If CA is unavailable, Auditing/ESC6/ESC11 Reporting is Unclear
Describe the Bug
If Locksmith cannot get data from certutil.exe (either from network issues or limited privileges), Locksmith reports Auditing/ESC6/ESC11 Issue as "CA Unavailable" and Fix as "N/A". This is not helpful.
Steps To Reproduce
- Lock down the use of certutil by low-privileged users.
- Run Locksmith.
Expected Behavior
If CA is unavailable, Locksmith should return the reason why it's unavailable.
Environment
- Locksmith Version: 2025.1.14 (unreleased)
- OS: Windows Server 2019
- PowerShell Version: Windows PowerShell 5.1
- PowerShell Host: VS Code Terminal
Additional Context
Submitted on behalf of @PSmithing
I'm struggling with this issue even in a situation where I do have adequate privileges. All the PS Modules are loaded but even with admin level it lists CA Unavailable. Would be nice to get some feedback because every other test I've run between the systems passes.
I'm happy to assist with some troubleshooting or testing too.
Let's add some extra handling to lines that rely on CertUtil. We should capture the command output and proceed based on the strings or error level returned. Some responses that we might be able to handle are:
- Administrator permissions are needed to use the selected options.
- The network path was not found.
- The system can't find the file specified. 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND)
- The network name can't be found. 0x80070043 (WIN32: 67 ERROR_BAD_NET_NAME)
- A connection with the server couldn't be established 0x80072efd (INet: 12029 ERROR_INTERNET_CANNOT_CONNECT)
- The server name or address couldn't be resolved 0x80072ee7 (INet: 12007 ERROR_INTERNET_NAME_NOT_RESOLVED)
And these strings should give us enough info to provide a helpful follow-up in PowerShell.
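As an added illustration of the handling proposed above (not Locksmith's own code), this hypothetical helper runs certutil against one CA, captures stdout, stderr and the exit code, and maps the error strings listed in this thread to a reason and a follow-up hint instead of a bare "CA Unavailable". The `Test-CertUtilAccess` name, the reason/suggestion wording and the use of `-getreg CA\AuditFilter` as the probe are assumptions made for the example.

```powershell
function Test-CertUtilAccess {
    # Hypothetical helper (not part of Locksmith): classify why certutil
    # could not talk to a CA so the report can show a reason, not "N/A".
    [CmdletBinding()]
    param(
        # CA config string in the form "hostname\CA Name"
        [Parameter(Mandatory)] [string]$CAConfig
    )

    # certutil failure strings quoted in the thread, mapped to an assumed reason/hint.
    $KnownFailures = @(
        @{ Pattern = 'Administrator permissions are needed';           Reason = 'Insufficient privileges';        Suggestion = 'Run Locksmith with an account that is an administrator of the CA.' },
        @{ Pattern = 'network path was not found|0x80070043';          Reason = 'CA host not reachable (RPC/SMB)'; Suggestion = 'Verify the CA hostname and that RPC/SMB are reachable from this host.' },
        @{ Pattern = 'ERROR_FILE_NOT_FOUND|0x80070002';                 Reason = 'CA service or config not found';  Suggestion = 'Check the CA name in the config string and that CertSvc is running.' },
        @{ Pattern = 'ERROR_INTERNET_CANNOT_CONNECT|0x80072efd';        Reason = 'Connection could not be established'; Suggestion = 'Check firewall rules between this host and the CA.' },
        @{ Pattern = 'ERROR_INTERNET_NAME_NOT_RESOLVED|0x80072ee7';     Reason = 'DNS resolution failed';           Suggestion = 'Confirm the CA hostname resolves from this host.' }
    )

    $Result = [pscustomobject]@{
        CAConfig = $CAConfig; Available = $false; ExitCode = $null
        Reason = 'OK'; Suggestion = 'N/A'; RawOutput = ''
    }

    try {
        # 2>&1 merges certutil's stderr into the captured text so the strings can be inspected.
        $Output   = & certutil.exe -config $CAConfig -getreg CA\AuditFilter 2>&1 | Out-String
        $ExitCode = $LASTEXITCODE
    } catch {
        # certutil.exe itself could not be started (e.g. blocked for this user).
        $Result.Reason     = "certutil.exe could not be executed: $($_.Exception.Message)"
        $Result.Suggestion = 'Confirm certutil.exe is present and not blocked for this account.'
        return $Result
    }

    $Result.ExitCode  = $ExitCode
    $Result.Available = ($ExitCode -eq 0)
    $Result.RawOutput = $Output.Trim()

    if ($ExitCode -ne 0) {
        $Match = $KnownFailures | Where-Object { $Output -match $_.Pattern } | Select-Object -First 1
        if ($Match) {
            $Result.Reason     = $Match.Reason
            $Result.Suggestion = $Match.Suggestion
        } else {
            $Result.Reason     = "certutil exited with code $ExitCode (unrecognised error)"
            $Result.Suggestion = 'Inspect RawOutput for the certutil error text.'
        }
    }
    return $Result
}
```

Calling `Test-CertUtilAccess -CAConfig 'ca01.example.local\Example-CA'` returns an object whose `Reason` and `Suggestion` fields can be placed in the Issue and Fix columns when `Available` is false.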
@MNTech68 are you using Locksmith in a multi-domain forest?
No, this is a single domain/forest configuration.
The code requires a 'PING' check before assuming the CA is online. Networks that do not allow ICMP requests will be unable to complete the test suite.
Hi @caractacus! Are you providing a possible answer to @MNTech68 or are you making a request to bypass ping checks?
An option to skip online checks would be of value to some of our use cases. I’ll try it out. Would you like a pull request? Might take some time.
PRs are always welcome!