netwrix / pingcastle

PingCastle - Get Active Directory Security at 80% in 20% of the time
https://www.pingcastle.com

Item has already been added #261

Closed idefixgallier closed 1 month ago

idefixgallier commented 2 months ago

Hey! The healthscanner does not work any more:

```
Free Edition of PingCastle 3.3.0 - Not for commercial use
Starting the task: Perform analysis for XXX.local
[07:40:30] Getting domain information (XXX.local)
Performance warning: using LDAP instead of ADWS
[07:41:13] Gathering general data
[07:41:14] This domain contains approximatively 30526 objects
[07:41:14] Gathering user data
[07:41:21] An exception occured when doing the task: Perform analysis for XXX.local
[07:41:21] An exception occured when doing the task: Perform analysis for XXX.local
Note: you can run the program with the switch --log to get more detail
Exception: Item has already been added. Key in dictionary: 'objectsid' Key being added: 'objectsid'
   at System.Collections.Hashtable.Insert(Object key, Object nvalue, Boolean add)
   at System.Collections.DictionaryBase.System.Collections.IDictionary.Add(Object key, Object value)
   at System.DirectoryServices.Extensions.CompleteHintInformationIfNeeded(Object searchResultObject, IEnumerable`1 entries)
   at System.DirectoryServices.SearchResultCollection.get_InnerList()
   at System.DirectoryServices.SearchResultCollection.GetEnumerator()
   at PingCastle.ADWS.LDAPConnection.EnumerateInternalWithLDAP(String distinguishedName, String filter, String[] properties, String scope, WorkOnReturnedObjectByADWS callback)
   at PingCastle.ADWS.ADWebService.Enumerate(Action preambleWithReentry, String distinguishedName, String filter, String[] properties, WorkOnReturnedObjectByADWS callback, String scope)
   at PingCastle.Healthcheck.HealthcheckAnalyzer.GenerateUserData(ADDomainInfo domainInfo, ADWebService adws)
   at PingCastle.Healthcheck.HealthcheckAnalyzer.PerformAnalyze(PingCastleAnalyzerParameters parameters)
   at PingCastle.Tasks.<>c__DisplayClass30_0.b_0()
   at PingCastle.Tasks.StartTask(String taskname, TaskDelegate taskdelegate)
```

We checked if we do have duplicate SIDs with ntdsutil but we haven't found any.... How can we help to solve this?

kr Martin

JoeDibley commented 2 months ago

Hi there, Thanks for the issue. This will likely be an issue with the specific domain controller scanned. You will need to run the NTDSUtil duplicate sids check on all your domain controllers not just a single one to identify the issue.

Alternatively you can use pingcastle.exe --healthcheck --server DCName or specify a domain controller when you specify the domain on the interactive scan.

I will be adding something to the backlog to handle the objectsid error better.
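The per-DC check suggested in the comment above, as an added example that is not part of the original thread or of the PingCastle project: it runs the ntdsutil duplicate SID check and a pinned healthcheck against every domain controller, then flags which ones reproduce the `objectsid` exception. It assumes the RSAT ActiveDirectory module, `ntdsutil.exe` on the PATH, `PingCastle.exe` in the current directory, and a placeholder output folder.

```powershell
# Added example (not from the thread). Assumptions: RSAT ActiveDirectory module,
# ntdsutil.exe on PATH, PingCastle.exe in the current directory, and an account
# with rights to run both tools against each DC.
Import-Module ActiveDirectory

$outDir = 'C:\Temp\dupsid'   # placeholder folder; avoid spaces in the path
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

$results = foreach ($dc in (Get-ADDomainController -Filter *)) {
    $name   = $dc.HostName
    $sidLog = Join-Path $outDir "$name-dupsid.log"
    $pcLog  = Join-Path $outDir "$name-pingcastle.txt"

    # 1. Duplicate SID check bound to this specific DC; findings go to $sidLog
    & ntdsutil.exe 'security account management' `
        "connect to server $name" `
        "log file $sidLog" `
        'check duplicate sid' quit quit | Out-Null

    # 2. Healthcheck pinned to the same DC, console output captured for review
    & .\PingCastle.exe --healthcheck --server $name --log 2>&1 |
        Set-Content -Path $pcLog

    # 3. Record whether this DC reproduces the exception text from the issue
    [pscustomobject]@{
        DomainController = $name
        DupSidLog        = $sidLog
        PingCastleOutput = $pcLog
        ObjectSidError   = [bool](Select-String -Path $pcLog `
                               -Pattern 'Item has already been added' -Quiet)
    }
}

$results | Format-Table -AutoSize
```

Review each `*-dupsid.log` by hand; the script only collects the files and does not interpret their contents.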

idefixgallier commented 2 months ago

Dear Joe!

Thank you for the quick response!

This is interesting … I started the check from a RDP server and all variants worked flawlessly.

It may be the case that the same pingcastle started from a client is limited in its work by e.g. some ASR Defender rule.

I will check this as soon as I am in the university again and report back (maybe with the culprit then). It may help you to develop a more detailed warning if this error occurs.

Kr

Martin

JoeDibley commented 1 month ago

Hi there, Just checking in, did you manage to check this out any further?

idefixgallier commented 1 month ago

It's some kind of ASR rule or Defender magic, but we didn't have time to investigate it further. It's work in progress and I'll report back

idefixgallier commented 1 month ago

Hey!

We haven’t been able to identify a cause why ping castle delivers that error on certain clients. We still think that MS defender is the culprit but we cannot pinpoint an exact cause.

At least we know on what clients it's working and can use it ….

Thank you Joe

JoeDibley commented 1 month ago

No problem at all. I'll close this for now but please do reopen or log a new issue if you discover the cause.