From the field: RPC client authentication breaks SID translation

SID translation problems

Weird things can happen if something goes wrong with the RPC protocol, wheter it’s related to network traffic being blocked by a firewall (yes, I’m talking to you ephemeral ports) or just because the name resolution contains numerous configuration errors.

Recently I was asked to troubleshoot SID translation problems over a forest trust. The configuration was pretty straightforward, two forests with a one-way forest trust. Now, when the administrator nested groups from domain A to domain B it showed the SID of that security group instead of the Distinguished Name.

SID Translation

I started to run some port tests with portqry between Domain Controllers and clients but all looked pretty good, all traffic passed. There were no warnings or errors in the eventlogs of the Domain Controllers whatsoever, DNS was up and running without any issues. Everything was functional except the SID translation didn’t work.

Next up: create a network trace with netsh and check the results with Microsoft Message Analyzer.

RPC Error Access Denied

The trace gave me some more insights, every time a group from the other forest was opened (at this point SID translation should occur) the RPC Endpoint gave a status ERROR_ACCESS_DENIED. We can see that the EPM bind is successful but in the end te connection fails.

Combined with the error access denied and status=0x5 I came across this article.

RPC Endpoint Mapper Client Authentication

At this point I was going to compare the group policy configuration of both forests and found a mismatch. Both domains have implemented CIS-CAT group policies. No bells ringing? The Center of Internet Security (CIS) delivers a (paid) security benchmarking tool named CIS-CAT (CIS Configuration Assessment Tool). This tool scans your OS and creates security advisory reports, this includes Group Policy recommendations.

One of the configured GPO’s was RPC Endpoint Mapper client authentication. This policy was configured and linked to the Domain Controllers OU, this was true for only domain A. This is the statement CIS-CAT makes about this particular policy:

This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call they are making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all service packs) cannot process authentication information supplied in this manner. This policy setting can cause a specific issue with 1-way forest trusts if it is applied to the trusting domain DCs (see Microsoft KB3073942), so we do not recommend applying it to domain controllers.

I couldn’t blame the admins because CIS added this information in a updated version of their benchmark, the version from 2015 didn’t include this statement.

After disabling this policy SID translation started to work.

Lessons Learned:

Never ever enable this policy on Domain Controllers where a one-way forest trust is in place.

 

References

RPC Endpoint Mapper client authentication prevents users and groups from being added to trusting forest
https://support.microsoft.com/en-us/kb/3073942

Restrictions for Unauthenticated RPC Clients: The group policy that punches your domain in the face
https://blogs.technet.microsoft.com/askds/2011/04/08/restrictions-for-unauthenticated-rpc-clients-the-group-policy-that-punches-your-domain-in-the-face/

Troubleshooting SID translation failures from the obvious to the not so obvious
https://blogs.technet.microsoft.com/askds/2011/07/28/troubleshooting-sid-translation-failures-from-the-obvious-to-the-not-so-obvious/

CIS Microsoft Windows Server 2012 R2 Benchmark v2.2.0 – 04-28-2016
https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_R2_Benchmark_v2.2.0.pdf