Improve SAMR connectivity

Author: MichaelGrafnetter

Documentation/CHANGELOG.md

@@ -7,7 +7,14 @@ All notable changes to this project will be documented in this file. The format
 
 ## [Unreleased]
 
-- Nothing yet.
+### Added
+
+- Added the `-UseNamedPipe` parameter to the `Get-SamPasswordPolicy` cmdlet.
+
+### Fixed
+
+- Fixed a missing `throw` in `SafeUnicodeSecureStringPointer` that silently ignored invalid password byte arrays.
+- Improved SAMR authentication fallback for localhost and missing SPN scenarios.
 
 ## [6.4] - 2026-03-28
 

Documentation/PowerShell/Add-ADReplSidHistory.md

@@ -112,7 +112,7 @@ Specifies the destination domain in which the destination principal resides. The
 ```yaml
 Type: String
 Parameter Sets: CrossForest
-Aliases:
+Aliases: DstDomain
 
 Required: True
 Position: Named
@@ -127,7 +127,7 @@ Specifies the destination security principal that receives the source SID histor
 ```yaml
 Type: String
 Parameter Sets: CrossForest, IntraDomain
-Aliases:
+Aliases: DstPrincipal
 
 Required: True
 Position: Named
@@ -157,7 +157,7 @@ Specifies the credentials to be used in the source domain.
 ```yaml
 Type: PSCredential
 Parameter Sets: CrossForest
-Aliases:
+Aliases: SrcCreds
 
 Required: False
 Position: Named
@@ -172,7 +172,7 @@ Specifies the source domain to query for the SID of the source principal. The do
 ```yaml
 Type: String
 Parameter Sets: CrossForest
-Aliases:
+Aliases: SrcDomain
 
 Required: True
 Position: Named
@@ -187,7 +187,7 @@ Specifies the primary domain controller (PDC) or PDC role owner in the source do
 ```yaml
 Type: String
 Parameter Sets: CrossForest
-Aliases:
+Aliases: SrcDomainController, SourceServer
 
 Required: False
 Position: Named
@@ -202,7 +202,7 @@ Specifies the source security principal whose SID history is to be added. If -De
 ```yaml
 Type: String
 Parameter Sets: CrossForest, IntraDomain
-Aliases:
+Aliases: SrcPrincipal
 
 Required: True
 Position: Named

Documentation/PowerShell/Get-SamPasswordPolicy.md

@@ -13,7 +13,8 @@ Queries Active Directory for the default password policy.
 ## SYNTAX
 
 ```
-Get-SamPasswordPolicy -Domain <String> [-Credential <PSCredential>] [-Server <String>] [<CommonParameters>]
+Get-SamPasswordPolicy -Domain <String> [-UseNamedPipe] [-Credential <PSCredential>] [-Server <String>]
+ [<CommonParameters>]
 ```
 
