netwrix / pingcastle

PingCastle - Get Active Directory Security at 80% in 20% of the time
https://www.pingcastle.com

Bug: AzureAD Check crashes when using an Auditor License in 3.0 #174

Closed 978z3rzf89ou9jidejd0u93kjh8 closed 1 year ago

978z3rzf89ou9jidejd0u93kjh8 commented 1 year ago

Since version 3.0 of PingCastle the AzureAD check crashes right at the start, when I use an auditor license. The issue goes away when I run the free version by replacing the config file. I have tested on multiple systems (all Windows 10 based) with multiple tenants and with both authentication methods (PRT & Ask). In the previous version the healthcheck did run with the same license without issue.

The trace.log, after running with the --log switch, looks as follows:

After parsing arguments
Things to do OK
GetRegisteredPRTIdentities
1 identities
Identity: [...redacted...]; path=/; domain=login.microsoftonline.com; secure; httponly
Before loading token
Token: 
[New run]2023-04-05 13:07:11Z
PingCastle version 3.0.0.0
Running on dotnet:4.0.30319.42000
Starting Analyze at:05/04/2023 13:07:11
[13:07:11] Starting
[13:07:11] Authenticate
GetToken with PRT
Needing assembly PingCastle.XmlSerializers, Version=3.0.0.0, Culture=neutral, PublicKeyToken=null unknown (PingCastle.XmlSerializers, Version=3.0.0.0, Culture=neutral, PublicKeyToken=null)
Needing assembly PingCastle.XmlSerializers unknown (PingCastle.XmlSerializers)
RunAuthorize: post to https://login.microsoftonline.com/common/oauth2/authorize
ExtractCodeFromResponse
TitleNode found
RunGetToken: post to https://login.microsoftonline.com/common/oauth2/token
Response status code does not indicate success: 400 (Bad Request).
   at System.Net.Http.HttpResponseMessage.EnsureSuccessStatusCode()
   at PingCastle.Cloud.Tokens.TokenFactory.<RunGetToken>d__46'1.MoveNext() in c:\git\PingCastlePublic\Cloud\Tokens\TokenFactory.cs:line 374
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at PingCastle.Cloud.Tokens.TokenFactory.<GetToken>d__0'1.MoveNext() in c:\git\PingCastlePublic\Cloud\Tokens\TokenFactory.cs:line 39
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at PingCastle.Cloud.Credentials.CredentialBase.<GetToken>d__0'1.MoveNext() in c:\git\PingCastlePublic\Cloud\Credentials\CredentialBase.cs:line 41
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at PingCastle.Cloud.Analyzer.Analyzer.<Analyze>d__4.MoveNext() in c:\git\PingCastlePublic\Cloud\Analyzer\Analyzer.cs:line 55
[Red][13:07:12] An exception occured when doing the task: Analyze
[Red]Note: you can run the program with the switch --log to get more detail
An exception occured when doing the task: Analyze
[Red]Exception: Response status code does not indicate success: 400 (Bad Request).
Type:System.Net.Http.HttpRequestException
[DarkRed]   at System.Net.Http.HttpResponseMessage.EnsureSuccessStatusCode()
   at PingCastle.Cloud.Tokens.TokenFactory.<RunGetToken>d__46'1.MoveNext() in c:\git\PingCastlePublic\Cloud\Tokens\TokenFactory.cs:line 374
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at PingCastle.Cloud.Tokens.TokenFactory.<GetToken>d__0'1.MoveNext() in c:\git\PingCastlePublic\Cloud\Tokens\TokenFactory.cs:line 39
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at PingCastle.Cloud.Credentials.CredentialBase.<GetToken>d__0'1.MoveNext() in c:\git\PingCastlePublic\Cloud\Credentials\CredentialBase.cs:line 41
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at PingCastle.Cloud.Analyzer.Analyzer.<Analyze>d__4.MoveNext() in c:\git\PingCastlePublic\Cloud\Analyzer\Analyzer.cs:line 134
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at PingCastle.Tasks.<AnalyzeTask>b__24() in c:\git\PingCastlePublic\Tasks.cs:line 698
   at PingCastle.Tasks.StartTask(String taskname, TaskDelegate taskdelegate) in c:\git\PingCastlePublic\Tasks.cs:line 1275
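The trace above shows a useful triage pattern for cloud checks like this one: the last "post to" line before the exception tells you which OAuth2 endpoint rejected the request, and the status line tells you how, before any tenant data is ever read. The following Python helper is an added example, not PingCastle's own code, and assumes only the trace line shapes visible in this report (the "Step: post to URL" lines, the "Response status code does not indicate success" line, the "at ..." frames and the "Type:" line); the sample trace is a constructed, abbreviated copy of the one posted here.

```python
import re

# Constructed sample modelled on the trace in the report (paths and frames abbreviated).
SAMPLE_TRACE_LINES = [
    r"After parsing arguments",
    r"Things to do OK",
    r"GetToken with PRT",
    r"RunAuthorize: post to https://login.microsoftonline.com/common/oauth2/authorize",
    r"ExtractCodeFromResponse",
    r"RunGetToken: post to https://login.microsoftonline.com/common/oauth2/token",
    r"Response status code does not indicate success: 400 (Bad Request).",
    r"   at System.Net.Http.HttpResponseMessage.EnsureSuccessStatusCode()",
    r"   at PingCastle.Cloud.Tokens.TokenFactory.<RunGetToken>d__46'1.MoveNext() in c:\git\PingCastlePublic\Cloud\Tokens\TokenFactory.cs:line 374",
    r"--- End of stack trace from previous location where exception was thrown ---",
    r"[Red][13:07:12] An exception occured when doing the task: Analyze",
    r"[Red]Exception: Response status code does not indicate success: 400 (Bad Request).",
    r"Type:System.Net.Http.HttpRequestException",
    r"[DarkRed]   at System.Net.Http.HttpResponseMessage.EnsureSuccessStatusCode()",
]

# Colour tags such as [Red] / [DarkRed] are prepended by the console writer; strip them first.
TAG_RE = re.compile(r"^\[[A-Za-z]+\]")
POST_RE = re.compile(r"^(?P<step>\w+): post to (?P<url>\S+)$")
STATUS_RE = re.compile(
    r"Response status code does not indicate success: (?P<code>\d{3}) \((?P<reason>[^)]*)\)"
)
FRAME_RE = re.compile(r"^\s+at (?P<method>\S+)(?: in (?P<file>.*):line (?P<line>\d+))?$")
TYPE_RE = re.compile(r"^Type:(?P<type>\S+)$")

# Endpoints that belong to the sign-in exchange; a failure here means no tenant data was read.
AUTH_PATHS = ("/oauth2/authorize", "/oauth2/token")


def triage_trace(text):
    """Return a dict describing the first HTTP failure in a PingCastle-style trace."""
    result = {
        "step": None, "url": None, "status": None, "reason": None,
        "phase": None, "exception_type": None, "frames": [],
    }
    last_post = None
    for raw in text.splitlines():
        line = TAG_RE.sub("", raw)
        m = POST_RE.match(line)
        if m:
            last_post = (m.group("step"), m.group("url"))
            continue
        m = STATUS_RE.search(line)
        if m and result["status"] is None:
            result["status"] = int(m.group("code"))
            result["reason"] = m.group("reason")
            if last_post:
                result["step"], result["url"] = last_post
                result["phase"] = (
                    "authentication" if last_post[1].endswith(AUTH_PATHS) else "collection"
                )
            continue
        m = FRAME_RE.match(line)
        if m:
            # Keep the call sites in order; the first frame is the innermost one.
            result["frames"].append(m.group("method"))
            continue
        m = TYPE_RE.match(line)
        if m:
            result["exception_type"] = m.group("type")
    return result


def summarize(result):
    """One-line human summary suitable for a support ticket."""
    if result["status"] is None:
        return "no HTTP failure found in trace"
    return (
        f"{result['phase']} failure: {result['step']} -> {result['url']} "
        f"returned {result['status']} ({result['reason']}); "
        f"exception {result['exception_type']}, innermost frame {result['frames'][0]}"
    )


if __name__ == "__main__":
    print(summarize(triage_trace("\n".join(SAMPLE_TRACE_LINES))))
```

Because the failing call is the token exchange itself, the summary points at local configuration (credentials, the PRT in use, or, as it turned out here, the license file) rather than at the tenant's directory data.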

vletoux commented 1 year ago

Can you contact support@pingcastle.com with the detailed log for both cases? Indeed, there is no difference if you have a license or not during the audit phase.

978z3rzf89ou9jidejd0u93kjh8 commented 1 year ago

While creating two new traces I remembered that I just copied the license file from the previous version instead of inserting the license string in the new license file from version 3.0. This did not affect the normal HealthCheck but it did affect the AzureAD check. After just copying the string to the file provided with version 3.0 all worked well.

So it was only my own fault for not using it correctly. Closing the issue and apologies for the trouble.