
Set-CertificateTemplateAcl cmd-let issue on v3.7

Open kubkpower opened this issue 3 years ago • 15 comments

The following command runs fine with PSPKI v3.5:

Get-CertificateTemplate -Name WebServer | Get-CertificateTemplate | Add-CertificateTemplateAcl -User user1 -AccessType Allow -AccessMask Read, Enroll | Set-CertificateTemplateAcl

The equivalent command has no effect using PSPKI v3.7:

Get-CertificateTemplate -Name WebServer | Get-CertificateTemplate | Add-CertificateTemplateAcl -Identity user1 -AccessType Allow -AccessMask Read, Enroll | Set-CertificateTemplateAcl

The issue seems to be related to the Set-CertificateTemplateACL cmd-let, as the Add-CertificateTemplateAcl seems to append the requested ACL correctly. I have no clue, as the command does not return anything.

kubkpower avatar Aug 19 '20 19:08 kubkpower

Please, upgrade to latest version 3.7.2 and see if issue still persists.

Crypt32 avatar Aug 20 '20 06:08 Crypt32

I can confirm that the issue persists using v3.7.2 (Windows 2019 freshly installed for DC and PKI). I noticed that the cmd-let Get-CertificateTemplateACL returns an empty path attribute. I don't know if it helps. Maybe the root cause is in the Get-CertificateTemplateACL cmd-let ...

kubkpower avatar Aug 21 '20 13:08 kubkpower

SysadminsLV.PKI.zip

Can you try this PKI library (replace in Library folder) and confirm if it does work for you. It seems that DirectoryEntry.ObjectSecurity property setter doesn't properly handle new security descriptor object. I've slightly changed the logic to modify attached security descriptor instead of assigning a new SD. Please, confirm if this works for you.

I've found another possible issue: change commit may silently fail if you don't have enough permissions to write ACLs. That is, no error is produced and no ACL is written. Make sure your PS session is elevated and that the elevated account does have permissions to write ACLs on certificate templates.

Crypt32 avatar Aug 24 '20 07:08 Crypt32
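Because the write can fail silently, as the comment above notes, it is worth reading the template back from AD after Set-CertificateTemplateAcl and checking that the ACE is really there. The script below is an added example, not code from the thread or from the PSPKI project; it assumes the documented Get-CertificateTemplateAcl pipeline, that the returned security descriptor exposes an Access collection of rules with IdentityReference, AccessControlType and CertificateTemplateRights properties, and uses constructed sample values (CONTOSO\user1, WebServer).

```powershell
# Added example: apply an ACE to a template and verify it landed in AD.
# Assumes PSPKI is installed and that Get-CertificateTemplateAcl returns an
# object whose .Access rules expose IdentityReference, AccessControlType and
# CertificateTemplateRights (assumption, see lead-in).
param(
    [string]$TemplateName = 'WebServer',        # constructed sample value
    [string]$Identity     = 'CONTOSO\user1',    # constructed sample value
    [string]$AccessType   = 'Allow',
    [string]$AccessMask   = 'Read, Enroll'
)

Import-Module PSPKI -ErrorAction Stop

# Writing template ACLs needs an elevated session; warn up front instead of
# discovering the silent failure afterwards.
$principal = [Security.Principal.WindowsPrincipal] `
             [Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Warning 'Session is not elevated; the ACL write may fail silently.'
}

# Re-read the template's rules for one identity straight from AD.
function Get-TemplateRuleForIdentity {
    param([string]$Template, [string]$Id)
    Get-CertificateTemplate -Name $Template |
        Get-CertificateTemplateAcl |
        Select-Object -ExpandProperty Access |
        Where-Object { "$($_.IdentityReference)" -eq $Id }
}

# Apply the ACE (same shape as the pipeline discussed in the thread).
Get-CertificateTemplate -Name $TemplateName |
    Get-CertificateTemplateAcl |
    Add-CertificateTemplateAcl -Identity $Identity -AccessType $AccessType -AccessMask $AccessMask |
    Set-CertificateTemplateAcl | Out-Null

# Verify: every requested right must appear in a rule of the requested type.
$wanted  = $AccessMask -split ',\s*'
$applied = foreach ($rule in (Get-TemplateRuleForIdentity -Template $TemplateName -Id $Identity)) {
    if ("$($rule.AccessControlType)" -ne $AccessType) { continue }
    $have    = "$($rule.CertificateTemplateRights)" -split ',\s*'
    $missing = $wanted | Where-Object { $have -notcontains $_ }
    if (-not $missing) { $rule }
}

if ($applied) {
    "Verified: $Identity has $($applied[0].CertificateTemplateRights) ($AccessType) on $TemplateName"
} else {
    Write-Error "ACE for $Identity was NOT written to $TemplateName; check elevation and template write rights."
}
```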

After replacing the DLL, the PSPKI module doesn't import anymore, with error:

import-module : Could not load file or assembly 'file:///C:\Program
Files\WindowsPowerShell\Modules\pspki\3.7.2\Library\SysadminsLV.PKI.dll' or one of its dependencies. Operation is not
supported. (Exception from HRESULT: 0x80131515)

kubkpower avatar Aug 24 '20 12:08 kubkpower

I just tried this and it works for me: installed module from PS gallery, replaced SysadminsLV.PKI.dll library from zip archive and module is imported successfully.

Crypt32 avatar Aug 24 '20 13:08 Crypt32

I tried to uninstall the module, install 3.7.2 from the gallery, and overwrite the DLL. The import-module still fails...

kubkpower avatar Aug 24 '20 13:08 kubkpower

Just curious: when you extracted the DLL, did you unblock the file in Windows Explorer?

Crypt32 avatar Aug 24 '20 13:08 Crypt32

And what is your execution policy? The DLL is a test build and is not digitally signed.

Crypt32 avatar Aug 24 '20 13:08 Crypt32

Exactly, I had to unblock the file. Sorry. I'll do the tests.

kubkpower avatar Aug 24 '20 13:08 kubkpower

Great! It works. Thank you very much.

kubkpower avatar Aug 24 '20 18:08 kubkpower

I would like to keep it open until I put it in the next version. Here is a signed version of the PKI library.

SysadminsLV.PKI.zip

Crypt32 avatar Aug 24 '20 18:08 Crypt32

Thanks

kubkpower avatar Aug 24 '20 18:08 kubkpower

Same issue, I'm running as elevated and I can make permissions changes using the Certificate Templates Console as this user.

I tried downloading the new DLL, restarting PowerShell and re-importing the module. I can see in the library folder that I have version 3.7.2.1 of the DLL, but it's still not writing the ACL.

I've tested this under 3.5.0 and it still fails there too.

Windows 2016 CA and AD with 2016 DFL/FFL. September 2020 patches.

berny275 avatar Oct 07 '20 13:10 berny275

What exactly doesn't work?

Crypt32 avatar Oct 08 '20 09:10 Crypt32

Get-CertificateTemplate -Name WebServer | Get-CertificateTemplate | Add-CertificateTemplateAcl -User user1 -AccessType Allow -AccessMask Read, Enroll | Set-CertificateTemplateAcl

If I look at the results of the command above, I see the ACL in the list, but the additional ACL isn't being applied.

berny275 avatar Oct 09 '20 01:10 berny275

Fixed in v4.0.0

Crypt32 avatar Jun 15 '23 07:06 Crypt32