netwrix / pingcastle

PingCastle - Get Active Directory Security at 80% in 20% of the time
https://www.pingcastle.com

Bug: Certificate-based authentication (P12) with --azuread fails #232

Closed Leightonish closed 4 months ago

Leightonish commented 6 months ago

Hi Vincent,

I am experiencing issues with PingCastle and Azure Active Directory certificate-based authentication (P12).

In essence, the authentication seems to be successful, but I am not authorized to read anything from the directory. The Global Reader role has been assigned to the Service Principal. However, I am facing a persistent 401 Unauthorized error when attempting to perform a scan.

(Also confirmed to be a bug after reaching out to support)

There is currently a bug. We are working on finding a workaround for certificate authentication.

The error log is as follows:

PS> PingCastle.exe --azuread --clientid redacted --tenantid redacted --p12-file certificate.pfx --p12-pass redacted
Starting the task: Analyze
[08:01:28] Starting
[08:01:28] Authenticate
[08:01:28] DNS Domains
[08:01:29] Exception when doing DNS Domains
[08:01:29] The creator of this fault did not specify a Reason.
[08:01:29] Continuing
[08:01:29] Known tenant
[08:01:29] Exception when doing Known tenant
[08:01:29] Response status code does not indicate success: 401 (Unauthorized).
[08:01:29] Continuing
[08:01:29] Get Configuration
[08:01:29] Company Info
[08:01:29] Exception when doing Company Info
[08:01:29] The creator of this fault did not specify a Reason.
[08:01:29] Continuing
[08:01:29] UsersPermissionToReadOtherUsersEnabled is False. Only an admin will be able to analyze users & admins
[08:01:29] Policies
[08:01:29] Exception when doing Policies
[08:01:29] Error when calling https://graph.windows.net:443/redacted/policies?api-version=1.61-internal : Access denied to the specified API version.
[08:01:29] Continuing
[08:01:29] AD Connect
[08:01:30] Exception when doing AD Connect
[08:01:30] Response status code does not indicate success: 401 (Unauthorized).
[08:01:30] Continuing
[08:01:30] Applications and permissions
[08:01:30] Exception when doing Applications and permissions
[08:01:30] Error when calling https://graph.windows.net:443/redacted/servicePrincipals?api-version=1.61-internal : Access denied to the specified API version.
[08:01:30] Continuing
[08:01:30] Roles
[08:01:30] Exception when doing Roles
[08:01:30] The creator of this fault did not specify a Reason.
[08:01:30] Continuing
[08:01:30] Foreign domains
[08:01:30] Outlook online
Error: unauthorized_client Description: AADSTS700016: Application with identifier 'redacted' was not found in the directory 'Microsoft Services'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant.
You may have sent your authentication request to the wrong tenant.
[08:01:30] Exception when doing Outlook online
[08:01:30] Response status code does not indicate success: 400 (Bad Request).
[08:01:30] Continuing
[08:01:30] Computing risks
[08:01:30] Done
[08:01:30] An exception occured when doing the task: Analyze

vletoux commented 4 months ago

This is by design: the internal API (1.61-internal) is not open to applications. I need to find a workaround.

prashantvidja commented 2 months ago

@Leightonish Any update on this? Did you find any workaround?

Thanks

Leightonish commented 2 months ago

@Leightonish Any update on this? Did you find any workaround?

Thanks

No workaround found for service principals yet. Have to run manually with a regular Entra ID user (PRT authentication).

prashantvidja commented 2 months ago

@Leightonish

Getting the below exception while running with PRT:

Free Edition of PingCastle 3.2.0 - Not for commercial use
Starting the task: Analyze
[1:41:21 PM] Starting
[1:41:21 PM] Authenticate
[1:41:22 PM] An exception occured when doing the task: Analyze
Note: you can run the program with the switch --log to get more detail
Exception: Index was out of range. Must be non-negative and less than the size of the collection.
Parameter name: index
   at System.ThrowHelper.ThrowArgumentOutOfRangeException(ExceptionArgument argument, ExceptionResource resource)
   at PingCastle.Cloud.Tokens.TokenFactory.d9.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at PingCastle.Cloud.Tokens.TokenFactory.d01.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at PingCastle.Cloud.Credentials.CredentialBase.<GetToken>d__71.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at PingCastle.Cloud.Analyzer.Analyzer.d4.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at PingCastle.Tasks.b35_0()
   at PingCastle.Tasks.StartTask(String taskname, TaskDelegate taskdelegate)