timmcmic / DLConversionV2

MIT License

Replace Active Directory WinRM access with direct access. #89

Closed TerryED0618 closed 1 year ago

TerryED0618 commented 1 year ago

I'm getting an access denied when connecting to Active Directory Global Catalog server via WinRM. The WinRM access method has an advantage that the ActiveDirectory module does not need to be installed in the current workstation (via RSAT). Yet WinRM relies on BasicAuth and is being deprecated, even though it is still required for on-premises Exchange Server (EMS).

Please consider removing all WinRM access that is not necessary - such as for Active Directory.

WinRM access established here:

DLConversionV2.psm1:
    new-powershellsession -server $globalCatalogServer -credentials $activeDirectoryCredential -powershellsessionname $coreVariables.ADGlobalCatalogPowershellSessionName.value

It is used here:

Get-GroupSendAsPermission.ps1:
    $functionACLS = invoke-command -session $functionPSSession -ScriptBlock {import-module ActiveDirectory ; (get-ACL $args).access} -ArgumentList $objectPath *>&1

Get-onPremSendAs.ps1:
    $functionSendAsRights+= invoke-command {$blockName=$args[1];Get-ADPermission -identity $args[0] | where {($_.ExtendedRights -like "*send-as*") -and -not ($_.User -like "nt authority\self") -and ($_.isInherited -eq $false) -and ($_.user -like $blockName)}}-ArgumentList $recipient.identity,$functionQueryName

It is not used here:

Get-ADObjectConfiguration.ps1:
    $functionDLConfiguration=Get-ADObject -filter "mail -eq `"$groupSMTPAddress`"" -properties $parameterSet -server $globalCatalogServer -credential $adCredential -errorAction STOP
    $functionDLConfiguration=get-adObject -identity $DN -properties $parameterSet -server $globalCatalogServer -credential $adCredential -errorAction STOP

Get-CanonicalName.ps1:
    $functionTest = get-adobject -filter {distinguishedname -eq $dn} -properties canonicalName -credential $adCredential -server $globalCatalogServer -errorAction STOP

get-ExchangeSchemaVersion.ps1
    $functionADRootDSE=Get-ADRootDSE -server $globalCatalogServer -credential $adCredential -errorAction STOP
    $functionExchangeSchemaObject = Get-AdObject $functionExchangeSchemaContext -server $globalCatalogServer -credential $adCredential -properties * -errorAction STOP 

Get-NormalizedDN.ps1:
    $functionTest = get-adObject -filter {distinguishedname -eq $dn} -properties * -credential $adCredential -errorAction STOP -server $activeDirectoryDomainName

timmcmic commented 1 year ago

So there's a good reason for this - and I'm certainly open to suggestions. Maybe i'm missing something.

The commands that you reference in the "not used here" section all depend on Active Directory Web Services or are direct LDAP commands.

In the second section that you highlight, it's only get-ACL. This was a conscious decision, since get-ACL cannot be run remotely on an object, to capture the send-as permissions without requiring the administrator performing the migration to be on a domain controller.

I do think though you highlight an interesting and missed case. I recently took changes in the majority of code to ensure that Kerberos was implemented correctly for the Exchange connection. New-PsSession also supports an authentication switch. I may need to go back and revisit either adding this as an option or simply hard coding it to always use Kerberos. The account specified has to be a domain member and a domain member workstation utilized - so Kerberos, whether optional or hard coded, should not be an issue.

I'll test and get back to you.

timmcmic commented 1 year ago

I went through and implemented some changes. There is a new branch called Kerberos if you want to test.

In the main dlconversionV2 file I implemented two new optional parameters: activeDirectoryAuthenticationType and azureADConnectAuthenticationType. Both allow for either basic or kerberos, but the default is kerberos.

The new-powershellSession files were changed to require authenticationType be passed whether it was an online call or not. For active directory and adconnect it now uses kerberos to connect, which should subsequently resolve the issues with the basic auth winRM.

My test suite is running now but I am not seeing any issues if you want to test.

Tim

timmcmic commented 1 year ago

I also went through and did some additional testing.

I put a group policy in place to disable WinRM basic auth on both the client and the server WinRM components.

I tested the currently released version and none of the AD commands or the get-acl command wrapped in the invocation call failed. Overall I'm not seeing any issues with basic authentication and the structure of the current code if basic authentication is disabled.

I am going to go ahead and publish the additional changes since the flexibility makes sense, or maybe I'm missing a use case that you have that I do not.

timmcmic commented 1 year ago

Version 2.7.5 is published and defaults to Kerberos for all WinRM calls.

TerryED0618 commented 1 year ago

My thanks for your attention to this. Your fix does not address my issue, though it is appreciated that Kerberos is now the default for remote PowerShell (WinRM).

I believe my issue is not with this solution, but with my assumption I could get away with AD Account Operator role. I have requested AD Domain Admin role to grant me remote login rights to the DC/GC.

    [11/7/2022 11:16:15] - ****
    [11/7/2022 11:16:15] - BEGIN NEW-POWERSHELLSESSION
    [11/7/2022 11:16:15] - ****
    [11/7/2022 11:16:15] - Creating the powershell to server.
    ...> TerminatingError(New-PSSession): "The running command stopped because the preference variable "ErrorActionPreference" or common parameter is set to Stop: [DC01.contoso.com] Connecting to remote server DC01.contoso.com failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic."
    [DC01.contoso.com] Connecting to remote server DC01.contoso.com failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
    Out-LogFile : [DC01.contoso.com] Connecting to remote server DC01.contoso.com failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
    At C:\Program Files\WindowsPowerShell\Modules\DLConversionV2\2.7.5\New-PowershellSession.ps1:115 char:13

    [11/7/2022 11:16:16] - ****
    [11/7/2022 11:16:16] - BEGIN disable-allPowerShellSessions
    [11/7/2022 11:16:16] - ****

timmcmic commented 1 year ago

Ah...

Yes - the documentation does indicate that domain admin is required if the DL and all resources are within one domain and enterprise admin if the DL contains resources from multiple domains within a forest.

I have not actually tested with less. This call is unfortunately required to capture send as rights on the group since it will not run remotely.

Tim
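
The pattern discussed above (a selectable authentication type for the AD session that defaults to Kerberos, and the single Get-ACL call the project keeps behind WinRM because it has to run on the DC/GC), as an added example that is not code from DLConversionV2. The function names, parameter names, the sample server and group DN are assumptions for illustration; the Send-As rightsGuid is the well-known value from the AD schema's Extended-Rights container. The access-denied branch reflects what the log above shows: the failure occurs at New-PSSession, i.e. the account lacks rights to log on remotely to the DC, and no authentication-type change fixes that.

```powershell
# Added example (not DLConversionV2 code). Names such as New-GcSession,
# Get-GroupSendAsAce, DC01.contoso.com and the group DN are assumptions.

# Send-As is an extended right; this is its rightsGuid in the schema
# (CN=Send-As,CN=Extended-Rights,CN=Configuration,...).
$SendAsRightGuid = 'ab721a54-1e2f-11d0-9819-00aa0040529b'

function New-GcSession {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][pscredential]$Credential,
        # Mirrors the activeDirectoryAuthenticationType idea from the thread:
        # Kerberos unless Basic is explicitly requested.
        [ValidateSet('Kerberos', 'Basic')][string]$AuthenticationType = 'Kerberos'
    )

    if ($AuthenticationType -eq 'Basic') {
        # Basic over WinRM needs the client side to allow it; say so up front
        # instead of surfacing a generic failure later.
        $basic = (Get-Item WSMan:\localhost\Client\Auth\Basic).Value
        if ($basic -ne 'true') {
            throw "WinRM client has Basic auth disabled; use -AuthenticationType Kerberos."
        }
    }

    try {
        New-PSSession -ComputerName $Server -Credential $Credential `
            -Authentication $AuthenticationType -ErrorAction Stop
    }
    catch {
        # "Access is denied" at session creation is a remote-logon-rights problem
        # on the target DC, not an authentication-type problem.
        if ($_.Exception.Message -match 'Access is denied') {
            throw ("Remote PowerShell logon to $Server was denied for $($Credential.UserName). " +
                   "The account needs rights to log on remotely to the domain controller.")
        }
        throw
    }
}

function Get-GroupSendAsAce {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][System.Management.Automation.Runspaces.PSSession]$Session,
        [Parameter(Mandatory)][string]$DistinguishedName
    )

    # Get-Acl against the AD: drive executes on the remote DC/GC; only the
    # DACL entries come back over the session.
    $aces = Invoke-Command -Session $Session -ScriptBlock {
        param($dn)
        Import-Module ActiveDirectory -ErrorAction Stop
        (Get-Acl -Path "AD:\$dn").Access
    } -ArgumentList $DistinguishedName -ErrorAction Stop

    # Keep explicit (non-inherited) Allow entries for the Send-As right and drop
    # the group's own SELF entry, matching the filter used in Get-onPremSendAs.ps1.
    # ObjectType is compared as a string so it works on deserialized objects too.
    $aces | Where-Object {
        "$($_.ObjectType)" -eq $SendAsRightGuid -and
        "$($_.AccessControlType)" -eq 'Allow' -and
        -not $_.IsInherited -and
        "$($_.IdentityReference)" -ne 'NT AUTHORITY\SELF'
    } | Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited
}

# Usage (server and DN are placeholders):
$cred = Get-Credential -Message 'Account with remote logon rights on the GC'
$session = New-GcSession -Server 'DC01.contoso.com' -Credential $cred
try {
    Get-GroupSendAsAce -Session $session -DistinguishedName 'CN=Sales DL,OU=Groups,DC=contoso,DC=com'
}
finally {
    if ($session) { Remove-PSSession $session }
}
```

Running New-GcSession with the default Kerberos type is what a workstation-joined domain account already supports; the Basic branch exists only to make the unsafe choice explicit, and the session is always removed in finally so a failed ACL read does not leave a runspace open on the DC.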
