Networking issues with impersonation enabled
First, thank you for the great tool you created! Unfortunately I have run into some problems: when running a script with impersonation enabled, commands that need a network connection fail.
Server: Windows Server 2022, fresh install, domain joined
Here are some examples:
Simple ping from Terminal:
Impersonation disabled:
PS > ping github.com | Out-String
03.05.2023 10:18:55 System Loading script...
03.05.2023 10:18:55 System Beginning script execution...
03.05.2023 10:18:58 Data
Pinging github.com [140.82.121.4] with 32 bytes of data:
Reply from 140.82.121.4: bytes=32 time=17ms TTL=51
Reply from 140.82.121.4: bytes=32 time=17ms TTL=51
Reply from 140.82.121.4: bytes=32 time=22ms TTL=51
Reply from 140.82.121.4: bytes=32 time=17ms TTL=51
Ping statistics for 140.82.121.4:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 17ms, Maximum = 22ms, Average = 18ms
03.05.2023 10:18:58 System Script execution ended.
Impersonation enabled:
PS > ping github.com | Out-String
03.05.2023 10:20:36 System Loading script...
03.05.2023 10:20:36 System Beginning script execution...
03.05.2023 10:20:36 Data Ping request could not find host github.com. Please check the name and try again.
03.05.2023 10:20:36 System Script execution ended.
Simple script using Get-ADUser:
Script:
Param([string]$ADUser, [string]$Server)
# Report which Windows identity the runspace thread is actually running as
Write-Information "WindowsIdentity Current Name is $([System.Security.Principal.WindowsIdentity]::GetCurrent().Name)"
# Query the given domain controller for the user and output a few attributes
$User = Get-ADUser $ADUser -Server $Server -Properties *
$User.DistinguishedName
$User.Name
$User.Mail
Impersonation disabled:
specops_service_account is a normal domain user account
SpecOps | Script Runner
TimeStamp Type Data
03.05.2023 10:25:23 System Loading script...
03.05.2023 10:25:23 System Beginning script execution...
03.05.2023 10:25:23 Info WindowsIdentity Current Name is DOMAIN\specops_service_account
03.05.2023 10:25:23 Data CN=LastName\, FirstName,OU=IT,OU=Users,DC=domain,DC=com
03.05.2023 10:25:23 Data LastName, FirstName
03.05.2023 10:25:23 Data [email protected]
03.05.2023 10:25:23 System Script execution ended.
Impersonation enabled:
SpecOps | Script Runner
TimeStamp Type Data
03.05.2023 10:29:55 System Loading script...
03.05.2023 10:29:55 System Beginning script execution...
03.05.2023 10:29:55 Info WindowsIdentity Current Name is DOMAIN\admin_user
03.05.2023 10:29:55 Error Microsoft.ActiveDirectory.Management.ADServerDownException: Unable to contact the server. This may be because this server does not exist, it is currently down, or it does not have the Active Directory Web Services running.
---> System.ServiceModel.CommunicationException: The socket connection was aborted. This could be caused by an error processing your message or a receive timeout being exceeded by the remote host, or an underlying network resource issue. Local socket timeout was '00:01:59.9970000'.
---> System.IO.IOException: The read operation failed, see inner exception.
---> System.ServiceModel.CommunicationException: The socket connection was aborted. This could be caused by an error processing your message or a receive timeout being exceeded by the remote host, or an underlying network resource issue. Local socket timeout was '00:01:59.9970000'.
---> System.Net.Sockets.SocketException (10054): An existing connection was forcibly closed by the remote host.
at System.ServiceModel.Channels.SocketConnection.HandleReceiveAsyncCompleted()
at System.ServiceModel.Channels.SocketConnection.OnReceiveAsync(Object sender, SocketAsyncEventArgs eventArgs)
--- End of inner exception stack trace ---
at System.ServiceModel.Channels.SocketConnection.EndRead()
at System.ServiceModel.Channels.ConnectionStream.OnReadComplete(Object state)
--- End of stack trace from previous location ---
at System.ServiceModel.Channels.ConnectionStream.ReadAsync(Byte[] buffer, Int32 offset, Int32 count, CancellationToken cancellationToken)
at System.IO.Stream.ReadAtLeastAsyncCore(Memory`1 buffer, Int32 minimumBytes, Boolean throwOnEndOfStream, CancellationToken cancellationToken)
at System.Runtime.CompilerServices.PoolingAsyncValueTaskMethodBuilder`1.StateMachineBox`1.System.Threading.Tasks.Sources.IValueTaskSource.GetResult(Int16 token)
at System.Net.Security.NegotiateStream.g__ReadAllAsync|104_0[TIOAdapter](Stream stream, Memory`1 buffer, Boolean allowZeroRead, CancellationToken cancellationToken)
at System.Net.Security.NegotiateStream.ReadAsync[TIOAdapter](Memory`1 buffer, CancellationToken cancellationToken)
--- End of inner exception stack trace ---
at System.Net.Security.NegotiateStream.ReadAsync[TIOAdapter](Memory`1 buffer, CancellationToken cancellationToken)
at System.ServiceModel.Channels.StreamConnection.EndRead()
--- End of inner exception stack trace ---
at System.ServiceModel.Channels.StreamConnection.EndRead()
at System.ServiceModel.Channels.ConnectionHelpers.IConnectionExtensions.ReadAsync(IConnection connection, Int32 offset, Int32 size, TimeSpan timeout)
at System.ServiceModel.Channels.ConnectionHelpers.IConnectionExtensions.ReadAsync(IConnection connection, Byte[] buffer, Int32 offset, Int32 size, TimeSpan timeout)
at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.SendPreambleAsync(IConnection connection, ArraySegment`1 preamble, TimeSpan timeout)
at System.ServiceModel.Channels.ConnectionPoolHelper.EstablishConnectionAsync(TimeSpan timeout)
at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.OnOpenAsync(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.OnOpenAsyncInternal(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.System.ServiceModel.IAsyncCommunicationObject.OpenAsync(TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.OnOpenAsync(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.OnOpenAsyncInternal(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.System.ServiceModel.IAsyncCommunicationObject.OpenAsync(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.OpenAsyncInternal(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.CallOpenOnce.System.ServiceModel.Channels.ServiceChannel.ICallOnce.Call(ServiceChannel channel, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)
at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(MethodCall methodCall, ProxyOperationRuntime operation)
at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(MethodInfo targetMethod, Object[] args)
at generatedProxy_1.Get(Message)
at Microsoft.ActiveDirectory.Management.AdwsConnection.SearchAnObject(ADSearchRequest request)
--- End of inner exception stack trace ---
at Microsoft.ActiveDirectory.Management.AdwsConnection.InitializeForAutoReconnect[TChannel](Boolean& isAutoReconnecting, TChannel& channel, ChannelFactory`1& chFactory, String endpointName, CommunicationException& commException)
at Microsoft.ActiveDirectory.Management.AdwsConnection.SearchAnObject(ADSearchRequest request)
at Microsoft.ActiveDirectory.Management.AdwsConnection.Search(ADSearchRequest request)
at Microsoft.ActiveDirectory.Management.ADWebServiceStoreAccess.Microsoft.ActiveDirectory.Management.IADSyncOperations.Search(ADSessionHandle handle, ADSearchRequest request)
at Microsoft.ActiveDirectory.Management.ADObjectSearcher.GetRootDSE()
at Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase`1.GetRootDSE()
at Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase`1.GetConnectedStore()
at Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase`1.GetCmdletSessionInfo()
at Microsoft.ActiveDirectory.Management.Commands.ADGetCmdletBase`3.ADGetCmdletBaseProcessCSRoutine()
at Microsoft.ActiveDirectory.Management.CmdletSubroutinePipeline.Invoke()
at Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase`1.ProcessRecord()
03.05.2023 10:29:55 Error An unexpected error occurred. Null response received.
03.05.2023 10:29:55 Error An unexpected error occurred. Null response received.
03.05.2023 10:29:55 Error An unexpected error occurred. Null response received.
03.05.2023 10:29:55 System Script execution ended.
Ping from inside a script:
Using a hostname: 03.05.2023 10:34:52 | Data | Ping request could not find host server.domain.com. Please check the name and try again.
Using an IP address: 03.05.2023 10:34:52 | Data | Unable to contact IP driver. General failure.
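The Get-ADUser and ping results above show the same pattern: the thread reports the impersonated user's name correctly, but anything that has to leave the box fails. The following diagnostic is an added example, not part of the original issue or of the Script Runner project. It can be registered like the GetADUser.ps1 entry (once with EnableImpersonation true, once false) and the two outputs compared; it reports the token's impersonation level and then tries name resolution, a raw TCP connect and an authenticated LDAP bind as separate steps, so a DNS or firewall problem can be told apart from a token that is not usable off-box. $Server is assumed to be a domain controller name, as in the issue's script, and 9389 is the standard ADWS port that Get-ADUser talks to.

```powershell
# Added diagnostic, not part of the original issue or of the Script Runner project.
# $Server is assumed to be a domain controller, as in the issue's GetADUser.ps1.
Param([string]$Server)

$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
Write-Information "Name:               $($id.Name)"
Write-Information "AuthenticationType: $($id.AuthenticationType)"   # Kerberos or NTLM
# A token at Impersonation level obtained from a network logon is only valid on this
# host; using the identity against another host (ADWS, LDAP, SMB) requires a token at
# Delegation level, which needs Kerberos delegation configured for the app pool account.
Write-Information "ImpersonationLevel: $($id.ImpersonationLevel)"

function Test-Step([string]$Label, [scriptblock]$Action) {
    try {
        $result = & $Action
        Write-Information "$Label OK: $result"
    } catch {
        Write-Information "$Label FAILED: $($_.Exception.GetType().Name): $($_.Exception.Message)"
    }
}

# 1. Name resolution alone, no authentication involved. A failure here matches the
#    "could not find host" ping output in the issue.
Test-Step 'DNS' {
    ([System.Net.Dns]::GetHostAddresses($Server) | Select-Object -First 1).IPAddressToString
}

# 2. A plain TCP connect to the ADWS port (9389). Still no authentication, so this
#    separates a network or firewall problem from a token problem.
Test-Step 'TCP 9389' {
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($Server, 9389)
        "connected to $Server"
    } finally {
        $tcp.Close()
    }
}

# 3. An authenticated LDAP bind using the thread's current token. If steps 1 and 2
#    succeed but this fails, the impersonated token itself cannot authenticate off-box.
Test-Step 'LDAP RootDSE' {
    $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/RootDSE")
    $root.Properties['defaultNamingContext'].Value
}
```

The three steps are deliberately ordered from "no identity needed" to "identity needed", so the first step that fails points at the layer to investigate: DNS client access, network reachability, or the impersonation token's usability against a remote service.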
This is what I have in scriptsettings.json:
{
    "CategoryId": "Admin",
    "Id": "69E1162E-CA0A-4683-A643-29D57D8D1919",
    "PathAndFilename": "./Scripts/GetADUser.ps1",
    "Name": "Get-ADUser",
    "Summary": "Get-ADUser; EnableImpersonation: true",
    "EnableImpersonation": true,
    "InputParms": [
        {
            "Name": "ADUser",
            "Type": "text",
            "Placeholder": "Enter username..",
            "Description": "Input String Parameter",
            "Required": "true"
        },
        {
            "Name": "Server",
            "Type": "text",
            "Description": "Domain Controller",
            "Required": "true"
        }
    ],
    "Runspace": {
        "ExecutionPolicy": "Unrestricted",
        "Min": 1,
        "Max": 2,
        "Modules": [
            "ActiveDirectory"
        ]
    }
},
{
    "CategoryId": "Admin",
    "Id": "69E1162E-CA0A-4683-A643-29D57D8D1920",
    "PathAndFilename": "./Scripts/GetADUser.ps1",
    "Name": "Get-ADUser without Impersonation",
    "Summary": "Get-ADUser; EnableImpersonation: false",
    "EnableImpersonation": false,
    "InputParms": [
        {
            "Name": "ADUser",
            "Type": "text",
            "Placeholder": "Enter username..",
            "Description": "Input String Parameter",
            "Required": "true"
        },
        {
            "Name": "Server",
            "Type": "text",
            "Description": "Domain Controller",
            "Required": "true"
        }
    ],
    "Runspace": {
        "ExecutionPolicy": "Unrestricted",
        "Min": 1,
        "Max": 2,
        "Modules": [
            "ActiveDirectory"
        ]
    }
}
Thanks for letting me know - sorry to hear it isn't working for you. Can you confirm these for me?
OS: Windows Server 2022
Hosting: IIS
App Pool Identity: Domain service account
Authentication: Windows enabled (Anonymous, Forms, etc. all disabled)
I'll be honest, I haven't had the opportunity to really use the impersonation option very much so it could very well have some issues. I'll try to make some time this weekend to look into it further though and see what I can come up with.
Thanks-
Just a quick update - I tried this really quick tonight and can't seem to recreate the problem (yet). I'm just on a Windows 11 desktop that is not joined to a domain, but I was able to execute pings, Get-WebURL calls, etc. with impersonation on and off without issue.
Question, is the IIS App Pool's service account a local administrator on that server?
One other thought you might check - try temporarily disabling UAC just to see if that makes any difference.
Also, I don't suppose there's any additional info in the server's Event Viewer logs?
Thanks for letting me know - sorry to hear it isn't working for you. Can you confirm these for me?
OS: Windows Server 2022
Hosting: IIS
App Pool Identity: Domain service account
Authentication: Windows enabled (Anonymous, Forms, etc. all disabled)
Yes, this is correct.
Question, is the IIS App Pool's service account a local administrator on that server?
I added it, but without any success.
Also, I don't suppose there's any additional info in the server's Event Viewer logs?
Sorry, I am not sure where to look :/
Not quite sure since when, but ping is now working with impersonation enabled.
How can I log out from the web UI? Even after a server reboot I am still logged in.