Not getting correct group membership. There is a Privilege Attribute Certificate (PAC) processing problem in cross-domain group configurations with Windows Server 2012 domain controllers that use resource SID compression. The PAC carries the group membership and authorization information for the corresponding security principal. The problem shows up as a mismatch between the number of groups actually present in the PAC and the group count recorded in the PAC header.
The following vasd debug output indicates this issue:
libvas_auth_get_pac() failed, error = VAS_ERR_FAILURE: Unspecified failure#012 Could not decode PAC#012 Caused by:#012 SYSERR--1: Unknown error 18446744073709551615
This error is also indicative of the issue:
vasd: [DEBUG libvaslogon.cpp:4414] Fatal error, libvaslogon_process_pac() failed with 0
This issue can cause authentication attempts to fail intermittently.
The problem is caused by our handling of SID compression in a cross-domain environment with a mix of domain controller versions (Windows 2003, 2008 and 2012). In a cross-forest situation the user's PAC declares that it contains compressed SIDs but then does not, and that breaks QAS's ability to parse the PAC. Defect ID #466358 has been created to track this issue.
Windows Server 2012 domain controllers implement resource SID compression, and it is turned on by default.
Setting msDS-SupportedEncryptionTypes to the value 524319 turns off resource SID compression for the object. 524319 is 0x8001F: the Resource-SID-compression-disabled flag (0x80000) combined with the five encryption-type bits 0x1F (DES-CBC-CRC, DES-CBC-MD5, RC4-HMAC, AES128 and AES256). Note that writing the fixed value 524319 replaces whatever encryption types the object previously advertised, so check the current value first.
/opt/quest/bin/vastool -u administrator setattrs host/ msDS-SupportedEncryptionTypes 524319
Disable the SID compression on the Windows 2012 domain controllers. Please see the following Microsoft article for instructions:
Upgrade to QAS 4.1.8 or higher. You can download the software from the following URL:
Note: After upgrading to QAS 4.1.8 the login no longer stops on the PAC parsing error, but the user's cross-domain groups are still missing from the PAC. This can still cause problems, such as a login failure because access control is based on one of those groups. For example, /opt/quest/bin/vastool user checklogin user201 shows:
Access policy denial. User is not authorized to access this host.
The following command shows that the group is not in the user's PAC:
Starting in version 126.96.36.19919 of Authentication Services, the value of the msDS-SupportedEncryptionTypes attribute is set to 524319 by default. Upgrade to that version or later.
To check the value:
vastool -u host/ attrs host/ msDS-SupportedEncryptionTypes
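The attribute value is a bit mask, so reading "524319" straight from vastool attrs output tells you little by itself. The following Python helper, added here as an illustration and not part of Authentication Services or the original article, decodes the flags defined in MS-KILE section 2.2.7, tells you whether Resource-SID-compression-disabled is set, and computes a value that adds only that flag to the object's existing encryption types instead of overwriting them with 524319. The "attribute: value" line format used by parse_attrs_output is an assumption about what vastool attrs prints; the sample output embedded below is constructed for the example.

```python
"""Decode and adjust msDS-SupportedEncryptionTypes (MS-KILE 2.2.7 bit flags)."""

import re

# Bit flags of msDS-SupportedEncryptionTypes as defined in MS-KILE section 2.2.7.
ETYPE_FLAGS = {
    0x00001: "DES-CBC-CRC",
    0x00002: "DES-CBC-MD5",
    0x00004: "RC4-HMAC",
    0x00008: "AES128-CTS-HMAC-SHA1-96",
    0x00010: "AES256-CTS-HMAC-SHA1-96",
    0x10000: "FAST-supported",
    0x20000: "Compound-identity-supported",
    0x40000: "Claims-supported",
    0x80000: "Resource-SID-compression-disabled",
}
RESOURCE_SID_COMPRESSION_DISABLED = 0x80000
KB_VALUE = 524319  # the value the article tells you to set: 0x80000 | 0x1F
KNOWN_MASK = sum(ETYPE_FLAGS)


def decode_flags(value):
    """Return the names of the flags set in `value`, lowest bit first.
    Bits MS-KILE does not define are reported as one 'unknown-bits' entry."""
    names = [name for bit, name in sorted(ETYPE_FLAGS.items()) if value & bit]
    unknown = value & ~KNOWN_MASK
    if unknown:
        names.append("unknown-bits-0x%x" % unknown)
    return names


def sid_compression_disabled(value):
    """True when the object opts out of resource SID compression."""
    return bool(value & RESOURCE_SID_COMPRESSION_DISABLED)


def disable_sid_compression(value):
    """Return `value` with Resource-SID-compression-disabled set while keeping
    the encryption types the object already advertises (e.g. an AES-only host
    stays AES-only, unlike writing the fixed 524319)."""
    return value | RESOURCE_SID_COMPRESSION_DISABLED


def parse_attrs_output(text):
    """Pull the integer out of a 'msDS-SupportedEncryptionTypes: N' line.
    Assumed line shape; adjust the pattern if your vastool output differs."""
    m = re.search(r"^msDS-SupportedEncryptionTypes:\s*(\d+)\s*$", text, re.M)
    return int(m.group(1)) if m else None


# Constructed sample: an AES-only host object before the fix has been applied.
SAMPLE_ATTRS_OUTPUT = "msDS-SupportedEncryptionTypes: 24\n"

if __name__ == "__main__":
    current = parse_attrs_output(SAMPLE_ATTRS_OUTPUT)
    print("current  :", current, decode_flags(current))
    print("disabled?:", sid_compression_disabled(current))
    print("set to   :", disable_sid_compression(current),
          decode_flags(disable_sid_compression(current)))
    print("article  :", KB_VALUE, decode_flags(KB_VALUE))
```

Run the script as-is to see the constructed sample decoded; to check a real host, pipe the output of vastool -u host/ attrs host/ msDS-SupportedEncryptionTypes into parse_attrs_output and pass the result to disable_sid_compression to get the value for vastool setattrs.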