Get-ADReplAccount : The input is shorter than the minimum length.

Open m4xx75 opened this issue 1 year ago • 7 comments

Hello,

When I try to do a Test-PasswordQuality, I systematically encounter this error message after a few minutes: Get-ADReplAccount : The input is shorter than the minimum length.

I tried with and without a dictionary file, the result is always the same. My account is a member of "Domain Admins". Using DSInternals v4.12

Thanks.

m4xx75 avatar Jan 04 '24 11:01 m4xx75

Hello @m4xx75 , would you please be able to share the exception stack trace?

MichaelGrafnetter avatar Jan 05 '24 09:01 MichaelGrafnetter

Hello @MichaelGrafnetter

Thank you for the feedback, and sorry for my late reply (I was on vacation). Here is the trace of the error:

Get-ADReplAccount : The input is shorter than the minimum length.
Parameter name: blob
Actual value was 0.
At C:\Users\$env:USERNAME\Desktop\Test-PasswordQuality.ps1:11 char:11
+ $result = Get-ADReplAccount -All -Server "dc.domain.local" -NamingCon ...
+           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-ADReplAccount], ArgumentOutOfRangeException
    + FullyQualifiedErrorId : System.ArgumentOutOfRangeException,DSInternals.PowerShell.Commands.GetADReplAccountCommand


Resolve-Error:

PSMessageDetails      : 
Exception             : System.ArgumentOutOfRangeException: The input is shorter than the minimum length.
                        Parameter name: blob
                        Actual value was 0.
                           at DSInternals.Common.Validator.AssertMinLength(Byte[] data, Int32 minLength, String paramName)
                           at DSInternals.Common.Cryptography.CngSoftwareProviderTransportBlob..ctor(Byte[] blob)
                           at DSInternals.Common.Data.RoamedCredential..ctor(Byte[] blob, String accountName, SecurityIdentifier accountSid)
                           at DSInternals.Common.Data.DSAccount.LoadRoamedCredentials(DirectoryObject dsObject)
                           at DSInternals.Common.Data.DSAccount..ctor(DirectoryObject dsObject, String netBIOSDomainName, DirectorySecretDecryptor pek)
                           at DSInternals.Replication.DirectoryReplicationClient.<GetAccounts>d__17.MoveNext()
                           at DSInternals.PowerShell.Commands.GetADReplAccountCommand.ReturnAllAccounts()
                           at System.Management.Automation.CommandProcessor.ProcessRecord()
TargetObject          : 
CategoryInfo          : NotSpecified: (:) [Get-ADReplAccount], ArgumentOutOfRangeException
FullyQualifiedErrorId : System.ArgumentOutOfRangeException,DSInternals.PowerShell.Commands.GetADReplAccountCommand
ErrorDetails          : 
InvocationInfo        : System.Management.Automation.InvocationInfo
ScriptStackTrace      : at <ScriptBlock>, C:\Users\$env:USERNAME\Desktop\Test-PasswordQuality.ps1: line 11
PipelineIterationInfo : {}
MyCommand             : Get-ADReplAccount
BoundParameters       : {}
UnboundArguments      : {}
ScriptLineNumber      : 11
OffsetInLine          : 11
HistoryId             : 2
ScriptName            : C:\Users\$env:USERNAME\Desktop\Test-PasswordQuality.ps1
Line                  : $result = Get-ADReplAccount -All -Server "dc.domain.local" -NamingContext "DC=domain,DC=local" | Test-PasswordQuality # -WeakPasswordHashesSortedFile D:\pwnedpasswords_ntlm.txt
PositionMessage       : At C:\Users\$env:USERNAME\Desktop\Test-PasswordQuality.ps1:11 char:11
                        + $result = Get-ADReplAccount -All -Server "dc.domain.local" -NamingCon ...
                        +           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
PSScriptRoot          : C:\Users\$env:USERNAME\Desktop
PSCommandPath         : C:\Users\$env:USERNAME\Desktop\Test-PasswordQuality.ps1
InvocationName        : Get-ADReplAccount
PipelineLength        : 0
PipelinePosition      : 0
ExpectingInput        : False
CommandOrigin         : Internal
DisplayScriptPosition : 

00000000000000000000000000000000000000000000000000000000000000000000000000000000

Message        : The input is shorter than the minimum length.
                 Parameter name: blob
                 Actual value was 0.
ActualValue    : 0
ParamName      : blob
Data           : {}
InnerException : 
TargetSite     : Void AssertMinLength(Byte[], Int32, System.String)
StackTrace     :    at DSInternals.Common.Validator.AssertMinLength(Byte[] data, Int32 minLength, String paramName)
                    at DSInternals.Common.Cryptography.CngSoftwareProviderTransportBlob..ctor(Byte[] blob)
                    at DSInternals.Common.Data.RoamedCredential..ctor(Byte[] blob, String accountName, SecurityIdentifier accountSid)
                    at DSInternals.Common.Data.DSAccount.LoadRoamedCredentials(DirectoryObject dsObject)
                    at DSInternals.Common.Data.DSAccount..ctor(DirectoryObject dsObject, String netBIOSDomainName, DirectorySecretDecryptor pek)
                    at DSInternals.Replication.DirectoryReplicationClient.<GetAccounts>d__17.MoveNext()
                    at DSInternals.PowerShell.Commands.GetADReplAccountCommand.ReturnAllAccounts()
                    at System.Management.Automation.CommandProcessor.ProcessRecord()
HelpLink       : 
Source         : DSInternals.Common
HResult        : -2146233086

Don't hesitate to ask if you need more information. Thanks.

m4xx75 avatar Jan 11 '24 11:01 m4xx75

@m4xx75 Thanks for the info. There is apparently an empty CNG private key file stored in the ms-PKI-AccountCredentials attribute of one of the user accounts. I will need to update my code to deal with this non-standard situation.

MichaelGrafnetter avatar Jan 12 '24 14:01 MichaelGrafnetter

Hello @MichaelGrafnetter ,

Thank you for this feedback. Actually, I have a number of accounts with this attribute empty.

Do you have any idea when you'll be able to update your tool?

THANKS.

m4xx75 avatar Jan 22 '24 13:01 m4xx75

Can't promise any specific date. The problem is not an empty attribute, that would be absolutely OK. But your DB contains private keys of length 0, which is definitely strange and I haven't seen that before. Unfortunately, Microsoft's implementation of DPAPI is undocumented, which makes it harder to catch all the possible scenarios in my test lab.

MichaelGrafnetter avatar Jan 22 '24 16:01 MichaelGrafnetter

Okay @MichaelGrafnetter , thank you for this clarification.

By any chance, could you tell me how to detect these accounts with a powershell command?

I looked around and came across your article "#CQLabs – Extracting Roamed Private Keys from Active Directory by Michael Grafnetter", but I couldn't find a cmdlet on the internet that allows me to do this.

The goal would be to correct these accounts in order to bypass the problem that I am encountering.

THANKS.

m4xx75 avatar Jan 23 '24 09:01 m4xx75
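One practical way to answer the question above on DSInternals 4.12, as an added example that is not part of this thread and is not code from DSInternals: first inventory which users carry roamed credentials at all (msPKI-AccountCredentials is the ldapDisplayName of the attribute named in the thread), then replicate account by account instead of with -All, so that a single unparsable blob only costs you that one account rather than the whole Test-PasswordQuality run, and you end up with a list of exactly the accounts whose roamed credentials DSInternals rejects. The server and naming-context values are the placeholders from the thread; the RSAT ActiveDirectory module is assumed to be installed alongside DSInternals; and the size calculation in step 1 assumes the attribute values come back in the DN-Binary string form B:<hexlen>:<hex>:<DN>, which is an assumption about this attribute's syntax, not something the thread states. The example does not parse the inside of the blob (the zero-length private key the maintainer describes sits inside it), which is why the per-account loop in step 2 is what actually pinpoints the offending accounts.

```powershell
# Added example (not from the thread or from DSInternals). Placeholders: dc.domain.local, DC=domain,DC=local.
Import-Module ActiveDirectory
Import-Module DSInternals

$Server        = 'dc.domain.local'                      # placeholder from the thread
$NetBiosDomain = (Get-ADDomain -Server $Server).NetBIOSName

# Step 1: which accounts carry roamed credentials, and how large are the stored values?
# Assumption: values are DN-Binary strings "B:<hexlen>:<hex>:<DN>", where <hexlen> counts hex digits (bytes = hexlen/2).
$carriers = Get-ADUser -Server $Server -LDAPFilter '(msPKI-AccountCredentials=*)' -Properties 'msPKI-AccountCredentials' |
    ForEach-Object {
        $values = @($_.'msPKI-AccountCredentials')
        $sizes  = foreach ($v in $values) {
            $parts = "$v" -split ':', 4
            if ($parts.Count -eq 4 -and $parts[0] -eq 'B') { [int]$parts[1] / 2 }   # skip anything not in DN-Binary form
        }
        [pscustomobject]@{
            SamAccountName = $_.SamAccountName
            ValueCount     = $values.Count
            SmallestBytes  = ($sizes | Measure-Object -Minimum).Minimum
        }
    }
"Users with roamed credentials: $($carriers.Count)"
$carriers | Sort-Object SmallestBytes | Format-Table -AutoSize

# Step 2: replicate per account instead of -All. Get-ADReplAccount -All aborts the whole stream when one
# account's roamed credentials fail to parse; a per-account call fails only for that account.
$good   = [System.Collections.Generic.List[object]]::new()
$failed = [System.Collections.Generic.List[object]]::new()

foreach ($u in (Get-ADUser -Server $Server -Filter *)) {
    try {
        $acct = Get-ADReplAccount -SamAccountName $u.SamAccountName -Domain $NetBiosDomain -Server $Server -ErrorAction Stop
        $good.Add($acct)
    }
    catch {
        # Record the account and the exception type/message; the thread's failure is an ArgumentOutOfRangeException
        # raised while loading roamed credentials, but any other replication error is captured here too.
        $failed.Add([pscustomobject]@{
            SamAccountName = $u.SamAccountName
            ExceptionType  = $_.Exception.GetType().Name
            Message        = ($_.Exception.Message -split "`n")[0]
        })
    }
}

"Accounts skipped because DSInternals could not load them: $($failed.Count)"
$failed | Format-Table -AutoSize

# Run the password audit over the accounts that did load. Computer accounts are not included here,
# because the loop enumerates users only; add a Get-ADComputer loop if you want them audited as well.
$result = $good | Test-PasswordQuality # -WeakPasswordHashesSortedFile D:\pwnedpasswords_ntlm.txt
$result
```

The per-account loop issues one replication request per user, so it is noticeably slower than a single -All call on a large domain; treat it as a diagnostic pass to find the accounts listed in $failed, then either clean up their roamed credentials or exclude them until you can move to a DSInternals release that tolerates the malformed blobs.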

Hello @MichaelGrafnetter, do you have any news? THANKS.

m4xx75 avatar Feb 06 '24 15:02 m4xx75

@m4xx75 The issue should be resolved in DSInternals 4.14, which is more tolerant to malformed roamed credentials.

MichaelGrafnetter avatar Apr 13 '24 19:04 MichaelGrafnetter