What is the Issue : When upgraded or new install of Privilege Access Management(PAM) some rest API calls only work locally on the PAM server.
When calling the REST API you receive the following return
With a response body of:
{
“odata.error”:{“code”:””,”message”:{ “lang”:”en-US”,”value”:”An operations error occurred.\r\n”}}
}
API requests that work:
/api/pamresources/pamrequeststoapprove
/api/pamresources/pamrequests
/api/pamresources/pamrequests({requestId)/Close
API requests that fail:
/api/pamresources/pamroles
/api/session/sessioninfo
/api/pamresources/pamrequeststoapprove – Approve or Reject
The issue now becomes a bit strange because we so no errors in the event logs or even traces. so in order to see the actual error happing (not internal server error). We used a tool call DebugDiag to be able collect the memory dump when the 500 error occurred.
Looking at the error : Type: System.DirectoryServices.ActiveDirectory.ActiveDirectoryOperationException
Message: An operations error occurred.
This exception originated from System_DirectoryServices_ni!System.DirectoryServices.ActiveDirectory.PropertyManager.GetPropertyValue(System.DirectoryServices.ActiveDirectory.DirectoryContext, System.DirectoryServices.DirectoryEntry, System.String).
Now we are getting somewhere. Ok now why is this happening ? well we have to go to the configuration for this information. In PAM API the interface is using impersonation. The thing we are seeing is the double hop scenario with the new code that was added to the PAM that looks up items as the user to connect to the domain context. This is why some of the request works is because they do not need to go off box and the 1 hop rule is in effect.
Below is what is happening causing the failed request:
Once i see what is happen now it time to begin to fix the issue as i know if i change the authentication to basic / with impersonation it will work because of 2 hop is not in effect until i get to the server . So first we needed to make sure were authenticating using Kerberos. So a great sample page I use a lot located here . It is a sample test.aspx page that show you all the details when connecting up to the site case in point
- Shows the Authentication mechanism
- Shows who I authenticated as
- Shows the Identity the app is running as , If you turn off Impersonation you would see this change to the PRIV\Sharepoint (REST API AppPool Account
Ok so we are set on connecting to the site on Kerberos so now i need to change my delegation. Most folks have delegation setup already in FIM/MIM environment like described in the following link . So after we confirm multiple times SPN/Delegation it came to mind to switch the delegation from constrained to unconstrained
to
After setting this we performed a IISReset and then klist purge on webserver and client machine. Now we test and results are in that it is working as we expected
Now we need to understand if we want to use constrained delegation. As we know the unconstrained work by this we know the system.directory services communicates with the domain ldap protocol unfortunately we don’t know what domain controller we are going to talk to if your PRIV environment is a bit larger than my test lab.
So we update the delegation to add the domain controller and ldap service:
Test again and it works like a champ. Environments with multiple domain controllers you know what you need to do. Again we are open to anyone with ideas on how to delegation to the domain so it covers all domain controllers. This was the only way to make it work with constrained delegation.
One other thing to note during our testing we found also the above with fail if you follow the previous guidance described in the MIM CTP Test Lab Guide for Privileged Access Management.docx to add the user to the protected users group by running the following page 29 , Step 6 :
Add-ADGroupMember “Protected Users” priv.Jen
This is because once the user is added to this group it takes on special protections that user’s account cannot be delegated
https://technet.microsoft.com/en-us/library/dn466518(v=ws.11).aspx Protected User Security Group
This change was not on the latest online documentation but was in previous so I wanted to make sure we call this out if your using the Lab guide
