
AdcsAuthorityInformationAccess: Multiple issues and/or bugs #128

Open
ericscheffler opened this issue Mar 23, 2021 · 1 comment · May be fixed by #141
Labels
bug The issue is a bug. help wanted The issue is up for grabs for anyone in the community. needs investigation The issue needs to be investigated by the maintainers or/and the community.

Comments

@ericscheffler

Details of the scenario you tried and the problem that is occurring

I am configuring a new CA with the intention of automating smart card (CAC) authentication as much as possible. With my configuration I'm attempting to remove all but the AIA included in my configuration below, but am getting the errors below when I attempt to run the config. There appear to be a number of issues occurring. The first is that before the first run of the configuration, "Get-CaAiaUriList" is returning a value of "False" for the AllowRestartService parameter, which conflicts with my configuration, where I set that value to "True". The second is the "Type mismatch for property 'AiaUri'" error, which as of now I don't know why I'm seeing. The final issue is that it appears that in lines 110-118 any entries not specified in the "AiaUri" parameter should be removed from the server, but they are not (at least in my testing). Additionally, it is possible that these issues are being caused by my configuration being incorrect, but any feedback would be appreciated.

Verbose logs showing the problem

VERBOSE: [cacca1]: LCM: [ Start Resource ] [[AdcsAuthorityInformationAccess]SetAia]
VERBOSE: [cacca1]: LCM: [ Start Test ] [[AdcsAuthorityInformationAccess]SetAia]
VERBOSE: [cacca1]: [[AdcsAuthorityInformationAccess]SetAia] Testing Active Directory Authority Information Access.
VERBOSE: [cacca1]: [[AdcsAuthorityInformationAccess]SetAia] Getting Active Directory Authority Information Access.
VERBOSE: [cacca1]: [[AdcsAuthorityInformationAccess]SetAia] Getting Active Directory Authority Information Access URI list for 'AddToCertificateAia'.
VERBOSE: [cacca1]: [[AdcsAuthorityInformationAccess]SetAia] Retrieving local certification authority configuration.
VERBOSE: [cacca1]: [[AdcsAuthorityInformationAccess]SetAia] Preparing the "cacca1.cacauth.test\cacauth-cacca1-CA-1" certification authority configuration.
VERBOSE: [cacca1]: [[AdcsAuthorityInformationAccess]SetAia] Retrieving the authority information access extension entries for the certification authority.
VERBOSE: [cacca1]: [[AdcsAuthorityInformationAccess]SetAia] Getting Active Directory Authority Information Access URI list for 'AddToCertificateOcsp'.
VERBOSE: [cacca1]: [[AdcsAuthorityInformationAccess]SetAia] Retrieving local certification authority configuration.
VERBOSE: [cacca1]: [[AdcsAuthorityInformationAccess]SetAia] Preparing the "cacca1.cacauth.test\cacauth-cacca1-CA-1" certification authority configuration.
VERBOSE: [cacca1]: [[AdcsAuthorityInformationAccess]SetAia] Retrieving the authority information access extension entries for the certification authority.
VERBOSE: [cacca1]: [[AdcsAuthorityInformationAccess]SetAia] NOTMATCH: Value (type 'System.Boolean') for property 'AllowRestartService' does not match. Current state is 'False' and desired state is 'True'. (DRC0021)
VERBOSE: [cacca1]: [[AdcsAuthorityInformationAccess]SetAia] NOTMATCH: Type mismatch for property 'AiaUri' Current state type is 'System.String' and desired type is 'System.String[]'. (DRC0019)
VERBOSE: [cacca1]: [[AdcsAuthorityInformationAccess]SetAia] Test-DscParameter result is 'False'. (DRC0026)
VERBOSE: [cacca1]: LCM: [ End Test ] [[AdcsAuthorityInformationAccess]SetAia] in 0.1880 seconds.
VERBOSE: [cacca1]: LCM: [ Start Set ] [[AdcsAuthorityInformationAccess]SetAia]
VERBOSE: [cacca1]: [[AdcsAuthorityInformationAccess]SetAia] Setting Active Directory Authority Information Access.
VERBOSE: [cacca1]: [[AdcsAuthorityInformationAccess]SetAia] Getting Active Directory Authority Information Access.
VERBOSE: [cacca1]: [[AdcsAuthorityInformationAccess]SetAia] Getting Active Directory Authority Information Access URI list for 'AddToCertificateAia'.
VERBOSE: [cacca1]: [[AdcsAuthorityInformationAccess]SetAia] Retrieving local certification authority configuration.
VERBOSE: [cacca1]: [[AdcsAuthorityInformationAccess]SetAia] Preparing the "cacca1.cacauth.test\cacauth-cacca1-CA-1" certification authority configuration.
VERBOSE: [cacca1]: [[AdcsAuthorityInformationAccess]SetAia] Retrieving the authority information access extension entries for the certification authority.
VERBOSE: [cacca1]: [[AdcsAuthorityInformationAccess]SetAia] Getting Active Directory Authority Information Access URI list for 'AddToCertificateOcsp'.
VERBOSE: [cacca1]: [[AdcsAuthorityInformationAccess]SetAia] Retrieving local certification authority configuration.
VERBOSE: [cacca1]: [[AdcsAuthorityInformationAccess]SetAia] Preparing the "cacca1.cacauth.test\cacauth-cacca1-CA-1" certification authority configuration.
VERBOSE: [cacca1]: [[AdcsAuthorityInformationAccess]SetAia] Retrieving the authority information access extension entries for the certification authority.
VERBOSE: [cacca1]: [[AdcsAuthorityInformationAccess]SetAia] Adding 'AIA' URI 'http:///CertEnroll/_.crt'.
VERBOSE: [cacca1]: [[AdcsAuthorityInformationAccess]SetAia] Retrieving local certification authority configuration.
VERBOSE: [cacca1]: [[AdcsAuthorityInformationAccess]SetAia] Preparing the "cacca1.cacauth.test\cacauth-cacca1-CA-1" certification authority configuration.
VERBOSE: [cacca1]: [[AdcsAuthorityInformationAccess]SetAia] Retrieving existing authority information access extension entries.
The specified authority information access extension entry already exists in the "cacca1.cacauth.test\cacauth-cacca1-CA-1" certification authority configuration.
+ CategoryInfo : InvalidOperation: (http://<ServerD...ficateName>.crt:) [], CimException
+ FullyQualifiedErrorId : EntryAlreadyExists,Microsoft.CertificateServices.Administration.Commands.CA.AddAiaCommand
+ PSComputerName : localhost

VERBOSE: [cacca1]: [[AdcsAuthorityInformationAccess]SetAia] Removing 'AIA' URI 'ldap:///CN=,CN=AIA,CN=Public Key Services,CN=Services,'.
VERBOSE: [cacca1]: [[AdcsAuthorityInformationAccess]SetAia] Retrieving local certification authority configuration.
VERBOSE: [cacca1]: [[AdcsAuthorityInformationAccess]SetAia] Preparing the "cacca1.cacauth.test\cacauth-cacca1-CA-1" certification authority configuration.
VERBOSE: [cacca1]: [[AdcsAuthorityInformationAccess]SetAia] Retrieving existing authority information access extension entries.
VERBOSE: [cacca1]: [[AdcsAuthorityInformationAccess]SetAia] Removing the authority information access extension entry from the "cacca1.cacauth.test\cacauth-cacca1-CA-1" certification authority.
VERBOSE: [cacca1]: [[AdcsAuthorityInformationAccess]SetAia] Active Directory Certificate Authority settings have changed, so 'CertSvc' service is restarting.
VERBOSE: [cacca1]: [[AdcsAuthorityInformationAccess]SetAia] Retrieving CertSvc service information.
VERBOSE: [cacca1]: [[AdcsAuthorityInformationAccess]SetAia] Restarting the CertSvc service.
VERBOSE: [cacca1]: [[AdcsAuthorityInformationAccess]SetAia] Performing the operation "Restart-Service" on target "Active Directory Certificate Services (CertSvc)".
VERBOSE: [cacca1]: LCM: [ End Set ] [[AdcsAuthorityInformationAccess]SetAia] in 1.0480 seconds.
The PowerShell DSC resource '[AdcsAuthorityInformationAccess]SetAia' with SourceInfo 'C:\DSC\Configurations\ConfigureCA.ps1::151::9::AdcsAuthorityInformationAccess' threw one or more non-terminating errors while running the Set-TargetResource functionality. These errors are logged to the ETW channel called Microsoft-Windows-DSC/Operational. Refer to this channel for more details.
+ CategoryInfo : InvalidOperation: (:) [], CimException
+ FullyQualifiedErrorId : NonTerminatingErrorFromProvider
+ PSComputerName : localhost

VERBOSE: [cacca1]: LCM: [ End Set ]
The SendConfigurationApply function did not succeed.
+ CategoryInfo : NotSpecified: (root/Microsoft/...gurationManager:String) [], CimException
+ FullyQualifiedErrorId : MI RESULT 1
+ PSComputerName : localhost

VERBOSE: Operation 'Invoke CimMethod' complete.
VERBOSE: Time taken for configuration job to complete is 212.545 seconds

Suggested solution to the issue

The DSC configuration that is used to reproduce the issue (as detailed as possible)

        # Configure AIA
        AdcsAuthorityInformationAccess SetAia
        {
            IsSingleInstance    = 'Yes'
            AiaUri              = @(
                'http://<ServerDNSName>/CertEnroll/<ServerDNSName>_<CAName><CertificateName>.crt'
            )
            AllowRestartService = $true
        }

The operating system the target node is running

OsName : Microsoft Windows Server 2019 Datacenter
OsOperatingSystemSKU : DatacenterServerEdition
OsArchitecture : 64-bit
WindowsVersion : 1809
WindowsBuildLabEx : 17763.1.amd64fre.rs5_release.180914-1434
OsLanguage : en-US
OsMuiLanguages : {en-US}

Version and build of PowerShell the target node is running

Name                           Value
----                           -----
PSVersion                      5.1.17763.1490
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.17763.1490
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

Version of the DSC module that was used ('dev' if using current dev branch)

ActiveDirectoryCSDsc 5.0.0
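An added example, not code from this issue or from the ActiveDirectoryCSDsc module, showing how a function that returns a CA's AIA list can hand back a single [string] when the CA holds one entry, and how to compare current and desired lists to get the entries a Set step would have to add and remove. It assumes (my hypothesis, not confirmed by the thread) that PowerShell unrolling a one-element array is what the DRC0019 'String' vs 'String[]' mismatch reports; the sample URI lists are constructed, with the LDAP entry written using the standard ADCS placeholder tokens.

```powershell
# Added example; not code from this issue or from ActiveDirectoryCSDsc.
# Assumption: the DRC0019 mismatch comes from PowerShell unrolling a
# one-element array when a function emits it, so a CA with a single AIA
# entry yields a scalar [string]. The leading comma in the return prevents that.

function Get-AiaUriListSafe {
    [OutputType([System.String[]])]
    param ([string[]] $Entries)   # constructed input; on a real CA the list would
                                  # come from Get-CAAuthorityInformationAccess
    # @() guarantees an array for zero or one items; the comma wraps it so the
    # pipeline unrolls only the outer layer and the caller receives a [string[]].
    return , [string[]] @($Entries)
}

function Compare-AiaUriList {
    # Derives what a Set step would need to add and remove so that the CA
    # carries exactly the desired entries and nothing else.
    param ([string[]] $Current, [string[]] $Desired)
    $toAdd    = @($Desired | Where-Object { $_ -notin $Current })
    $toRemove = @($Current | Where-Object { $_ -notin $Desired })
    [pscustomobject]@{
        Add            = $toAdd
        Remove         = $toRemove
        InDesiredState = ($toAdd.Count -eq 0 -and $toRemove.Count -eq 0)
    }
}

# Constructed sample: the two default AIA entries of a fresh CA versus a desired
# state that keeps only the HTTP entry (as in the configuration above).
$httpUri = 'http://<ServerDNSName>/CertEnroll/<ServerDNSName>_<CAName><CertificateName>.crt'
$ldapUri = 'ldap:///CN=<CATruncatedName>,CN=AIA,CN=Public Key Services,CN=Services,<ConfigurationContainer><CAObjectClass>'

$current = Get-AiaUriListSafe -Entries @($ldapUri, $httpUri)
$desired = Get-AiaUriListSafe -Entries @($httpUri)

# Type check for the single-entry case: with the comma operator the element
# type stays an array, which is what the resource's Test step compares against.
$desired.GetType().Name

# The Remove set is what would be passed, entry by entry, to
# Remove-CAAuthorityInformationAccess; Add is empty for this sample.
$diff = Compare-AiaUriList -Current $current -Desired $desired
$diff | Format-List
```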

@PlagueHO PlagueHO added bug The issue is a bug. needs investigation The issue needs to be investigated by the maintainers or/and the community. help wanted The issue is up for grabs for anyone in the community. labels Apr 9, 2021
@dan-hughes
Contributor

Same as #138?

dan-hughes pushed a commit to dan-hughes/ActiveDirectoryCSDsc that referenced this issue Apr 18, 2024