 ## DESCRIPTION
@@ -102,6 +103,21 @@ Accept pipeline input: False
 Accept wildcard characters: False
 ```
 
+### -UseNamedPipe
+Use named pipes (RPC/NP) transport instead of TCP to connect to the target server.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases: UseNamedPipes
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
 ### CommonParameters
 This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
 

Src/DSInternals.Common/Interop/SafeUnicodeSecureStringPointer.cs

@@ -12,7 +12,7 @@ public sealed class SafeUnicodeSecureStringPointer : SafeHandleZeroOrMinusOneIsI
 {
     private int numChars;
 
-    public SafeUnicodeSecureStringPointer(SecureString password)
+    public SafeUnicodeSecureStringPointer(SecureString? password)
         : base(true)
     {
         if (password != null)
@@ -23,15 +23,15 @@ public SafeUnicodeSecureStringPointer(SecureString password)
         }
     }
 
-    public SafeUnicodeSecureStringPointer(byte[] password)
+    public SafeUnicodeSecureStringPointer(byte[]? password)
         : base(true)
     {
         if (password != null)
         {
             if (password.Length % sizeof(char) == 1)
             {
                 // Unicode strings must have even number of bytes
-                new ArgumentOutOfRangeException(nameof(password));
+                throw new ArgumentOutOfRangeException(nameof(password));
             }
 
             IntPtr buffer = Marshal.AllocHGlobal(password.Length + sizeof(char));

Src/DSInternals.Common/Interop/WindowsAuthenticationIdentity.cs

@@ -35,7 +35,7 @@ public struct WindowsAuthenticationIdentity : IDisposable
     /// <summary>
     /// String containing the user's password in the domain or workgroup.
     /// </summary>
-    private SafeUnicodeSecureStringPointer? _password;
+    private SafeUnicodeSecureStringPointer _password;
 
     /// <summary>
     /// Number of characters in Password, excluding the terminating NULL.
@@ -85,7 +85,7 @@ public string? Domain
     /// <summary>
     /// User's password.
     /// </summary>
-    public SecureString Password
+    public SecureString? Password
     {
         set
         {
@@ -100,14 +100,19 @@ public SecureString Password
     /// <summary>
     /// Initializes a new instance of the <see cref="WindowsAuthenticationIdentity"/> struct.
     /// </summary>
-    public WindowsAuthenticationIdentity(NetworkCredential credential)
+    public WindowsAuthenticationIdentity(NetworkCredential? credential)
     {
         if (credential != null)
         {
             User = credential.UserName;
             Domain = credential.Domain;
             Password = credential.SecurePassword;
         }
+        else
+        {
+            // Impersonate the current user with a null password
+            Password = null;
+        }
     }
 
     /// <summary>

Src/DSInternals.PowerShell/Commands/Base/SamCommandBase.cs

@@ -16,6 +16,10 @@ protected SamServer SamServer
         private set;
     }
 
+    // Most password-related operations are denied when RPC over TCP is used,
+    // so we use RPC over named pipes by default.
+    protected virtual bool UseNamedPipes => true;
+
     #region Parameters
     [Parameter(
         HelpMessage = "Specify the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user.",
@@ -61,7 +65,7 @@ protected override void BeginProcessing()
         try
         {
             NetworkCredential? netCred = this.Credential?.GetNetworkCredential();
-            this.SamServer = new(this.Server, SamServerAccessMask.LookupDomain | SamServerAccessMask.EnumerateDomains, netCred, useNamedPipes: true);
+            this.SamServer = new(this.Server, SamServerAccessMask.LookupDomain | SamServerAccessMask.EnumerateDomains, netCred, this.UseNamedPipes);
         }
         catch (Win32Exception ex)
         {

Src/DSInternals.PowerShell/Commands/LSA/GetSamPasswordPolicyCommand.cs

@@ -16,9 +16,20 @@ public string Domain
         get;
         set;
     }
+
+    [Parameter]
+    [Alias("UseNamedPipes")]
+    public SwitchParameter UseNamedPipe
+    {
+        get;
+        set;
+    }
     #endregion Parameters
 
     #region Cmdlet Overrides
+
+    protected override bool UseNamedPipes => UseNamedPipe.IsPresent;
+
     protected override void ProcessRecord()
     {
         this.WriteVerbose($"Opening domain {this.Domain}.");

Src/DSInternals.PowerShell/en-US/DSInternals.PowerShell.dll-Help.xml

@@ -1038,7 +1038,7 @@ PS C:\&gt; Start-Service -Name ntds</dev:code>
           </dev:type>
           <dev:defaultValue>False</dev:defaultValue>
         </command:parameter>
-        <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="none">
+        <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="DstPrincipal">
           <maml:name>DestinationPrincipal</maml:name>
           <maml:description>
             <maml:para>Specifies the destination security principal that receives the source SID history.</maml:para>
@@ -1062,7 +1062,7 @@ PS C:\&gt; Start-Service -Name ntds</dev:code>
           </dev:type>
           <dev:defaultValue>None</dev:defaultValue>
         </command:parameter>
-        <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="none">
+        <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="SrcPrincipal">
           <maml:name>SourcePrincipal</maml:name>
           <maml:description>
             <maml:para>Specifies the source security principal whose SID history is to be added. If -DeleteSourceObject is specified, this value should be a DN; otherwise, it should be a domain-relative SAM name.</maml:para>
@@ -1089,7 +1089,7 @@ PS C:\&gt; Start-Service -Name ntds</dev:code>
           </dev:type>
           <dev:defaultValue>None</dev:defaultValue>
         </command:parameter>
-        <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none">
