DVLS PAM Reset AD Password - Exception has been thrown by the target of an invocation

Hello,

When trying to reset an AD account added to DVLS PAM, the error 'Exception has been thrown by the target of an invocation' occurs.

The DVLS PAM provider credentials test ok, and permissions were delegated as per https://docs.devolutions.net/pam/kb/how-to-articles/least-permission-jit-group-elevation/

The domains have a password complexity GPO configured, however a DVLS Password template with equivalent requirements has been created and assigned to the provider.

Is there a way to enable enhanced logging to troubleshoot this further? Possibly there is a recorded response from the domain controller that indicates the reason for the password reset failure.

Thanks
Joe

All Comments (17)

Hello,

Please see the following article to raise the debug level and how to consult the DVLS logs.
https://docs.devolutions.net/kb/devolutions-server/how-to-articles/view-server-datasource-logs/

Are the accounts whose passwords you're trying to reset members of the AD Protected Users group or the Domain Admins group?

Best regards,

Érica Poirier

Hi Erica,

Yes, the accounts where resetting the password does not work are domain admins. Is there an additional permission required for that to work?

Thanks
Joe

Hi Erica,

On a separate but related note, it seems DVLS PAM is trying to use port 389 after completing a password reset, even though the provider is configured to use LDAPS on port 636. After initiating a password reset, the user sees an error saying 'an unexpected error occured. the server could not be contacted'; however, the password change does actually occur and the password history is updated.

Further, after each password reset, the DVLS logs record the error below for a domain behind a firewall that blocks port 389. Wireshark also indicates that communication on port 389 is being attempted. Other functions such as testing the provider, or checking the account password sync, seem to work fine exclusively over port 636. Is this expected behaviour, or should the traffic only be occurring on port 636?

PrincipalServerDownException - The server could not be contacted.

at System.DirectoryServices.AccountManagement.PrincipalContext.ReadServerConfig(String serverName, ServerProperties& properties)
at System.DirectoryServices.AccountManagement.PrincipalContext.DoServerVerifyAndPropRetrieval()
at System.DirectoryServices.AccountManagement.PrincipalContext..ctor(ContextType contextType, String name, String container, ContextOptions options, String userName, String password)
at System.DirectoryServices.AccountManagement.PrincipalContext..ctor(ContextType contextType, String name, String container, String userName, String password)
at Devolutions.Server.Pam.PasswordPropagation.Factories.PropagatePasswordFactory.GetUserPrincipalName()
at Devolutions.Server.Pam.PasswordPropagation.Factories.PropagatePasswordFactory.Create()
at Devolutions.Server.Pam.PasswordPropagation.Factories.PropagatePasswordFactory.Create(PamCredentialBO credential, SecureString newPassword)
at Devolutions.Server.Pam.PasswordPropagation.Factories.PropagatePasswordFactory.<>c.<CreateAction>b__8_0(PamCredentialBO credential, SecureString newPassword)
at Devolutions.Server.Managers.Pam.PamManager.CommitPasswordChanges(PamCredential updatedCredential, SecureString password, PamUser user, PamBaseAdapter adapter, PamExecutionContext context)
at Devolutions.Server.Managers.Pam.PamManager.ResetPassword(Guid credentialId, PamUser user, PamBaseAdapter initialAdapter, PamExecutionContext context)
at Devolutions.Pam.Controllers.PamPasswordsController.ResetPassword(Guid id)

------------------------------------------

LdapException - The LDAP server is unavailable.

at System.DirectoryServices.Protocols.LdapConnection.Connect()
at System.DirectoryServices.Protocols.LdapConnection.SendRequestHelper(DirectoryRequest request, Int32& messageID)
at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
at System.DirectoryServices.AccountManagement.PrincipalContext.ReadServerConfig(String serverName, ServerProperties& properties)

Hi Joe,

If the accounts whose passwords you want to reset are members of the domain admins, then the PAM provider must be in the Domain Admins group too. It's an AD limitation and the PAM module cannot override that restriction.

About the LDAP error message you get, I will ask an engineer to have a look at that problem and will get back to you.

Thank you for your patience.

Best regards,

Érica Poirier

Hi Erica,

I was able to work around the domain admin limitation by granting the DVLS provider service account access to the AdminSDHolder as per https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/appendix-i--creating-management-accounts-for-protected-accounts-and-groups-in-active-directory?source=recommendations

For reference, the specific commands that were run on the domain DC are:
dsacls.exe CN=AdminSDHolder,CN=System,DC=domain,DC=local /G domain.local\service_dvls:CA;"Reset Password"
dsacls.exe CN=AdminSDHolder,CN=System,DC=domain,DC=local /G domain.local\service_dvls:CA;"Change Password"
dsacls.exe CN=AdminSDHolder,CN=System,DC=domain,DC=local /G domain.local\service_dvls:RPWP;"LockoutTime"
dsacls.exe CN=AdminSDHolder,CN=System,DC=domain,DC=local /G domain.local\service_dvls:RPWP;"PwdlastSet"
dsacls.exe CN=AdminSDHolder,CN=System,DC=domain,DC=local /G domain.local\service_dvls:RPWP;"userAccountControl"

Perhaps these steps can be added to the Devolutions KB article https://docs.devolutions.net/pam/kb/how-to-articles/least-permission-jit-group-elevation/

Please let me know if you would like more info.

Joe

Hi Joe,

Thank you very much for this information. We will indeed update our online documentation to include these steps.

About the error, I didn't get any feedback from our engineering team yet. As soon as I receive any information, I will let you know.

Thank you for your patience.

Best regards,

Érica Poirier

Hi Joe,

For the LDAPS issue, a ticket has been submitted to our engineering team. Once a fix is available, we will post it here.

Thank you for your patience.

Best regards,

Érica Poirier

Hello Joe,

Can you confirm whether the LDAPS issue still happens in 2023.3? I'm debugging this issue and I think it has been fixed with the recent changes we made in the new version of the PAM.

Best regards,

Paul Dumais

Hi Paul,

So far I haven't noticed any issues with LDAPS in 2023.3.6.

Please let me know if there is anything you would like me to test.

Joe

Thanks Joe,

I will mark the issue as closed for now, as I can't reproduce it and the code was completely changed so this issue should not happen anymore.

Best Regards,
Paul

Hi Erica,

Circling back on this one, I noticed that the KB article still doesn't have the steps for 'Creating Management Accounts for Protected Accounts and Groups in Active Directory'.

It's not a huge deal, but whenever I have to redo this, I have to find this forum request, as opposed to referencing the official documentation.

On a separate note, the following PowerShell code may be useful for some users in delegating the other permissions for non-protected accounts.

# Target OU and delegated account; both can be overridden by positional arguments.
$OU = "OU=Users,DC=domain,DC=local"
$User = "domain\dvls"

If ($null -ne $args[0]) {
    $OU = $args[0]
}

If ($null -ne $args[1]) {
    $User = $args[1]
}

# One dsacls invocation per right; /I:S applies each ACE to child objects of class "user".
$ProcessParams = @()
$ProcessParams += "`"$OU`" /I:S /G `"$User`":CA;`"Reset Password`";user"
$ProcessParams += "`"$OU`" /I:S /G `"$User`":CA;`"Change Password`";user"
$ProcessParams += "`"$OU`" /I:S /G `"$User`":RPWP;`"LockoutTime`";user"
$ProcessParams += "`"$OU`" /I:S /G `"$User`":RPWP;`"PwdlastSet`";user"
$ProcessParams += "`"$OU`" /I:S /G `"$User`":RPWP;`"userAccountControl`";user"

ForEach ($ProcessParam in $ProcessParams) {
    Start-Process -FilePath "dsacls.exe" -ArgumentList $ProcessParam -NoNewWindow -Wait
}

Thanks
Joe
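As an added example that is not part of this thread or of Devolutions' code, here is a PowerShell helper that audits which identities actually hold the five rights delegated by the dsacls commands and the script above, so the effective DACL on AdminSDHolder (or a user OU) can be verified after delegation. It assumes a domain-joined host with the RSAT ActiveDirectory module; the object DN and service account name in the usage line are placeholders.

```powershell
# Added audit helper (not from this thread or from Devolutions): lists who holds
# the five rights delegated above on an AD object such as AdminSDHolder or an OU.
# Assumes a domain-joined host with the RSAT ActiveDirectory module installed.
Import-Module ActiveDirectory

function Get-DelegatedPasswordRights {
    param([Parameter(Mandatory)][string]$DistinguishedName)

    $rootDse = Get-ADRootDSE

    # Resolve the control-access-right GUIDs from the configuration partition
    # rather than hard-coding them (rightsGuid is stored as a string).
    $rightsBase = "CN=Extended-Rights,$($rootDse.configurationNamingContext)"
    $extended = @{}
    foreach ($name in 'Reset Password', 'Change Password') {
        $obj = Get-ADObject -SearchBase $rightsBase -LDAPFilter "(displayName=$name)" -Properties rightsGuid
        $extended[[guid]$obj.rightsGuid] = $name
    }

    # Resolve the attribute GUIDs from the schema (schemaIDGUID is a byte array).
    $attrs = @{}
    foreach ($ldapName in 'lockoutTime', 'pwdLastSet', 'userAccountControl') {
        $obj = Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter "(lDAPDisplayName=$ldapName)" -Properties schemaIDGUID
        $attrs[[guid]$obj.schemaIDGUID] = $ldapName
    }

    $extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $writeProperty = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

    # Walk the DACL; ObjectType carries the right or attribute GUID for object-specific ACEs.
    foreach ($ace in (Get-Acl -Path "AD:\$DistinguishedName").Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $guid = $ace.ObjectType
        $right = $null
        if ($extended.ContainsKey($guid) -and $ace.ActiveDirectoryRights.HasFlag($extendedRight)) {
            $right = $extended[$guid]
        } elseif ($attrs.ContainsKey($guid) -and $ace.ActiveDirectoryRights.HasFlag($writeProperty)) {
            $right = "Write $($attrs[$guid])"
        }
        if ($right) {
            [pscustomobject]@{ Identity = $ace.IdentityReference.Value; Right = $right; Inherited = $ace.IsInherited }
        }
    }
}

# Usage: review every identity holding these rights on AdminSDHolder, then flag
# anything other than the intended PAM service account (placeholder names).
Get-DelegatedPasswordRights 'CN=AdminSDHolder,CN=System,DC=domain,DC=local' |
    Where-Object { $_.Identity -ne 'DOMAIN\service_dvls' } | Format-Table -AutoSize
```

Because SDProp copies the AdminSDHolder DACL onto every protected account, any identity listed with Reset Password here effectively holds it over all Domain Admins, which is why the list is worth reviewing after delegation.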

Hi Joe,

Thank you for your feedback and for sharing this PowerShell script with the community.

You are right, the KB hasn't been updated. I submitted a ticket to the documentation team to update it. They should do it in the next few days.

Best regards,

Érica Poirier

Perfect, thanks Erica.

Hi Joe,

The article has been updated!
https://docs.devolutions.net/pam/kb/how-to-articles/least-permission-jit-group-elevation/

As the link has been modified, I updated the links to this article in this thread.

Best regards,

Érica Poirier

Thanks Erica.

Joe

Hi Joe,

The article has been updated!
https://docs.devolutions.net/pam/kb/how-to-articles/least-privileges-ad-password/

As the link has been modified, I updated the links to this article in this thread.

Best regards,


@Erica Poirier
Hello,
Where did this article go?

Regards,
Simon

Hello,

Thank you for your feedback.

It's now on the PAM documentation section.
https://docs.devolutions.net/pam/kb/how-to-articles/least-permission-jit-group-elevation/

I have updated my posts in this thread.

Best regards,

Érica Poirier