Check Password Succeeds with incorrect password for AnyIdentity template Windows Accounts
Hello,
When using the 'Windows Accounts' AnyIdentity PAM provider from GitHub (https://github.com/Devolutions/PAM-Providers/tree/master/Providers/Windows%20Accounts), the manual check password synchronization does not appear to work properly. It shows success for empty and incorrect passwords.
Interestingly, when testing the Heartbeat scriptlet manually in the AnyIdentity template edit dialog, the password validation function does seem to return false for incorrect passwords, and true when correct.
Please let me know if additional information is required.
Thanks
Joe
Hi,
I have been able to reproduce your problem, I'll create a ticket and take a look at it.
Thank you
Marc-Andre Bouchard
Hi,
I made a modification on the AnyIdentity Provider and updated it on GitHub.
You can also change the Heartbeat script to this version:
[CmdletBinding()]
param (
    [Parameter(Mandatory = $True)][ValidateNotNullOrEmpty()][String]$Username,
    [Parameter(Mandatory = $True)][ValidateNotNullOrEmpty()][SecureString]$Password,
    [Parameter(Mandatory = $True)][ValidateNotNullOrEmpty()][String]$Hostname
)
try
{
    Add-Type -AssemblyName System.DirectoryServices.AccountManagement
    # 'machine' context: the credential is validated against the local SAM of $Hostname, not a domain
    $obj = New-Object System.DirectoryServices.AccountManagement.PrincipalContext('machine', $Hostname)
    # ValidateCredentials needs the plaintext, so decrypt the SecureString only for this call
    $BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
    $UnsecurePassword = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR)
    $result = $obj.ValidateCredentials($Username, $UnsecurePassword)
    if ($result -ne $true) {
        Write-Error "The username or password does not match the credential on the machine"
    }
    # Always emit the boolean so the template receives an explicit $true / $false
    Write-Output $result
}
catch
{
    Write-Error $_.Exception.ToString()
}
finally
{
    # Scrub the decrypted copy of the password and release the context
    if ($null -ne $BSTR) { [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($BSTR) }
    if ($null -ne $obj) { $obj.Dispose() }
}
Best regards
Marc-Andre Bouchard
Thank you very much for the quick turnaround Marc-Andre. The updated script works correctly now.
I've also added an option to the template (attached) to exclude disabled accounts during discovery. Not sure if I should be uploading this to GitHub to share with the community, or if it's something you would like to review first?
Windows Local Accounts.json
Hi Marc-Andre,
I'm encountering another related issue when attempting to do a password reset. The following error occurs if I try to reset the password of a local Windows account linked to the AnyIdentity provider. If I log on to the DVLS server and manually run New-PSSession with the same parameters as the AnyIdentity provider, it connects OK, so I think WinRM is working correctly.
PSRemotingTransportException - Connecting to remote server XXXXXX failed with the following error message : Illegal operation attempted on a registry key that has been marked for deletion. For more information, see the about_Remote_Troubleshooting Help topic.
The error message is similar to the issues described here:
https://learn.microsoft.com/en-us/sharepoint/troubleshoot/administration/800703fa-illegal-operation-error
https://stackoverflow.com/questions/27266379/while-trying-to-initiate-new-ps-session-it-stops-working-in-script
I'd prefer not to have to set the DisableForceUnload registry key on target systems, so is there a way the PowerShell code within the identity template can be adjusted so the error does not occur, or alternatively an automatic retry?
Thanks
Joe
Hi Joe,
Thank you, I will look and update the script. Don't hesitate if you see anything else that could be modified.
For your problem, I'm not yet sure what could be causing this. I will have to investigate.
Does it happen to you every time you reset?
And is the password still reset?
Thanks
Marc-Andre Bouchard
Hi Marc-Andre,
The reset is working today without any changes being made, so the issue may be sporadic. I think what is happening is that sometimes the Windows session on the remote machine takes a while to log off after an Invoke-Command has been run. If a new Invoke-Command is initiated too soon thereafter, it fails because Windows does not allow a user to log on while that same user's session is still logging off. Perhaps this can be circumvented by a retry and/or enumeration of existing user sessions on the remote machine prior to running the Invoke-Command: https://4sysops.com/archives/how-to-find-a-logged-in-user-remotely-using-powershell/
Regarding additional modifications to the Windows AnyIdentity template, one item I think would be useful is to be able to specify an OU in Active Directory to scan for computer objects, instead of manually specifying them in the provider configuration. I was thinking this could be achieved by adding an additional property to the template called LdapComputerContainer, but it wouldn't be applicable to the template being used for standalone machines. To address that it may be necessary to fork the AnyIdentity template into a domain-targeted one, and another for non-domain usage. Alternatively, if there was a way to make the properties on the template dynamic, the user could choose what method to use for the list of computers, and then the GUI would exclusively display the applicable properties.
Another concept for the computer source list, instead of using LDAP paths and/or strings containing hostnames, would be to dynamically query the DVLS vault(s) directly for computer connection entries matching a configurable filter. This might actually be a pretty good option, because then within the AnyIdentity template it may be possible to leverage properties of the entries defined in the connection vault, for example what credential to use on a per-computer basis. Also, it may be possible to support this approach with the AD synchronizer native to RDM (or maybe DVLS).
Please let me know if you would like more info.
Joe
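As an added example (not code from the Devolutions template or from this thread), here is one way to implement the retry Joe describes: a wrapper around Invoke-Command that retries only when the transport error is the "registry key that has been marked for deletion" case, and surfaces every other failure immediately. The function name, parameter names and the retry policy (4 attempts, 5 seconds apart) are my own assumptions; the hostname in the usage comment is a placeholder.

```powershell
# Added example: retry Invoke-Command while the previous session's profile is still unloading.
# Function name, parameters and retry policy are assumptions, not part of the DVLS template.
function Invoke-CommandWithRetry {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [Parameter(Mandatory = $true)][pscredential]$Credential,
        [Parameter(Mandatory = $true)][scriptblock]$ScriptBlock,
        [object[]]$ArgumentList = @(),
        [int]$MaxAttempts = 4,
        [int]$DelaySeconds = 5
    )

    for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
        try {
            # -ErrorAction Stop turns the remoting failure into a terminating error we can catch
            return Invoke-Command -ComputerName $ComputerName -Credential $Credential `
                -ScriptBlock $ScriptBlock -ArgumentList $ArgumentList -ErrorAction Stop
        }
        catch {
            # Only the profile-unload race is treated as transient; anything else is rethrown
            $isTransport = $_.Exception -is [System.Management.Automation.Remoting.PSRemotingTransportException]
            $isTransient = $isTransport -and ($_.Exception.Message -match 'marked for deletion')
            if (-not $isTransient -or $attempt -eq $MaxAttempts) {
                throw
            }
            Write-Verbose ("Attempt {0} of {1} against {2} hit a transient transport error; retrying in {3}s" -f `
                $attempt, $MaxAttempts, $ComputerName, $DelaySeconds)
            Start-Sleep -Seconds $DelaySeconds
        }
    }
}

# Usage (placeholder host; the credential is the provider's service account):
# Invoke-CommandWithRetry -ComputerName 'HOST01' -Credential (Get-Credential) -ScriptBlock { hostname } -Verbose
```

The delay gives the remote machine time to finish logging off the service account's previous session, which is the condition Joe suspects; matching on the message text is deliberate so that authentication or network failures are not masked by repeated attempts.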
Hi Marc-Andre,
Another update for you relating to the powershell commands in the anyidentity template for account discovery.
It might be useful to replace the WMI code for the discovery action with the PowerShell cmdlet Get-LocalUser, as I noticed WMI would deny access to the class 'Win32_UserAccount' if the user is not a local administrator. Comparatively, the PowerShell code below runs OK without the user being a local administrator, as long as they are a member of the local group 'Remote Management Users' on the target machine. I'm attempting to find a method of granting least-privilege access to the service account used by the DVLS PAM provider, and adding the account to the local group 'Remote Management Users' seems to provide sufficient PowerShell connectivity permissions to discover local accounts.
Please let me know if you would like more info.
Joe
# $ExcludeDisabled is supplied by the template property of the same name
if ($ExcludeDisabled)
{
    # -ErrorAction Stop belongs on Get-LocalUser so that a failure to enumerate is terminating
    $LocalAccounts = Get-LocalUser -ErrorAction 'Stop' | Where-Object { $_.Enabled -eq $true }
}
else
{
    $LocalAccounts = Get-LocalUser -ErrorAction 'Stop'
}
Hi Marc-Andre,
Another update for the Windows AnyIdentity template:
In the attached json template, the code for the Heartbeat action has been updated to run a script block on the remote machine via Invoke-Command, as the previous method was failing for machines in an untrusted domain.
Please let me know if you would like further info.
Joe
Windows Local Accounts (1).json
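The attached JSON is not shown in the thread, so as an added example (my own code, not Joe's attachment or the Devolutions template) here is a Heartbeat script in the shape Joe describes: the credential check runs inside an Invoke-Command script block on the target machine itself, so the PrincipalContext only ever talks to its own local SAM and no trust between the DVLS server's domain and the target's domain is needed. The $ProviderCredential parameter (the service account that opens the WinRM session) is an assumed name; how the real template supplies that credential is not stated on this page.

```powershell
# Added example of a Heartbeat that validates the account on the remote machine via Invoke-Command.
# $ProviderCredential is an assumed parameter name, not one defined by the DVLS template.
[CmdletBinding()]
param (
    [Parameter(Mandatory = $true)][ValidateNotNullOrEmpty()][string]$Username,
    [Parameter(Mandatory = $true)][ValidateNotNullOrEmpty()][SecureString]$Password,
    [Parameter(Mandatory = $true)][ValidateNotNullOrEmpty()][string]$Hostname,
    [Parameter(Mandatory = $true)][pscredential]$ProviderCredential
)

try
{
    # Bundle the account under test as a PSCredential. PowerShell remoting carries the
    # SecureString to the remote side encrypted, so no plaintext leaves this script.
    $target = New-Object System.Management.Automation.PSCredential($Username, $Password)

    $result = Invoke-Command -ComputerName $Hostname -Credential $ProviderCredential `
        -ErrorAction Stop -ArgumentList $target -ScriptBlock {
        param([pscredential]$Account)

        Add-Type -AssemblyName System.DirectoryServices.AccountManagement
        # 'Machine' with no host name means the local SAM of the machine this block runs on,
        # so it works for targets in an untrusted domain or a workgroup.
        $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext('Machine')
        try {
            # Plaintext exists only inside this remote session, for the duration of the call
            [bool]$ctx.ValidateCredentials($Account.UserName, $Account.GetNetworkCredential().Password)
        }
        finally {
            $ctx.Dispose()
        }
    }

    if ($result -ne $true) {
        Write-Error "The username or password does not match the credential on $Hostname"
    }
    # Explicit boolean back to the template, as in the original Heartbeat script
    Write-Output ([bool]$result)
}
catch
{
    Write-Error $_.Exception.ToString()
}
```

Because the check executes on the target, the only permission the provider's service account needs on that machine is the right to open a WinRM session, which fits the least-privilege 'Remote Management Users' approach discussed earlier in the thread.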
Hi Joe
Thanks for the edits, much appreciated. I had just encountered a problem with the heartbeat and your modification seems to correct it. For the option to remove disabled accounts, this is a nice addition that will come in handy. I uploaded your changes to our GitHub. If you ever have another modification, do not hesitate to make a PR on our GitHub.
Best regards.
Marc-Andre Bouchard
Hi Marc-Andre,
You're most welcome. How do I go about making a 'PR on our GitHub'?
I have another modification for the AccountDiscovery code that uses an ADSI object instead. Previously I/we changed it from WMI to the PowerShell cmdlet Get-LocalUser due to access denied when the WMI Win32_UserAccount class is queried without local administrative privilege. Unfortunately the PowerShell cmdlet Get-LocalUser doesn't work on legacy Windows 2012 machines, whereas the ADSI approach works both on Windows 2012 and newer.
Thanks
Joe
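Joe's ADSI version is in the pull request rather than on this page, so as an added example (my own code, not the PR's) here is a discovery function built on the WinNT ADSI provider. It returns the same two things the Get-LocalUser variant above needed (account name and whether it is enabled) plus the SID, and honours an -ExcludeDisabled switch by testing the ACCOUNTDISABLE bit of UserFlags. The function name and output shape are assumptions; the 0x2 flag value is the documented ADS_UF_ACCOUNTDISABLE constant.

```powershell
# Added example: enumerate local accounts through the WinNT ADSI provider, which is present
# on Windows Server 2012 where Get-LocalUser is not available. Function name is an assumption.
function Get-LocalAccountViaAdsi {
    [CmdletBinding()]
    param (
        [switch]$ExcludeDisabled
    )

    # ADS_UF_ACCOUNTDISABLE bit in the WinNT UserFlags attribute
    $ACCOUNTDISABLE = 0x2

    # ",computer" pins the path to the local machine's SAM rather than a domain of the same name
    $computer = [ADSI]"WinNT://$env:COMPUTERNAME,computer"

    foreach ($child in $computer.Children) {
        # Children also contains groups; keep only user objects
        if ($child.SchemaClassName -ne 'User') { continue }

        $flags   = [int]$child.UserFlags.Value
        $enabled = (($flags -band $ACCOUNTDISABLE) -eq 0)
        if ($ExcludeDisabled -and -not $enabled) { continue }

        # objectSid comes back as a byte array; convert it to the usual S-1-5-... string
        $sidBytes = [byte[]]$child.objectSid.Value
        $sid      = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)

        [pscustomobject]@{
            Name    = [string]$child.Name.Value
            Enabled = $enabled
            Sid     = $sid.Value
        }
    }
}

# Usage: run on the target machine (for example inside the discovery action's Invoke-Command
# script block, shipping the function body along with it), with or without -ExcludeDisabled.
Get-LocalAccountViaAdsi -ExcludeDisabled
```

Running the function inside the remote session rather than pointing the WinNT provider at a remote host from the DVLS server keeps the access path on WinRM, which is what the 'Remote Management Users' membership Joe mentioned grants; the WinNT provider itself, when used against a remote machine, goes over SAM RPC and needs separate permissions.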
Hi Joe
You can submit your change here: https://github.com/Devolutions/PAM-Providers
Let me know if you encounter any issues.
You can also submit it here and I'll be happy to import the change.
Thank you
Marc-Andre Bouchard
Hi Marc-Andre,
What buttons do I click on the GitHub site to submit a change? I have a GitHub account, but uploading files is disabled, and it doesn't let me create a new pull request.
Thanks
Joe
Hi
You will have to pull our project and create a branch and make us a PR of your branch to our Master branch.
Let me know if you have other questions.
Best regards
Marc-Andre Bouchard
Hi Marc-Andre,
PR submitted, https://github.com/Devolutions/PAM-Providers/pull/11
Thanks
Joe