PowerShell: Get-ADUser throws "the encryption operation failed" on latest PowerShell 7.4-preview.5 daily build
Prerequisites
- Write a descriptive title.
- Make sure you are able to repro it on the latest released version
- Search the existing issues.
- Refer to the FAQ.
- Refer to Differences between Windows PowerShell 5.1 and PowerShell.
Steps to reproduce
This fails on PowerShell 7.4.0-preview.5 daily build:
Get-ADUser -Filter {SamAccountName -like "*test*"}
(This works on PowerShell 7.3.6 and PowerShell 5.1, and the AD server is NOT down, contrary to the error message)
Expected behavior
Should return requested AD user objects
Actual behavior
Throws an exception "the encryption operation failed"
Error details
See visuals
Environment data
Name Value
---- -----
PSVersion 7.4.0-preview.5
PSEdition Core
GitCommitId 7.4.0-preview.5-19-gab5213e4b6ea4ac3ba0b84378ed1f31f6e14619c
OS Microsoft Windows 10.0.17763
Platform Win32NT
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0, 5.0, 5.1, 6.0, 7.0}
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
WSManStackVersion 3.0
Visuals
About this issue
- State: closed
- Created 10 months ago
- Reactions: 1
- Comments: 21 (2 by maintainers)
I was able to replicate the error myself and saw the exception message in the inner stacktrace being

I then did a search in the github runtime repository and found it was stored as net_io_encrypt. This string was used in two places but the stacktrace showed it was from NegotiateStream and it brought me to this block of code. I knew it wasn't affecting NTLM as -Server $ipAddr was working so I knew it was calling Encrypt which in turn I know calls the Win32 call EncryptMessage. Doing a git blame I saw the PR mentioned which made a few changes so that's the first place I assumed was the culprit.

As for the actual traces for EncryptMessage. It was through a special tool I've written, PSDetour, which can hook C APIs and have it run PowerShell code instead. I have a few known APIs I've hooked for tracing purposes in the past at PSDetour-Hooks and this includes one for EncryptMessage. Using it is as simple as installing the deps and then using the Trace-Process.ps1 script in that repository:

There can be a lot of output depending on what you are tracing which is why I like to tee the output to a file. You can even use this to target non-PowerShell processes (like lsass!) but it is quite invasive so not something I recommend for production purposes and it won't work for .NET Framework based processes (like Windows PowerShell 5.1).
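The comment above narrows the fault to the Kerberos/NegotiateStream encryption path, observing that -Server by IP address (which falls back to NTLM) still works. The following script, an added example that is not part of the issue thread or of PSDetour, reproduces that comparison and walks the InnerException chain so the "encryption operation failed" message surfaces instead of the misleading outer error. $DomainController and $DcIpAddress are placeholders for your own environment; the classification of an exception as an EncryptMessage failure by matching the message text is an assumption for illustration.

```powershell
# Added example, not code from the issue or from PSDetour. Runs the same Get-ADUser
# query against a DC by hostname (Kerberos) and by IP (NTLM fallback) and dumps the
# full exception chain for any failure. Placeholders: $DomainController, $DcIpAddress.
param(
    [Parameter(Mandatory)] [string] $DomainController,   # e.g. dc01.corp.example (placeholder)
    [Parameter(Mandatory)] [string] $DcIpAddress,        # the same DC by IP, forcing NTLM
    [string] $Filter = 'SamAccountName -like "*test*"'   # filter from the original report
)

Import-Module ActiveDirectory -ErrorAction Stop

function Get-ExceptionChain {
    # Flatten Exception -> InnerException -> ... into one row per level.
    param([Parameter(Mandatory)] [System.Exception] $Exception)
    $depth = 0
    for ($e = $Exception; $null -ne $e; $e = $e.InnerException) {
        [pscustomobject]@{
            Depth   = $depth++
            Type    = $e.GetType().FullName
            Message = $e.Message
        }
    }
}

function Test-AdQuery {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [Parameter(Mandatory)] [string] $Label
    )
    try {
        $users = @(Get-ADUser -Server $Server -Filter $Filter -ErrorAction Stop)
        [pscustomobject]@{ Path = $Label; Server = $Server; Result = 'OK'; Count = $users.Count; Chain = $null }
    }
    catch {
        $chain = Get-ExceptionChain -Exception $_.Exception
        # The telling message sits deep in the chain, not on the outer exception.
        # Matching on message text is an assumption made for this example.
        $encrypt = $chain | Where-Object Message -like '*encryption operation failed*'
        [pscustomobject]@{
            Path   = $Label
            Server = $Server
            Result = if ($encrypt) { 'EncryptMessage failure' } else { 'Other failure' }
            Count  = 0
            Chain  = $chain
        }
    }
}

$results = @(
    (Test-AdQuery -Server $DomainController -Label 'Kerberos (hostname)')
    (Test-AdQuery -Server $DcIpAddress      -Label 'NTLM fallback (IP)')
)

$results | Format-Table Path, Server, Result, Count -AutoSize
foreach ($r in ($results | Where-Object Chain)) {
    "--- Exception chain for $($r.Path) ---"
    $r.Chain | Format-Table Depth, Type, Message -AutoSize -Wrap
}
"PowerShell $($PSVersionTable.PSVersion) on $($PSVersionTable.OS)"
```

On an affected build the hostname run is expected to report an EncryptMessage failure while the IP run succeeds; if both fail with the same chain, the problem is not the Kerberos encryption path described above and the runtime fix will not help.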
Thanks for testing it! I’ll submit a PR later today.
Can confirm the changes in your dll now work
Looking at the raw SSPI calls I now see
This lines up with what I saw previously in net7 so the changes seem good.
Thanks for the quick turnaround, love your work!
Should this be added to the preview 5 and 6 release notes as a known issue or breaking change? That's the first place many folks I know look when running into issues, and it would help others who routinely perform Get-ADxx commands to know if they should avoid using these versions.
Just an FYI while preview 6 of pwsh is based on rc1, the fix for this issue is not in rc1. The backport commit which fixed the problem should be in rc2+ https://github.com/dotnet/runtime/commit/217be6c5b81c38bcfdd8d014a3a0b4412b6c2c1c when it’s released.
@jborean93 Thanks! This is a great explanation, and another tool in my toolkit.
It's not working for me either, different error though, but it confirms it is clearly a preview issue. Checked in 2 different Domains, same error.