PSPKI
Deny-CertificateRequest Raises Exception
Following the example from the documentation, I run the following (simplified) command to deny all pending cert requests at the given certificate authority:
Get-CertificationAuthority -ComputerName domain.example.com | Get-PendingRequest | Deny-CertificateRequest
From this command, the following exception is raised:
New-Object : A constructor was not found. Cannot find an appropriate constructor for type SysadminsLV.PKI.Utils.ServiceOperationResult.
At C:\Program Files\WindowsPowerShell\Modules\PSPKI\Server\Deny-CertificateRequest.ps1:34 char:17
+ ... New-Object SysadminsLV.PKI.Utils.ServiceOperationResult - ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (:) [New-Object], PSArgumentException
+ FullyQualifiedErrorId : CannotFindAppropriateCtor,Microsoft.PowerShell.Commands.NewObjectCommand
I've been able to use the requests returned by the Get-PendingRequest command in other areas of my script, but whenever I attempt to deny any of these requests, this same error occurs.
I've found a workaround to this problem by making the following changes to the Deny-CertificateRequest script locally:
32 | ...
33 | } catch {
34 | New-Object SysadminsLV.PKI.Utils.ServiceOperationResult -ArgumentList `
35 | 1,
36 | $_.Exception -Property @{
37 | InnerObject = $Request.RequestID
38 | }
39 | }
40 | ...
That's interesting, because it should use the first constructor: https://github.com/PKISolutions/pkix.net/blob/f77ec6d1e4d23ac87a6a427b835724839b10f856/PKI/Utils/ServiceOperationResult.cs#L15. Maybe the HResult property is not available in the exception?
The error occurred when I was trying to deny a request without administrator privileges. Here is the stack trace from the caught exception in Deny-CertificateRequest:
System.UnauthorizedAccessException: CCertAdmin::DenyRequest: Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)
at System.Management.Automation.ComInterop.ComRuntimeHelpers.CheckThrowException(Int32 hresult, ExcepInfo& excepInfo, ComMethodDesc method, Object[] args, UInt32 argErr)
at CallSite.Target(Closure , CallSite , ComObject , Object , Object )
at System.Dynamic.UpdateDelegates.UpdateAndExecute3[T0,T1,T2,TRet](CallSite site, T0 arg0, T1 arg1, T2 arg2)
at System.Dynamic.UpdateDelegates.UpdateAndExecute3[T0,T1,T2,TRet](CallSite site, T0 arg0, T1 arg1, T2 arg2)
at System.Dynamic.UpdateDelegates.UpdateAndExecute3[T0,T1,T2,TRet](CallSite site, T0 arg0, T1 arg1, T2 arg2)
at System.Management.Automation.Interpreter.DynamicInstruction`4.Run(InterpretedFrame frame)
at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame)
I will take a look into this.
Hi, I've tried to repro the issue by using an account that has Read permissions on the CA and doesn't have "Manage Certificates", and it works fine for me:
PS C:\> $ca | Get-PendingRequest -RequestID 304 | Deny-CertificateRequest
HResult StatusMessage
------- -------------
-2147024891 Access is denied.
PS C:\>
I've received the expected error object. Module version is 3.7.2.
I'm not sure what more information I can give you about this issue, as I am not entirely familiar with the Windows account architecture. The account I am using to deny requests is a local administrator on the server containing the Certificate Authority. The error occurs only when executing the command from a non-escalated PowerShell window. Every other command works just fine - reading requests primarily. I double-checked the module version, and I am indeed running version 3.7.2. If there is something in particular that may assist you in reproducing this issue, please let me know.
Fixed in v4.0.0
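The thread ties the failure to a non-elevated session of a local administrator, where the Administrators group is not enabled in the token and CCertAdmin::DenyRequest returns 0x80070005. The following is an added example, not code from the PSPKI module or from anyone in this thread: a pre-flight elevation check plus per-request error reporting around the cmdlets used above. Test-IsElevated and Invoke-DenyPendingRequest are hypothetical names.

```powershell
# Added example (not PSPKI code). Assumes the PSPKI module is installed.

function Test-IsElevated {
    # True only when the Administrators group is enabled in the current token,
    # i.e. the session was started elevated ("Run as administrator").
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal $identity
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Invoke-DenyPendingRequest {
    # Hypothetical wrapper: denies every pending request on one CA and
    # reports failures per request instead of aborting the pipeline.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [string]$ComputerName
    )

    # Warn rather than refuse: an account granted "Manage Certificates"
    # directly on the CA does not depend on local elevation.
    if (-not (Test-IsElevated)) {
        Write-Warning ('Session is not elevated. If CA management rights come from ' +
            'local Administrators membership, expect 0x80070005 (Access is denied).')
    }

    $ca = Get-CertificationAuthority -ComputerName $ComputerName
    foreach ($request in ($ca | Get-PendingRequest)) {
        if (-not $PSCmdlet.ShouldProcess("request $($request.RequestID)", 'Deny')) {
            continue
        }
        try {
            $request | Deny-CertificateRequest -ErrorAction Stop
        } catch {
            # Surface the failure in a uniform shape. For ERROR_ACCESS_DENIED the
            # HResult is -2147024891, the signed form of 0x80070005.
            [pscustomobject]@{
                RequestID = $request.RequestID
                HResult   = $_.Exception.HResult
                Message   = $_.Exception.Message
            }
        }
    }
}
```

Running `Invoke-DenyPendingRequest -ComputerName domain.example.com -WhatIf` lists the requests that would be denied without changing anything on the CA.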