I am having some problems with the encryption in Windows LAPS in Active Directory. I am using Samba-AD, so I have followed this guide:
https://samba.tranquil.it/doc/en/samba_advanced_methods/samba_configure_laps.html
And it worked great. I was able to expire the password seamlessly, like you’re supposed to in LAPS, which is really nice, btw.
However, I want to encrypt the passwords, as I’m afraid of security problems if I didn’t. So I added the setting to the GPO, "Enable password encryption" set to Enabled, with our Domain Admins group set as the password decryptors. And suddenly LAPS stopped working. Looking at Event Viewer on the client computers under Applications and Services Logs > Microsoft > Windows > LAPS > Operational, I see the errors:
“LAPS failed to update Active Directory with the new password. The current password has not been modified. Error code: 0x80090034
See https://go.microsoft.com/fwlink/?linkid=2220550 for more information.”
Preceded by:
“Encryption of the new password failed.
Error code: 0x80090034
This problem may occur if a KDS root key is not available. Verify that a KDS root key is available by running the Get-KdsRootKey PowerShell cmdlet, and also verify that the root key’s EffectiveTime field is valid right now.
If a KDS root key is not present, you must add one by running the Add-KdsRootKey PowerShell cmdlet with the -EffectiveImmediately parameter. Allow sufficient time for the new key to replicate around your forest.
See https://go.microsoft.com/fwlink/?linkid=2220550 for more information.”
I didn’t have a KDS root key, so I created one and waited the 10+ hours, but it still didn’t work.
When I run “Get-KdsRootKey” on my client as a user I don’t get a response, but when I run it as an admin user on a client computer I can get it.
I’m starting to think that the KDS root key is maybe not the underlying problem, but I can’t see what else it can be.
I found this post https://answers.microsoft.com/en-us/msoffice/forum/all/error-code-80090034/2c968bd7-8f20-4878-83cc-2296e26d5aad
and tried following it, but it didn’t work.
I have looked into replication issues, but it doesn’t seem that there is any.
I hope you can help me, as I am very lost and have had problems with this for a long time now.
I would really appreciate any help, as I’m very lost, and new to these things 🙂
Thank you!
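The checks that the two quoted events point at, collected into one PowerShell diagnostic to run in an elevated session on an affected client. This is an added example, not code from the question, from the Samba guide or from Microsoft. It assumes the Kds cmdlets and the built-in Windows LAPS module are available on the client, reads the domain functional level through ADSI (the RootDSE attribute domainFunctionality) rather than the ActiveDirectory module so that it also works against a Samba DC, and uses the documented Windows LAPS policy registry path and value names; the 0x80090034 string is taken from the events above.

```powershell
# Added diagnostic for the Windows LAPS encryption failure quoted above.
# Not code from the original post, from Microsoft or from the Samba guide.
# Run elevated on a domain-joined Windows client with the LAPS module (built in)
# and the Kds cmdlets available. Assumed: policy key path and value names are the
# documented Windows LAPS policy keys; the error code is the one from the events.

$ErrorCode = '0x80090034'

# 1. Did the GPO actually apply on this client?
#    Windows LAPS reads its policy from HKLM\Software\Microsoft\Policies\LAPS.
$policyPath = 'HKLM:\Software\Microsoft\Policies\LAPS'
$policy = Get-ItemProperty -Path $policyPath -ErrorAction SilentlyContinue
if (-not $policy) {
    Write-Warning "No LAPS policy key at $policyPath; the GPO has not applied here."
} else {
    Write-Output ("ADPasswordEncryptionEnabled  : {0}" -f $policy.ADPasswordEncryptionEnabled)
    Write-Output ("ADPasswordEncryptionPrincipal: {0}" -f $policy.ADPasswordEncryptionPrincipal)
}

# 2. KDS root key: the event text says one must exist AND already be effective.
#    A key added without -EffectiveImmediately only becomes effective about
#    10 hours after creation, so check EffectiveTime against the current time.
$keys = Get-KdsRootKey -ErrorAction SilentlyContinue
if (-not $keys) {
    Write-Warning 'Get-KdsRootKey returned nothing. On a DC run: Add-KdsRootKey -EffectiveImmediately'
} else {
    $now = (Get-Date).ToUniversalTime()
    foreach ($k in $keys) {
        $effective = $k.EffectiveTime.ToUniversalTime() -le $now
        $state = if ($effective) { 'effective now' } else { 'NOT yet effective' }
        Write-Output ("KDS root key {0}: EffectiveTime={1:u} ({2})" -f $k.KeyId, $k.EffectiveTime, $state)
    }
}

# 3. Domain functional level: Windows LAPS password encryption requires the
#    domain to run at Windows Server 2016 functional level (value 7) or higher.
#    RootDSE is read over plain LDAP, so this works against a Samba DC too.
$rootDse = [ADSI]'LDAP://RootDSE'
$dfl = [int]$rootDse.domainFunctionality.Value
if ($dfl -lt 7) {
    Write-Warning "domainFunctionality is $dfl; password encryption needs 7 (Windows Server 2016) or higher."
} else {
    Write-Output "domainFunctionality is $dfl; sufficient for password encryption."
}

# 4. Show the LAPS events carrying the failing code, oldest first, so the
#    'Encryption of the new password failed' event appears before the
#    'failed to update Active Directory' event that follows it.
Get-WinEvent -LogName 'Microsoft-Windows-LAPS/Operational' -MaxEvents 100 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($ErrorCode) } |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, LevelDisplayName,
        @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize -Wrap

# 5. After changing anything above, force a LAPS processing cycle now instead of
#    waiting for the scheduled one, then re-run this script to read the new events.
Invoke-LapsPolicyProcessing
```

The script changes nothing on its own; each numbered step reports one prerequisite the events name (policy applied, KDS root key present and effective, functional level high enough) so the failing one can be isolated before forcing a retry.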