-
Title
Cross-domain groups missing when using sid compression with Windows 2012 DC. Not getting correct group membership. Authentication Fails , Random Authentication failures. -
Description
Not getting correct group membership. There is a privilege attribute certificate (PAC) processing problem in cross-domain group configurations with Windows 2012 DCs using SID compression. The PAC contains information about the group membership and authorization information for the corresponding security principal. The problem shows as a difference between the number of groups in the PAC and the count in the PAC header.
The following in vasd debug is indicates this issue:
libvas_auth_get_pac() failed, error = VAS_ERR_FAILURE: Unspecified failure#012 Could not decode PAC#012 Caused by:#012 SYSERR--1: Unknown error 18446744073709551615
This error is also indicative of the issue:
vasd[1848]: [DEBUG libvaslogon.cpp:4414] Fatal error, libvaslogon_process_pac() failed with 0
This issue can cause authentication attempts to fail randomly.
-
Cause
The problem is caused by our handling of SID compression in this cross-domain situation with a mix of domain controllers' versions. There is a mix of 2003, 2008 and 2012 domain controllers. In a cross forest situation where a user's pac says it has compressed sids, then doesn't, and that breaks QAS's ability to parse the PAC. Defect ID #466358 has been created for the tracking of this issue.
-
Resolution
Windows 2012 Domain Controllers implement SID compression and is turned on by default.
WORKAROUND:
Setting msDS-SupportedEncryptionTypes to the value of 524319 turns off sid compression for the object. (Resource-SID-compression-disabled)
1 -Join the client to AD. For example: /opt/quest/bin/vastool -u administrator join yourdomain.com2 - You can run the following command as an AD administrator to set it after it is joined:/opt/quest/bin/vastool -u administrator setattrs host/ msDS-SupportedEncryptionTypes 524319
WORKAROUND 2:
Disable the SID compression on the Windows 2012 domain controllers. Please see the following Microsoft article for instructions:
RESOLUTION:
Upgrade to QAS 4.1.8 or higher. You can download the software from the following URL:
Note: While the login will now not stop on the pac parsing error after upgrading to QAS 4.1.8, the user's cross domain groups will still be missing, which still can cause issues, like failure to login due to lacking access control. For example: /opt/quest/bin/vastool user checklogin user201 command shows:
Access policy denial. User is not authorized to access this host.
DENIED (access denied) [user=user201] [service=login]Access Rule = [Only Allow rules defined, user does not match any allow rule]The below command shows that the group is not in the user's pac
/opt/quest/bin/vastool -u user201 auth -ps groupsRESOLUTION UPDATE:
Starting in version 4.2.2.25319 of Authentication Services the value of the msDS-SupportedEncryptionTypes attribute is set to 524319 by default. Upgrade.
To check the value:
vastool -u host/ attrs host/ msDS-SupportedEncryptionTypes
msDS-SupportedEncryptionTypes: 524319
-
Change Request
466358 -
Additional Information
Defect ID 694890 is for the same issue as 466358