
CrossForest PKI Connect-CertificationAuthority doesn't show displayname

Open DanTheMan-NL opened this issue 1 year ago • 2 comments

Whenever I use Connect-CertificationAuthority -ComputerName {FQDN} to a CA in a different forest I receive an output without the displayname:

DisplayName                              ComputerName              IsAccessible ServiceStatus Type
-----------                              ------------              ------------ ------------- ----
                                         FQDN.example.com     True         Running       Enterprise Subordinate CA

Apparently the displayname is necessary for other commands to function properly, because when I use this command output with another command I receive this error:

PS C:\windows\system32> Connect-CertificationAuthority -ComputerName {FQDN} | Get-PendingRequest
Get-AdcsDatabaseRow : Exception calling "GetDbReader" with "1" argument(s): "CCertView::OpenConnection: The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)"
At C:\Program Files\WindowsPowerShell\Modules\pspki\3.7.2\Server\Get-PendingRequest.ps1:23 char:13
+             Get-AdcsDatabaseRow `
+             ~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Get-AdcsDatabaseRow

I have not synced the CA objects with the forest where this management server is stationed and I'm not willing to do that because of security and operational reasons.

In this issue I read this should be possible without syncing the objects: https://github.com/PKISolutions/PSPKI/issues/26

Is there any way to do this? I really want to use PSPKI on a management server in a different forest without having to sync the CA objects to this forest.

DanTheMan-NL, Aug 18 '22 13:08

Can you show all properties from CA object? E.g. Connect-CertificationAuthority -ComputerName {FQDN} | format-list *. And confirm what version of PSPKI you are using.

Crypt32, Aug 18 '22 17:08

This is the output I get. I only changed the real FQDN to {FQDN}; the rest is the same, with the blank output:

PS C:\windows\system32> Connect-CertificationAuthority -ComputerName {FQDN} | format-list *

Name                 :
DisplayName          :
ComputerName         : {FQDN}
ConfigString         : {FQDN}
DistinguishedName    :
Type                 : Enterprise Subordinate CA
IsEnterprise         : True
IsRoot               : False
OperatingSystem      : Microsoft Windows Server 2019 Standard
IsAccessible         : True
RegistryOnline       : True
ServiceStatus        : Running
SetupStatus          : ServerInstall, SecurityUpgraded, ServerIsUptoDate
Certificate          : System.Security.Cryptography.X509Certificates.X509Certificate2
BaseCRL              :
DeltaCRL             :
EnrollmentServiceURI :
EnrollmentEndpoints  : {}

I use the latest PSPKI v3.7.2 from https://www.powershellgallery.com/packages/PSPKI/3.7.2

DanTheMan-NL, Aug 19 '22 07:08