Jump to content

Local Admin Heartbeat not working


DerBagger
 Share

Recommended Posts

Hey guys,

 

we are trying to set up your password reset feature for our Windows 2019 servers.

We want to manage a different local admin account on each server.

The funny thing is that we can reset the accounts via Passwordstate, but we can´t check the heartbeat.

 

Every time I try to send a manuel heartbeat I get the following error:

	
A manual Account Heartbeat check failed to validated the password for account Lapras (\IT\Windows\Windows Server lokale Admins) of Account Type 'Windows' 
on Host juno.****.de. Error = Failed to validate the local password for account 'Lapras' on Host 'juno.****.de'.
Error = Ausnahme beim Aufrufen von "ValidateCredentials" mit 3 Argument(en): "Zugriff verweigert" 

 

I tried to run your heartbeat ps script from the host itself. It is working on the host without a problem.

 

Do you guys have any idea what I did wrong?

Link to comment
Share on other sites

Hi DerBagger,

 

Access Denied in our script could possibly be caused by the account being locked out, which I assume isn't the case as you can run the script manually on the remote host.  Or possibly if you have UAC (User Account Control (UAC) turned on, on your Passwordstate web server.  Could you try turning it off, and then run the script again?  Does this help at all?  To turn it off, please search for UAC under the start menu, and turn the slider down to "Never Notify"

 

If it does we may need to put a better explanation of this in the error output, instead of just "Access is Denied".

 

Regards,

Support.

 

 

Link to comment
Share on other sites

  • 2 months later...

Hi @support

@DerBagger

 

We had the same problem in our environment. You find the solution below.
 

Error = Exception when calling "ValidateCredentials" with 3 argument(s): "Access denied"


I've been doing research here for a while now. Even if I disable UAC on PasswordState Server and the target server I still get the error message when I do a heartbeat check. 
As soon as I execute your script locally on the target system in Powershell it works.

If i execute the following part of your script (or the whole script) from the PasswordState Server, i get the exact same error.
So the ValidateCredential method from the System.DirectoryServices.AccountManagement.PrincipalContext class cannot connect to a remote network resource with (remote) local administrative accounts:

 

$UserName = 'Administrator'
$HostName = 'TestHost.domain.local'
$CurrentPassword = 'TestPassword123!'

Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$DS = New-Object System.DirectoryServices.AccountManagement.PrincipalContext([System.DirectoryServices.AccountManagement.ContextType]::Machine, $HostName)
$resultsarray = '' 
$resultsarray = $DS.ValidateCredentials($UserName, $CurrentPassword, [DirectoryServices.AccountManagement.ContextOptions]::Negotiate) 2>&1


I also tried to connect to the remote Server with same credentials via CIM or WMI, i also get an access denied error, same problem:

 

$UserName = 'Administrator'
$HostName = 'TestHost.domain.local'
$CurrentPassword = 'TestPassword123!'

$cred = [System.Management.Automation.PsCredential]::new($Username, (ConvertTo-SecureString $CurrentPassword -AsPlainText -Force))
Get-WMiObject win32_computersystem -ComputerName $HostName -Credential $cred

 

 

Solution:
This has to do with a restriction in remote access of network resources that was added in Windows Server 2008.
This is NOT necessary for communication within a domain. You only need to do this for communication from Domain -> Workgroup or Domain -> Other Domain (Not Trusted).
See the the follow Microsoft article: https://docs.microsoft.com/en-us/troubleshoot/windows-client/networking/cannot-logon-access-administrative-share#cause

In the above mentioned url to the microsoft docs, a workaround is documented by setting a specific registry key on every system you need to connect. 

 

Set Registry Key:

 New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system" -Name "LocalAccountTokenFilterPolicy" -Value 1 -PropertyType DWORD -Force 

 

For this to work you also need to change the WSMAN TrustedHosts list on your passwordmanager server and add every host or '*' (wildcard) on which you want to validate the credentials if not already done.

 

Change Trusted Hosts on Passwordmanager Server:

Set-Item WSMan:\localhost\Client\TrustedHosts -Value '*' -confirm:$false -Force

 

As a small side note: The password reset functionality works perfectly on the same servers for local administrator accounts with a privileged account! Afterwards the "Heartbeat Status" will also show "OK". But the pure heartbeat function does not work as described.)

 

Regards,

René

 

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...