PSPKI
Get/Add/Set-CertificateTemplateAcl not working
$NewTemplateName = "Tenant14OCSPResponseSigning"
$ACLs = Get-CertificateTemplate -Name $NewTemplateName | Get-CertificateTemplateAcl # <- Path missing in Returned Object
$Test = Add-CertificateTemplateAcl -InputObject $ACLs -Identity "WindowsServerAdmin" -AccessType Allow -AccessMask Read, Enroll
$Return = Set-CertificateTemplateAcl -InputObject $Test
Returned object:
Path :
Owner : DOMAIN\sa
Group :
Access : {SysadminsLV.PKI.Security.AccessControl.CertTemplateAccessRule, SysadminsLV.PKI.Security.AccessC
ontrol.CertTemplateAccessRule, SysadminsLV.PKI.Security.AccessControl.CertTemplateAccessRule, Sy
sadminsLV.PKI.Security.AccessControl.CertTemplateAccessRule...}
Sddl : O:S-1-5-21-214951723-759394271-1631113771-1162D:(A;;WP;;;AU)(A;;WPDT;;;DA)(A;;WPDT;;;S-1-5-21-21
4951723-759394271-1631113771-519)(A;;0x4000020;;;S-1-5-21-214951723-759394271-1631113771-1161)(A
;;0x4000020;;;S-1-5-21-214951723-759394271-1631113771-1179)(A;;WPDT;;;S-1-5-21-214951723-7593942
71-1631113771-1608)
AccessToString : NT AUTHORITY\Authenticated Users Allow
DOMAIN\Domain Admins Allow
DOMAIN\Enterprise Admins Allow
DOMAIN\WindowsServerAdmin Allow
DOMAIN\TmplOCSP Allow
DOMAIN\CaTemplMgr Allow
AuditToString :
DisplayName : Tenant 14 OCSP Response Signing
AccessRightType : SysadminsLV.PKI.Security.AccessControl.CertTemplateRights
AccessRuleType : SysadminsLV.PKI.Security.AccessControl.CertTemplateAccessRule
AuditRuleType : SysadminsLV.PKI.Security.AccessControl.CertTemplateAuditRule
AreAccessRulesProtected : False
AreAuditRulesProtected : False
AreAccessRulesCanonical : True
AreAuditRulesCanonical : True
It looks like the Identity is added to the template without error, but when checking the permissions on the template they were not set. What I notice is that the Path parameter is not filled. Could that be the problem?
I need to check this.
> What I notice is that the Path parameter is not filled. Could that be the problem?

That's expected. Path is used for the applicable PS drive provider. There is no applicable PS drive provider for certificate templates, and it is expected to be empty.
I've tried to repro the issue and the function seems to work as expected. However, there is one thing that can be missing: once you open the Certificate Templates MMC snap-in, it caches all data and does not track changes made outside this instance. You may need to refresh the MMC or re-open the MMC to reload data from AD.
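Because the MMC snap-in described above shows cached data, a check that bypasses both the MMC and PSPKI shows what is actually stored on the template object in AD. The following is an added example, not code from this thread or from the PSPKI project: it reads the template's security descriptor over ADSI and lists the explicit ACEs for one account. The function name `Get-TemplateAceFromAD` is hypothetical; the template and account names are the ones used in the issue, with `DOMAIN` as the placeholder from its output.

```powershell
# Added example, not from the issue thread. Reads the template object directly from AD.
# Assumptions: domain-joined Windows PowerShell session; template CN and account name
# are the ones in the issue ("DOMAIN" is the placeholder used in its output).
$EnrollRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Certificate-Enrollment extended right

function Get-TemplateAceFromAD {
    param(
        [Parameter(Mandatory)][string]$TemplateName,   # template CN, not its display name
        [Parameter(Mandatory)][string]$Identity        # e.g. DOMAIN\WindowsServerAdmin
    )
    # Templates live in the configuration partition of the forest
    $configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $dn = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    $entry = [ADSI]"LDAP://$dn"

    # Resolve the account to a SID so the comparison does not depend on name formatting
    $sid = (New-Object System.Security.Principal.NTAccount $Identity).Translate(
        [System.Security.Principal.SecurityIdentifier])

    # Explicit ACEs only (includeExplicit = $true, includeInherited = $false), identities as SIDs
    $rules = $entry.psbase.ObjectSecurity.GetAccessRules(
        $true, $false, [System.Security.Principal.SecurityIdentifier])

    foreach ($r in $rules) {
        if ($r.IdentityReference.Value -ne $sid.Value) { continue }
        [pscustomobject]@{
            Type     = $r.AccessControlType
            Rights   = $r.ActiveDirectoryRights
            # Enroll is stored as an extended-right ACE scoped to the Certificate-Enrollment GUID
            IsEnroll = $r.ActiveDirectoryRights.HasFlag(
                           [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
                       ($r.ObjectType -eq $EnrollRight)
        }
    }
}

$aces = @(Get-TemplateAceFromAD -TemplateName 'Tenant14OCSPResponseSigning' -Identity 'DOMAIN\WindowsServerAdmin')
if ($aces.Count -eq 0) { 'No explicit ACE for this identity is stored in AD.' }
else { $aces | Format-Table -AutoSize }
```

The bind goes to whichever domain controller the session locates, so a change written to a different DC may not be visible until replication completes.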
In our environment it’s not working and the ACL is not set with PSPKI 372, even when I re-open the MMC. For now we use an older version, 3.4, of PSPKI, which works as expected for the ACL aspect, but then I introduce other problems.
From: Vadims Podans @.>
Sent: Friday, October 14, 2022 10:43:16 AM
To: PKISolutions/PSPKI @.>
CC: Ben Coremans @.>; Author @.>
Subject: Re: [PKISolutions/PSPKI] Get/Add/Set-CertificateTemplateAcl not working (Issue #176)
> I've tried to repro the issue and the function seems to work as expected. However, there is one thing that can be missing: once you open the Certificate Templates MMC snap-in, it caches all data and does not track changes made outside this instance. You may need to refresh the MMC or re-open the MMC to reload data from AD.
I'm sorry, it seems like I tested against the wrong version. Would you mind replacing the SysadminsLV.PKI.dll file in the PSPKI installation Library folder with the one from this attachment: https://github.com/PKISolutions/PSPKI/issues/129#issuecomment-722561086?