
AdcsAuthorityInformationAccess: Multiple issues and/or bugs

Open · ericscheffler opened this issue 4 years ago · 1 comment

Details of the scenario you tried and the problem that is occurring

I am configuring a new CA with the intention of automating smart card (CAC) authentication as much as possible. With my configuration I'm attempting to remove all but the AIA included in my configuration below, but am getting the errors below when I attempt to run the config. There appear to be a number of issues occurring; the first is that before the first run of the configuration, the "Get-CaAiaUriList" is returning a value of "False" for the AllowRestartService parameter, which conflicts with that of my configuration where I set that value to "True"; the second is the "Type mismatch for property 'AiaUri'" error, which as of now I don't know why I'm seeing this; the final issue is that it appears that in lines 110-118 any entries not specified in the "AiaUri" parameter should be being removed from the server, but they are not (at least in my testing). Additionally, it is possible that these issues are being caused by my configuration being incorrect, but any feedback would be appreciated.

Verbose logs showing the problem

    VERBOSE: [cacca1]: LCM: [ Start Resource ] [[AdcsAuthorityInformationAccess]SetAia]
    VERBOSE: [cacca1]: LCM: [ Start Test ] [[AdcsAuthorityInformationAccess]SetAia]
    VERBOSE: [cacca1]: [[AdcsAuthorityInformationAccess]SetAia] Testing Active Directory Authority Information Access.
    VERBOSE: [cacca1]: [[AdcsAuthorityInformationAccess]SetAia] Getting Active Directory Authority Information Access.
    VERBOSE: [cacca1]: [[AdcsAuthorityInformationAccess]SetAia] Getting Active Directory Authority Information Access URI list for 'AddToCertificateAia'.
    VERBOSE: [cacca1]: [[AdcsAuthorityInformationAccess]SetAia] Retrieving local certification authority configuration.
    VERBOSE: [cacca1]: [[AdcsAuthorityInformationAccess]SetAia] Preparing the "cacca1.cacauth.test\cacauth-cacca1-CA-1" certification authority configuration.
    VERBOSE: [cacca1]: [[AdcsAuthorityInformationAccess]SetAia] Retrieving the authority information access extension entries for the certification authority.
    VERBOSE: [cacca1]: [[AdcsAuthorityInformationAccess]SetAia] Getting Active Directory Authority Information Access URI list for 'AddToCertificateOcsp'.
    VERBOSE: [cacca1]: [[AdcsAuthorityInformationAccess]SetAia] Retrieving local certification authority configuration.
    VERBOSE: [cacca1]: [[AdcsAuthorityInformationAccess]SetAia] Preparing the "cacca1.cacauth.test\cacauth-cacca1-CA-1" certification authority configuration.
    VERBOSE: [cacca1]: [[AdcsAuthorityInformationAccess]SetAia] Retrieving the authority information access extension entries for the certification authority.
    VERBOSE: [cacca1]: [[AdcsAuthorityInformationAccess]SetAia] NOTMATCH: Value (type 'System.Boolean') for property 'AllowRestartService' does not match. Current state is 'False' and desired state is 'True'. (DRC0021)
    VERBOSE: [cacca1]: [[AdcsAuthorityInformationAccess]SetAia] NOTMATCH: Type mismatch for property 'AiaUri' Current state type is 'System.String' and desired type is 'System.String[]'. (DRC0019)
    VERBOSE: [cacca1]: [[AdcsAuthorityInformationAccess]SetAia] Test-DscParameter result is 'False'. (DRC0026)
    VERBOSE: [cacca1]: LCM: [ End Test ] [[AdcsAuthorityInformationAccess]SetAia] in 0.1880 seconds.
    VERBOSE: [cacca1]: LCM: [ Start Set ] [[AdcsAuthorityInformationAccess]SetAia]
    VERBOSE: [cacca1]: [[AdcsAuthorityInformationAccess]SetAia] Setting Active Directory Authority Information Access.
    VERBOSE: [cacca1]: [[AdcsAuthorityInformationAccess]SetAia] Getting Active Directory Authority Information Access.
    VERBOSE: [cacca1]: [[AdcsAuthorityInformationAccess]SetAia] Getting Active Directory Authority Information Access URI list for 'AddToCertificateAia'.
    VERBOSE: [cacca1]: [[AdcsAuthorityInformationAccess]SetAia] Retrieving local certification authority configuration.
    VERBOSE: [cacca1]: [[AdcsAuthorityInformationAccess]SetAia] Preparing the "cacca1.cacauth.test\cacauth-cacca1-CA-1" certification authority configuration.
    VERBOSE: [cacca1]: [[AdcsAuthorityInformationAccess]SetAia] Retrieving the authority information access extension entries for the certification authority.
    VERBOSE: [cacca1]: [[AdcsAuthorityInformationAccess]SetAia] Getting Active Directory Authority Information Access URI list for 'AddToCertificateOcsp'.
    VERBOSE: [cacca1]: [[AdcsAuthorityInformationAccess]SetAia] Retrieving local certification authority configuration.
    VERBOSE: [cacca1]: [[AdcsAuthorityInformationAccess]SetAia] Preparing the "cacca1.cacauth.test\cacauth-cacca1-CA-1" certification authority configuration.
    VERBOSE: [cacca1]: [[AdcsAuthorityInformationAccess]SetAia] Retrieving the authority information access extension entries for the certification authority.
    VERBOSE: [cacca1]: [[AdcsAuthorityInformationAccess]SetAia] Adding 'AIA' URI 'http://<ServerDNSName>/CertEnroll/<ServerDNSName>_<CAName><CertificateName>.crt'.
    VERBOSE: [cacca1]: [[AdcsAuthorityInformationAccess]SetAia] Retrieving local certification authority configuration.
    VERBOSE: [cacca1]: [[AdcsAuthorityInformationAccess]SetAia] Preparing the "cacca1.cacauth.test\cacauth-cacca1-CA-1" certification authority configuration.
    VERBOSE: [cacca1]: [[AdcsAuthorityInformationAccess]SetAia] Retrieving existing authority information access extension entries.
    The specified authority information access extension entry already exists in the "cacca1.cacauth.test\cacauth-cacca1-CA-1" certification authority configuration.
        + CategoryInfo          : InvalidOperation: (http://<ServerD...ficateName>.crt:) [], CimException
        + FullyQualifiedErrorId : EntryAlreadyExists,Microsoft.CertificateServices.Administration.Commands.CA.AddAiaCommand
        + PSComputerName        : localhost

    VERBOSE: [cacca1]: [[AdcsAuthorityInformationAccess]SetAia] Removing 'AIA' URI 'ldap:///CN=<CATruncatedName>,CN=AIA,CN=Public Key Services,CN=Services,<ConfigurationContainer><CAObjectClass>'.
    VERBOSE: [cacca1]: [[AdcsAuthorityInformationAccess]SetAia] Retrieving local certification authority configuration.
    VERBOSE: [cacca1]: [[AdcsAuthorityInformationAccess]SetAia] Preparing the "cacca1.cacauth.test\cacauth-cacca1-CA-1" certification authority configuration.
    VERBOSE: [cacca1]: [[AdcsAuthorityInformationAccess]SetAia] Retrieving existing authority information access extension entries.
    VERBOSE: [cacca1]: [[AdcsAuthorityInformationAccess]SetAia] Removing the authority information access extension entry from the "cacca1.cacauth.test\cacauth-cacca1-CA-1" certification authority.
    VERBOSE: [cacca1]: [[AdcsAuthorityInformationAccess]SetAia] Active Directory Certificate Authority settings have changed, so 'CertSvc' service is restarting.
    VERBOSE: [cacca1]: [[AdcsAuthorityInformationAccess]SetAia] Retrieving CertSvc service information.
    VERBOSE: [cacca1]: [[AdcsAuthorityInformationAccess]SetAia] Restarting the CertSvc service.
    VERBOSE: [cacca1]: [[AdcsAuthorityInformationAccess]SetAia] Performing the operation "Restart-Service" on target "Active Directory Certificate Services (CertSvc)".
    VERBOSE: [cacca1]: LCM: [ End Set ] [[AdcsAuthorityInformationAccess]SetAia] in 1.0480 seconds.
    The PowerShell DSC resource '[AdcsAuthorityInformationAccess]SetAia' with SourceInfo 'C:\DSC\Configurations\ConfigureCA.ps1::151::9::AdcsAuthorityInformationAccess' threw one or more non-terminating errors while running the Set-TargetResource functionality. These errors are logged to the ETW channel called Microsoft-Windows-DSC/Operational. Refer to this channel for more details.
        + CategoryInfo          : InvalidOperation: (:) [], CimException
        + FullyQualifiedErrorId : NonTerminatingErrorFromProvider
        + PSComputerName        : localhost

    VERBOSE: [cacca1]: LCM: [ End Set ]
    The SendConfigurationApply function did not succeed.
        + CategoryInfo          : NotSpecified: (root/Microsoft/...gurationManager:String) [], CimException
        + FullyQualifiedErrorId : MI RESULT 1
        + PSComputerName        : localhost

    VERBOSE: Operation 'Invoke CimMethod' complete.
    VERBOSE: Time taken for configuration job to complete is 212.545 seconds

Suggested solution to the issue

The DSC configuration that is used to reproduce the issue (as detailed as possible)

        # Configure AIA
        AdcsAuthorityInformationAccess SetAia
        {
            IsSingleInstance    = 'Yes'
            AiaUri              = @(
                'http://<ServerDNSName>/CertEnroll/<ServerDNSName>_<CAName><CertificateName>.crt'
            )
            AllowRestartService = $true
        }

The operating system the target node is running

    OsName               : Microsoft Windows Server 2019 Datacenter
    OsOperatingSystemSKU : DatacenterServerEdition
    OsArchitecture       : 64-bit
    WindowsVersion       : 1809
    WindowsBuildLabEx    : 17763.1.amd64fre.rs5_release.180914-1434
    OsLanguage           : en-US
    OsMuiLanguages       : {en-US}

Version and build of PowerShell the target node is running

    Name                           Value
    ----                           -----
    PSVersion                      5.1.17763.1490
    PSEdition                      Desktop
    PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
    BuildVersion                   10.0.17763.1490
    CLRVersion                     4.0.30319.42000
    WSManStackVersion              3.0
    PSRemotingProtocolVersion      2.3
    SerializationVersion           1.1.0.1

Version of the DSC module that was used ('dev' if using current dev branch)

ActiveDirectoryCSDsc 5.0.0

ericscheffler · Mar 23 '21 18:03
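An added example (not ActiveDirectoryCSDsc's own code) of the PowerShell behaviour that produces a "Type mismatch for property 'AiaUri'" line like the one in the log above: a one-entry URI list emitted from a function is unrolled to a bare String, so the current state compares as System.String while the configuration supplies System.String[]. The function names, the constructed single-entry list and the simplified type check are assumptions for illustration.

```powershell
# Constructed sample: the CA has exactly one AIA URI configured.
$script:ConstructedAiaEntries = @(
    'http://<ServerDNSName>/CertEnroll/<ServerDNSName>_<CAName><CertificateName>.crt'
)

function Get-AiaUriUnrolled {
    # Hypothetical lookup. Emitting the array to the pipeline lets PowerShell
    # unroll a one-element array into a bare [String] on the caller's side.
    return $script:ConstructedAiaEntries
}

function Get-AiaUriTyped {
    # Same lookup, but the leading comma wraps the [String[]] in an outer
    # array, so the caller receives the typed array intact regardless of how
    # many entries exist (Write-Output -NoEnumerate achieves the same thing).
    return ,([System.String[]] @($script:ConstructedAiaEntries))
}

function Test-ParameterTypeMatch {
    [CmdletBinding()]
    param ($CurrentValue, $DesiredValue)
    # Simplified stand-in for the DRC0019 check: compare the runtime types
    # before comparing contents, and report a mismatch the way the log did.
    $currentType = $CurrentValue.GetType().FullName
    $desiredType = $DesiredValue.GetType().FullName
    if ($currentType -ne $desiredType) {
        Write-Verbose ("Type mismatch: current state type is '{0}' and desired type is '{1}'." -f $currentType, $desiredType)
        return $false
    }
    return $true
}

# Desired state as a DSC configuration would supply it: a [String[]].
$desired = [System.String[]] @(
    'http://<ServerDNSName>/CertEnroll/<ServerDNSName>_<CAName><CertificateName>.crt'
)

# Unrolled lookup: current is System.String, desired is System.String[] -> $false
Test-ParameterTypeMatch -CurrentValue (Get-AiaUriUnrolled) -DesiredValue $desired -Verbose

# Typed lookup: both sides are System.String[] -> $true
Test-ParameterTypeMatch -CurrentValue (Get-AiaUriTyped) -DesiredValue $desired -Verbose
```

The same unrolling applies when the lookup result is assigned into the hashtable that Get-TargetResource returns, so a single configured AIA entry is the case most likely to expose it.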

Same as #138?

dan-hughes · Apr 18 '24 08:04