KB000009: Access Manager may return an out-of-date LAPS password, or no password at all

Summary

When requesting a LAPS password from the web app, the following situations may occur:

  1. The user sees the message "The requested computer does not have a local admin password".

  2. The user receives a password, but when they try to use it on the machine, they are told that the password is incorrect.

Cause

When a user requests access to a LAPS password, Access Manager will query each of the following sources to find a matching computer and retrieve its LAPS password.

  1. The "Legacy LAPS" Active Directory attribute ms-mcs-AdmPwd

  2. The "new" Windows LAPS Active Directory attribute msLAPS-Password

  3. The AMS database, for devices running the Access Manager agent and using it to manage their LAPS passwords

  4. The Entra ID service

The passwords retrieved are then sorted by their creation date, and the newest password is returned to the user.

Legacy LAPS passwords do not have a creation date stored with them (Active Directory only stores an expiry time for them), so they are always placed at the end of the list, and only returned if no other password is found.

If the service account does not have permission to read the attribute, or, in the case of Windows LAPS, to decrypt the password, then that entry is silently skipped; the user is not shown an error.

For example, an organization that previously deployed legacy LAPS and then moved to Windows LAPS may still have an obsolete password in the legacy LAPS attribute. If permissions to read the Windows LAPS attributes have not been set up correctly, Access Manager sees only the legacy LAPS attribute and returns that value, so the user receives a password that no longer works on the target machine.

Another example: if an organization has deployed only legacy LAPS but has not granted the service account permission to read the attribute, Access Manager reports that the computer does not have a LAPS password.

Resolution

The first step in resolving the issue is to use the Microsoft native tools to make sure a LAPS password exists in the first place. If the password does exist, then the problem is almost certainly a permissions problem.

For Active Directory-based LAPS passwords

Follow the steps carefully in the Active Directory LAPS configuration guide. Use the delegation script provided by the config app to correctly apply the Active Directory permissions.

If you are using encrypted passwords with Windows LAPS, ensure that the AMS service account is added to the authorized password decryptors setting as noted in the guide.

Note that if you add the AMS service account to an existing group that grants LAPS password permissions, you'll need to restart the AMS server to pick up the new group membership. Group memberships are part of the account's logon token and are only refreshed when the service logs on again.
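The following diagnostic script is added here as an example; it is not part of Access Manager or Lithnet's code. It reads the Active Directory sources listed in the Cause section (the legacy ms-Mcs-AdmPwd attribute and the Windows LAPS cleartext and encrypted attributes), applies the same selection rule described there (newest creation date wins, entries with no date are tried last), lists who holds the extended rights on the computer's OU, and can be run with the AMS service account's credential to see exactly what that account can read. It assumes the ActiveDirectory and LAPS PowerShell modules are installed; 'CONTOSO\svc-ams' is a placeholder account name.

```powershell
<#
 Added diagnostic example (not Lithnet's code). Run it as yourself first to confirm a
 password exists, then with -Credential for the AMS service account to confirm it can
 read and, for encrypted Windows LAPS, decrypt it.
#>
param(
    [Parameter(Mandatory)] [string] $ComputerName,
    [pscredential] $Credential,          # e.g. (Get-Credential 'CONTOSO\svc-ams'), placeholder name
    [switch] $ShowPassword               # passwords are hidden from the table unless requested
)

Import-Module ActiveDirectory -ErrorAction Stop
Import-Module LAPS -ErrorAction Stop     # Windows LAPS module; absent on hosts without the LAPS update

$who    = if ($Credential) { $Credential.UserName } else { "$env:USERDOMAIN\$env:USERNAME" }
$common = @{ ErrorAction = 'Stop' }
if ($Credential) { $common.Credential = $Credential }

$candidates = [System.Collections.Generic.List[object]]::new()

# 1. Legacy LAPS. Attributes the caller cannot read are simply missing from the result,
#    which is why a permissions problem looks identical to "no password set".
$legacyAttrs = 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime'
$computer = Get-ADComputer -Identity $ComputerName -Properties $legacyAttrs @common
if ($computer.'ms-Mcs-AdmPwd') {
    $expires = if ($computer.'ms-Mcs-AdmPwdExpirationTime') {
        [datetime]::FromFileTimeUtc([int64]$computer.'ms-Mcs-AdmPwdExpirationTime')
    }
    $candidates.Add([pscustomobject]@{
        Source   = 'Legacy LAPS (ms-Mcs-AdmPwd)'
        Created  = $null                 # legacy LAPS stores no creation time, only an expiry
        Expires  = $expires
        Password = $computer.'ms-Mcs-AdmPwd'
    })
}
else {
    Write-Warning "ms-Mcs-AdmPwd is empty or not readable as $who"
}

# 2. Windows LAPS. Get-LapsADPassword reads msLAPS-Password directly and decrypts
#    msLAPS-EncryptedPassword only if the caller is an authorized decryptor.
try {
    foreach ($entry in (Get-LapsADPassword -Identity $ComputerName -AsPlainText @common)) {
        if ($entry.Password) {
            $candidates.Add([pscustomobject]@{
                Source   = "Windows LAPS ($($entry.Source))"
                Created  = $entry.PasswordUpdateTime
                Expires  = $entry.ExpirationTimestamp
                Password = $entry.Password
            })
        }
        else {
            Write-Warning "Windows LAPS entry found but no cleartext returned as $who (DecryptionStatus: $($entry.DecryptionStatus))"
        }
    }
}
catch {
    Write-Warning "Windows LAPS lookup failed as $who : $($_.Exception.Message)"
}

# 3. Selection rule from the Cause section: dated entries first, newest on top; undated (legacy) last.
$ordered = $candidates |
    Sort-Object @{ Expression = { $null -eq $_.Created } },
                @{ Expression = 'Created'; Descending = $true }
$chosen = $ordered | Select-Object -First 1

# 4. Who holds the password read rights on the computer's OU. The AMS service account,
#    or a group it belongs to, must appear here for the relevant LAPS flavour.
$ou = $computer.DistinguishedName -replace '^CN=[^,]+,', ''
Write-Host "`nExtended-right holders on $ou"
if (Get-Command Find-AdmPwdExtendedRights -ErrorAction SilentlyContinue) {
    Find-AdmPwdExtendedRights -Identity $ou | Select-Object -ExpandProperty ExtendedRightHolders
}
Find-LapsADExtendedRights -Identity $ou | Select-Object -ExpandProperty ExtendedRightHolders

Write-Host "`nCandidates visible as $who, in the order Access Manager would consider them:"
$columns = if ($ShowPassword) { 'Source', 'Created', 'Expires', 'Password' } else { 'Source', 'Created', 'Expires' }
$ordered | Format-Table $columns -AutoSize
if ($chosen) { Write-Host "Access Manager would return the '$($chosen.Source)' entry." }
else         { Write-Host "No password visible as $who; the web app would report that the computer has no local admin password." }
```

If the script finds a Windows LAPS password when run as you but only the legacy entry (or nothing) when run with the service account's credential, the problem is the delegation, not the directory, and the delegation script from the config app is the fix. Run it from a domain-joined host, since decrypting a Windows LAPS password relies on domain DPAPI-NG.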

Entra ID-based LAPS passwords

Follow the steps carefully in the Entra ID LAPS configuration guide.

Note that if you add scopes to the app registration, you will need to restart the AMS server to refresh its token and pick up the new scope claims.
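The following check is an added example and not Lithnet's code. It connects to Microsoft Graph with the app registration used for Entra ID LAPS, shows which permissions are actually present in the token Graph issued (which is what the AMS server caches until it is restarted), and then reads one device's local credential. It assumes the app authenticates with a certificate and has been granted the DeviceLocalCredential.Read.All application permission, which Graph requires for this endpoint; the tenant, client ID, thumbprint and device ID parameters are placeholders you supply.

```powershell
<#
 Added example (not Lithnet's code): verify the Entra ID LAPS app registration can read a
 device's local administrator credential through Microsoft Graph.
#>
param(
    [Parameter(Mandatory)] [string] $TenantId,
    [Parameter(Mandatory)] [string] $ClientId,
    [Parameter(Mandatory)] [string] $CertificateThumbprint,
    [Parameter(Mandatory)] [string] $DeviceId        # the device's Entra device ID (GUID)
)

Import-Module Microsoft.Graph.Authentication -ErrorAction Stop

Connect-MgGraph -TenantId $TenantId -ClientId $ClientId -CertificateThumbprint $CertificateThumbprint -NoWelcome

# The scopes in the context come from the token Graph just issued. A permission added to the
# app registration after a token was cached is not in that token, which is why the AMS server
# must be restarted to pick up new scope claims.
$granted = (Get-MgContext).Scopes
if ($granted -notcontains 'DeviceLocalCredential.Read.All') {
    Write-Warning "Token lacks DeviceLocalCredential.Read.All (has: $($granted -join ', ')). Grant admin consent, then reconnect."
}

try {
    # ${DeviceId} is braced so the following '?' is not parsed as part of the variable name.
    $uri = "https://graph.microsoft.com/v1.0/directory/deviceLocalCredentials/${DeviceId}?`$select=credentials"
    $result = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject

    if (-not $result.credentials) {
        Write-Warning "Device found but no credentials returned; the device may not have backed up a password yet."
    }
    foreach ($cred in $result.credentials) {
        # Graph returns the password base64-encoded. Decode only to confirm it is present;
        # the value itself is deliberately not printed.
        $plain = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($cred.passwordBase64))
        [pscustomobject]@{
            Account        = $cred.accountName
            BackupDateTime = $cred.backupDateTime
            PasswordLength = $plain.Length
        }
    }
}
catch {
    # A 403 here with the permission missing from $granted is the stale-token case above.
    Write-Warning "Graph call failed: $($_.Exception.Message)"
}
finally {
    Disconnect-MgGraph | Out-Null
}
```

A 403 from the credential call while the permission is visible in the token points at the app registration's consent, not at caching; a 403 with the permission absent from the token means the token was issued before consent was granted and a fresh one is needed.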

Further troubleshooting

If you are still not seeing the correct password presented by the web app, then more information may be available in the server logs.

First, reproduce the issue by querying for the password in the web app.

Then look inside the access-manager-webapp.log file, located in the C:\Program Files\Lithnet Access Manager Server\logs folder. The log might show an error message or other information as to why the password could not be retrieved from the relevant directory.
