
ExtendedTypeSystemException, "Unknown error (0x80005000)" #9

Open
ghost opened this issue Aug 6, 2021 · 7 comments
Labels
bug Something isn't working

Comments

@ghost commented Aug 6, 2021

Hello!

First of all, many thanks for your hard work!

I am getting this weird error when running Invoke-PKIAudit:

=== Certificate Authority ===
ComputerName            : ca.contoso.com
CAName                  : CA One
ConfigString            : ca.contoso.com\CA One
IsRoot                  : False
AllowsUserSuppliedSans  :
VulnerableACL           : False
EnrollmentPrincipals    :
EnrollmentEndpoints     :
NTLMEnrollmentEndpoints :
DACL                    :
Misconfigurations       :

ExtendedTypeSystemException: C:\Users\trespassing-potato\Dokument\gitlab\research\PSPKIAudit\PSPKI\3.7.2\Server\Get-CertificateTemplate.ps1:19
Line |
  19 |      $ldap.psbase.children | ForEach-Object {
     |      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | The following exception occurred while trying to enumerate the collection: "Unknown error (0x80005000)".


[*] No vulnerable certificate templates found for this CA.

Also getting some warnings:

WARNING: Error enumerating ACL information for CA 'ca.contoso.com\CA One' : Exception calling "GetSecurityDescriptor" with "0" argument(s): "Specified Certification Authority 'CA One' is unavailable."
@ghost (Author) commented Aug 6, 2021

I tried to evaluate the "offending code" in my shell and there I'm not getting the error:

> $Domain = ([ADSI]"LDAP://RootDSE").ConfigurationNamingContext
> $PkiConfigContext = "CN=Public Key Services,CN=Services,$Domain"
> ([ADSI]"LDAP://CN=Certificate Templates,$pkiConfigContext").psbase.children | measure

Count             : 132

@leechristensen (Member) commented

Hmm, going to ping @Crypt32 since he's the maintainer of PSPKI and might have some insights here.

We call Get-CertificateTemplate here:

$Templates = Get-CertificateTemplate

In the version of PSPKI we're using, the error originates from here:

$ldap = [ADSI]"LDAP://CN=Certificate Templates,$PkiConfigContext"
$ldap.psbase.children | ForEach-Object {
    $temps += New-Object psobject -Property @{
        Name        = $_.Properties["cn"].Value;
        DisplayName = $_.Properties["DisplayName"].Value;
        OID         = $_.Properties["msPKI-Cert-Template-OID"].Value;
    }
}

@bill-e-ghote commented

I cloned the repo today and am also seeing this error. I can reproduce the error manually with:

$ldap = [ADSI]"LDAP://CN=Certificate Templates,$PkiConfigContext"
$ldap


@Crypt32 commented Jul 27, 2022

Are you running these commands on domain-joined machines?

@bill-e-ghote commented

My apologies for the delayed response. I've missed the notifications from GitHub.

Yes, these were run on a domain-joined machine.

@Crypt32 commented Aug 16, 2022

Can you confirm if your LDAP URL is resolved properly? I mean, it looks like this:

LDAP://CN=Certificate Templates, CN=Public Key Services, CN=Services, CN=Configuration, {ForestNamingContext}

that {ForestNamingContext} is a sequence of DC=XYZ attributes.

@leechristensen (Member) commented

> I cloned the repo today and am also seeing this error. I can reproduce the error manually with:
>
> $ldap = [ADSI]"LDAP://CN=Certificate Templates,$PkiConfigContext"
> $ldap

@bill-e-ghote Thank you for the info! Does the full DN contain any special characters in it by chance that might need to be escaped? Special characters that need to be escaped in DNs include the following: , = + < > # ; and if the common name begins with a space or #.
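The two checks the maintainers ask for above (does the LDAP path resolve, and does the DN carry characters that must be escaped) can be done in one step. The script below is an added example, not code from PSPKIAudit or PSPKI; the function name `Test-CertificateTemplatesPath` and its `-PkiConfigContext` parameter are assumptions made here. It builds the same path PSPKI uses from RootDSE, flags RDN values containing characters that RFC 4514 requires to be escaped, then forces a real bind so a malformed path fails at the bind rather than later during enumeration. It must be run on a domain-joined machine.

```powershell
# Added example (not from the PSPKIAudit or PSPKI project).
# Verifies that the Certificate Templates container path resolves and reports
# DN values that would need escaping. Function and parameter names are assumptions.
function Test-CertificateTemplatesPath {
    [CmdletBinding()]
    param(
        # Optional override so a hand-built context (e.g. one copied from an error
        # message) can be checked instead of the one derived from RootDSE.
        [string]$PkiConfigContext
    )

    if (-not $PkiConfigContext) {
        # Derive the configuration naming context from RootDSE, the same way PSPKI does.
        $rootDse  = [ADSI]"LDAP://RootDSE"
        $configNC = [string]$rootDse.Properties["configurationNamingContext"].Value
        if ([string]::IsNullOrWhiteSpace($configNC)) {
            throw "RootDSE returned no configurationNamingContext; the machine may not be domain-joined."
        }
        $PkiConfigContext = "CN=Public Key Services,CN=Services,$configNC"
    }

    $path = "LDAP://CN=Certificate Templates,$PkiConfigContext"

    # RFC 4514: inside an RDN value the characters , + " \ < > ; = # must be escaped,
    # as must a leading space or '#' and a trailing space. Split only on unescaped
    # commas so an already-escaped '\,' is not mistaken for an RDN boundary.
    $badValues = @()
    foreach ($rdn in ($PkiConfigContext -split '(?<!\\),')) {
        $parts = $rdn -split '=', 2
        if ($parts.Count -ne 2) { $badValues += $rdn; continue }   # no 'attr=value' shape at all
        $value = $parts[1]
        if ($value -match '(?<!\\)[,+"<>;=]' -or $value -match '^[ #]' -or $value -match '(?<!\\) $') {
            $badValues += $value
        }
    }

    $result = [pscustomobject]@{
        Path            = $path
        UnescapedValues = $badValues
        BindSucceeded   = $false
        TemplateCount   = $null
        Error           = $null
    }

    try {
        $entry = [ADSI]$path
        # [ADSI] binds lazily; RefreshCache forces the LDAP bind now so a bad path
        # surfaces here instead of inside a later pipeline enumeration.
        $entry.psbase.RefreshCache()
        $result.TemplateCount = @($entry.psbase.Children).Count
        $result.BindSucceeded = $true
    }
    catch {
        # 0x80005000 is E_ADS_BAD_PATHNAME: ADSI rejected the path string itself.
        $result.Error = $_.Exception.GetBaseException().Message
    }
    return $result
}

# Usage on a domain-joined machine:
Test-CertificateTemplatesPath | Format-List
```

If `UnescapedValues` is empty and `BindSucceeded` is true, the path is not the problem and the failure in `Get-CertificateTemplate` comes from elsewhere (for example the identity the audit runs under, or the specific child object being enumerated); if `Error` reports the 0x80005000 code, compare the printed `Path` with the form @Crypt32 gave above, RDN by RDN.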
