uid] using Negotiate authentication
[11060] Loading page. IsPostBack: True. IsPartialPostBack: True
[11060] Loaded page as [removed uid] using Negotiate authentication
[11060] Using specified password
[11060] Creating context with current credentials
[11060] Searching for user S-1-5-21-1526727870-169486041-619646970-12345
[11060] Got user context [removed uid]
[11060] Attempting to set password
[11060] Password set
[19252] Trace Start:74End Index:84
[11060] Loading page. IsPostBack: False. IsPartialPostBack: False
[11060] Loaded page as [removed uid] using Negotiate authentication
[11060] Got resource urn:uuid:97a87075-6b73-47df-9412-538f75ca19b5 from resource management service
[11060] Got localized display name for DisplayName-Person-en-CA from cache
[11060] Row 0 added
[11060] Got localized display name for AccountName-Person-en-CA from cache
[11060] Row 1 added
[11060] Got localized display name for Domain-Person-en-CA from cache
[11060] Row 2 added
[11060] Set target set to S-1-5-21-1526727870-169486041-619646970-12345

I found a similar post on the MSDN forums: https://social.technet.microsoft.com/Forums/en-US/14ee2d25-9d2f-4caa-b8b9-73b1904ca2bd/ldap-query-results-in-an-operations-error-occurred?forum=winserverDS

Possibly API related?

Any help you could provide would be greatly appreciated.

Thanks in advance!

ryannewington commented 7 years ago

Urgh. The dreaded and significantly unhelpful 'operations error'.

Just to confirm the scenario, this occurs when user A tries to reset any user's password while using the tool from a remote machine? However, it works when user A is running this from the FIM portal server itself? User A has this problem when trying to reset any user password?

Do you have the ability to run a wireshark capture on the fim portal server to capture the LDAP conversation?

mwassell commented 7 years ago

Hey Ryan, yes, you are correct and that is the symptom that I am seeing. The behavior seems super weird from a functional perspective in my opinion. I had a thought that it might be related to LSA restrictions, but I haven't been able to isolate a cause.

I'm happy to provide more info. I'll submit a reply tomorrow with the relevant info from the pcap, or I can email it to you directly if you'd like to have a look.

I also enabled Kerberos logging on the host and I wasn't able to see anything relevant. I'll dig in deeper on it tomorrow.

Thanks again! :)

mwassell commented 7 years ago

Seems to be a Kerberos related issue...

Kerberos
    Record Mark: 131 bytes
    krb-error
        pvno: 5
        msg-type: krb-error (30)
        stime: 2017-09-22 15:42:25 (UTC)
        susec: 806132
        error-code: eRR-BADOPTION (13)
        realm: [domain]
        sname
            name-type: kRB5-NT-SRV-INST (2)
            sname-string: 2 items
                SNameString: ldap
                SNameString: [dc hostname]
        e-data: 3015a103020103a20e040c720200c00000000003000000
            PA-PW-SALT
                padata-type: kRB5-PADATA-PW-SALT (3)
                padata-value: 720200c00000000003000000
                    NT Status: STATUS_NO_MATCH (0xc0000272)
                    Unknown: 0x00000000
                    Unknown: 0x00000003

I see that error returned even if Unconstrained delegation is enabled though. Hmm...

ryannewington commented 7 years ago

The fact that it works on the local box could mean it is falling back to NTLM. Are the SPNs on your DCs correct in that they have both LDAP/shortname and LDAP/fqdn variants?
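One way to answer the SPN question above from a domain-joined admin workstation, as an added example that is not part of this issue or the Lithnet project. It assumes the ActiveDirectory RSAT module is installed and defaults to the current domain; the function name Test-DcLdapSpns is hypothetical.

```powershell
# Added example (not from the issue or the Lithnet project): for every domain
# controller, report whether both the ldap/<shortname> and ldap/<fqdn> SPNs
# are registered on its computer object. Kerberos LDAP binds that target
# either name form need the matching SPN to get a service ticket.
Import-Module ActiveDirectory

function Test-DcLdapSpns {
    param(
        # Assumption: check the caller's current domain unless told otherwise.
        [string]$Domain = (Get-ADDomain).DNSRoot
    )

    foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
        $computer = Get-ADComputer -Identity $dc.ComputerObjectDN `
                                   -Properties servicePrincipalName `
                                   -Server $Domain
        $spns  = @($computer.servicePrincipalName)
        $short = "ldap/$($dc.Name)"       # e.g. ldap/DC01
        $fqdn  = "ldap/$($dc.HostName)"   # e.g. ldap/dc01.example.com

        # -contains is case-insensitive, which matches how SPNs are compared.
        [pscustomobject]@{
            DomainController = $dc.HostName
            HasShortNameSpn  = ($spns -contains $short)
            HasFqdnSpn       = ($spns -contains $fqdn)
            LdapSpnCount     = @($spns | Where-Object { $_ -like 'ldap/*' }).Count
        }
    }
}

# Any row with HasShortNameSpn or HasFqdnSpn set to False is worth fixing
# before looking further at the application side.
Test-DcLdapSpns | Format-Table -AutoSize
```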

mwassell commented 7 years ago

Thanks Ryan. Yes, I double checked and made sure that the SPNs registered on the DCs are correct.

Another interesting piece to the puzzle, I noticed that Kerberos is actually succeeding during the password change operation on the local host. It is not falling back to NTLM, but that was a great suggestion.

Here is the TGS-REQ packet from the attempt while connected to the local machine:

Kerberos
    Record Mark: 1912 bytes
    tgs-req
        pvno: 5
        msg-type: krb-tgs-req (12)
        padata: 2 items
        req-body
            Padding: 0
            kdc-options: 40810000 (forwardable, renewable, canonicalize)
            realm: [domain]
            sname
                name-type: kRB5-NT-SRV-INST (2)
                sname-string: 2 items
                    SNameString: ldap
                    SNameString: [dc hostname]
            till: 2037-09-13 02:48:05 (UTC)
            nonce: 1357190953
            etype: 5 items
            enc-authorization-data

And here is the reply:

Kerberos
    Record Mark: 2093 bytes
    tgs-rep
        pvno: 5
        msg-type: krb-tgs-rep (13)
        crealm: [domain]
        cname
            name-type: kRB5-NT-PRINCIPAL (1)
            cname-string: 1 item
                CNameString: [username]
        ticket
            tkt-vno: 5
            realm: [domain]
            sname
                name-type: kRB5-NT-SRV-INST (2)
                sname-string: 2 items
                    SNameString: ldap
                    SNameString: [dc hostname]
            enc-part
        enc-part

The remaining Kerberos ticket exchanges and KPASSWD packets follow this.

It's also worth mentioning that the same behavior is occurring from multiple client PCs and all Kerberos traffic appears to be working fine otherwise.

Very curious...

mwassell commented 7 years ago

Got it. This was related to a combination of Kerberos and application configuration issues.

Please delete or mark this resolved when you can Ryan.

Thanks for your help again!

ryannewington commented 7 years ago

@mwassell glad you got it resolved!