netwrix / pingcastle

PingCastle - Get Active Directory Security at 80% in 20% of the time
https://www.pingcastle.com

Item has already been added #261

Open idefixgallier opened 6 days ago

idefixgallier commented 6 days ago

Hey! The healthscanner does not work any more:

```
Free Edition of PingCastle 3.3.0 - Not for commercial use
Starting the task: Perform analysis for XXX.local
[07:40:30] Getting domain information (XXX.local)
Performance warning: using LDAP instead of ADWS
[07:41:13] Gathering general data
[07:41:14] This domain contains approximatively 30526 objects
[07:41:14] Gathering user data
[07:41:21] An exception occured when doing the task: Perform analysis for XXX.local
[07:41:21] An exception occured when doing the task: Perform analysis for XXX.local
Note: you can run the program with the switch --log to get more detail
Exception: Item has already been added. Key in dictionary: 'objectsid' Key being added: 'objectsid'
   at System.Collections.Hashtable.Insert(Object key, Object nvalue, Boolean add)
   at System.Collections.DictionaryBase.System.Collections.IDictionary.Add(Object key, Object value)
   at System.DirectoryServices.Extensions.CompleteHintInformationIfNeeded(Object searchResultObject, IEnumerable`1 entries)
   at System.DirectoryServices.SearchResultCollection.get_InnerList()
   at System.DirectoryServices.SearchResultCollection.GetEnumerator()
   at PingCastle.ADWS.LDAPConnection.EnumerateInternalWithLDAP(String distinguishedName, String filter, String[] properties, String scope, WorkOnReturnedObjectByADWS callback)
   at PingCastle.ADWS.ADWebService.Enumerate(Action preambleWithReentry, String distinguishedName, String filter, String[] properties, WorkOnReturnedObjectByADWS callback, String scope)
   at PingCastle.Healthcheck.HealthcheckAnalyzer.GenerateUserData(ADDomainInfo domainInfo, ADWebService adws)
   at PingCastle.Healthcheck.HealthcheckAnalyzer.PerformAnalyze(PingCastleAnalyzerParameters parameters)
   at PingCastle.Tasks.<>c__DisplayClass30_0.b_0()
   at PingCastle.Tasks.StartTask(String taskname, TaskDelegate taskdelegate)
```

We checked if we do have duplicate SIDs with ntdsutil but we haven't found any.... How can we help to solve this?

kr Martin

JoeDibley commented 3 days ago

Hi there, Thanks for the issue. This will likely be an issue with the specific domain controller scanned. You will need to run the NTDSUtil duplicate sids check on all your domain controllers not just a single one to identify the issue.

Alternatively you can use `pingcastle.exe --healthcheck --server DCName` or specify a domain controller when you specify the domain on the interactive scan.

I will be adding something to the backlog to handle the objectsid error better.
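The per-domain-controller procedure suggested in the comment above, as an added example that is not part of the original thread or of PingCastle itself: it runs the ntdsutil duplicate SID check and a pinned health check against every domain controller and records which ones reproduce the `objectsid` exception. The output folder, the location of `PingCastle.exe` in the current directory, and the availability of the RSAT ActiveDirectory module are assumptions.

```powershell
# Added example. Assumptions: RSAT ActiveDirectory module installed, ntdsutil on PATH,
# PingCastle.exe in the current directory, and a writable output folder without spaces.
Import-Module ActiveDirectory

$outDir = 'C:\Temp\pc-dc-check'   # hypothetical output folder
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    $name = $dc.HostName

    # 1) Duplicate SID check against this specific DC.
    #    ntdsutil writes its findings to the file named by "log file".
    $sidLog = Join-Path $outDir "dupsid-$name.log"
    & ntdsutil 'security account management' "log file $sidLog" `
        "connect to server $name" 'check duplicate sid' quit quit |
        Out-File (Join-Path $outDir "ntdsutil-$name.txt")

    # 2) Health check pinned to this DC, with --log for the detailed trace.
    $pcOut = & .\PingCastle.exe --healthcheck --server $name --log 2>&1 | Out-String
    $pcOut | Out-File (Join-Path $outDir "pingcastle-$name.txt")

    # 3) One row per DC: where the SID log is and whether the exception appeared.
    [pscustomobject]@{
        DomainController = $name
        DupSidLog        = $sidLog
        ObjectSidError   = $pcOut -match 'Item has already been added'
    }
}

$results | Format-Table -AutoSize
```

A domain controller with `ObjectSidError` set to `True` is the one to examine first; review its `dupsid-*.log` alongside the saved PingCastle output.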

idefixgallier commented 3 days ago

Dear Joe!

Thank you for the quick response!

This is interesting … I started the check from a RDP server and all variants worked flawlessly.

It may be the case that the same pingcastle started from a client is limited in its work by e.g. some ASR Defender rule.

I will check this as soon as I am in the university again and report back (maybe with the culprit then). It may help you to develop a more detailed warning if this error occurs.

Kr

Martin

From: Joe @.> Sent: Thursday, 26 September 2024 21:06 To: netwrix/pingcastle @.> Cc: idefixgallier @.>; Author @.> Subject: Re: [netwrix/pingcastle] Item has already been added (Issue #261)

Hi there, Thanks for the issue. This will likely be an issue with the specific domain controller scanned. You will need to run the NTDSUtil duplicate sids check on all your domain controllers not just a single one to identify the issue.

Alternatively you can use pingcastle.exe --healthcheck --server DCName or specify a domain controller when you specify the domain on the interactive scan.

I will be adding something to the backlog to handle the objectsid error better.