+        <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="DstDomain">
           <maml:name>DestinationDomain</maml:name>
           <maml:description>
             <maml:para>Specifies the destination domain in which the destination principal resides. The domain name can be an FQDN or a NetBIOS name.</maml:para>
@@ -1101,7 +1101,7 @@ PS C:\&gt; Start-Service -Name ntds</dev:code>
           </dev:type>
           <dev:defaultValue>None</dev:defaultValue>
         </command:parameter>
-        <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="none">
+        <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="DstPrincipal">
           <maml:name>DestinationPrincipal</maml:name>
           <maml:description>
             <maml:para>Specifies the destination security principal that receives the source SID history.</maml:para>
@@ -1125,7 +1125,7 @@ PS C:\&gt; Start-Service -Name ntds</dev:code>
           </dev:type>
           <dev:defaultValue>None</dev:defaultValue>
         </command:parameter>
-        <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none">
+        <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="SrcCreds">
           <maml:name>SourceCredential</maml:name>
           <maml:description>
             <maml:para>Specifies the credentials to be used in the source domain.</maml:para>
@@ -1137,7 +1137,7 @@ PS C:\&gt; Start-Service -Name ntds</dev:code>
           </dev:type>
           <dev:defaultValue>None</dev:defaultValue>
         </command:parameter>
-        <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none">
+        <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="SrcDomain">
           <maml:name>SourceDomain</maml:name>
           <maml:description>
             <maml:para>Specifies the source domain to query for the SID of the source principal. The domain name can be an FQDN or a NetBIOS name.</maml:para>
@@ -1149,7 +1149,7 @@ PS C:\&gt; Start-Service -Name ntds</dev:code>
           </dev:type>
           <dev:defaultValue>None</dev:defaultValue>
         </command:parameter>
-        <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none">
+        <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="SrcDomainController, SourceServer">
           <maml:name>SourceDomainController</maml:name>
           <maml:description>
             <maml:para>Specifies the primary domain controller (PDC) or PDC role owner in the source domain.</maml:para>
@@ -1161,7 +1161,7 @@ PS C:\&gt; Start-Service -Name ntds</dev:code>
           </dev:type>
           <dev:defaultValue>None</dev:defaultValue>
         </command:parameter>
-        <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="none">
+        <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="SrcPrincipal">
           <maml:name>SourcePrincipal</maml:name>
           <maml:description>
             <maml:para>Specifies the source security principal whose SID history is to be added. If -DeleteSourceObject is specified, this value should be a DN; otherwise, it should be a domain-relative SAM name.</maml:para>
@@ -1212,7 +1212,7 @@ PS C:\&gt; Start-Service -Name ntds</dev:code>
         </dev:type>
         <dev:defaultValue>False</dev:defaultValue>
       </command:parameter>
-      <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none">
+      <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="DstDomain">
         <maml:name>DestinationDomain</maml:name>
         <maml:description>
           <maml:para>Specifies the destination domain in which the destination principal resides. The domain name can be an FQDN or a NetBIOS name.</maml:para>
@@ -1224,7 +1224,7 @@ PS C:\&gt; Start-Service -Name ntds</dev:code>
         </dev:type>
         <dev:defaultValue>None</dev:defaultValue>
       </command:parameter>
-      <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="none">
+      <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="DstPrincipal">
         <maml:name>DestinationPrincipal</maml:name>
         <maml:description>
           <maml:para>Specifies the destination security principal that receives the source SID history.</maml:para>
@@ -1248,7 +1248,7 @@ PS C:\&gt; Start-Service -Name ntds</dev:code>
         </dev:type>
         <dev:defaultValue>None</dev:defaultValue>
       </command:parameter>
-      <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none">
+      <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="SrcCreds">
         <maml:name>SourceCredential</maml:name>
         <maml:description>
           <maml:para>Specifies the credentials to be used in the source domain.</maml:para>
@@ -1260,7 +1260,7 @@ PS C:\&gt; Start-Service -Name ntds</dev:code>
         </dev:type>
         <dev:defaultValue>None</dev:defaultValue>
       </command:parameter>
-      <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none">
+      <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="SrcDomain">
         <maml:name>SourceDomain</maml:name>
         <maml:description>
           <maml:para>Specifies the source domain to query for the SID of the source principal. The domain name can be an FQDN or a NetBIOS name.</maml:para>
@@ -1272,7 +1272,7 @@ PS C:\&gt; Start-Service -Name ntds</dev:code>
         </dev:type>
         <dev:defaultValue>None</dev:defaultValue>
       </command:parameter>
-      <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none">
+      <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="SrcDomainController, SourceServer">
         <maml:name>SourceDomainController</maml:name>
         <maml:description>
           <maml:para>Specifies the primary domain controller (PDC) or PDC role owner in the source domain.</maml:para>
@@ -1284,7 +1284,7 @@ PS C:\&gt; Start-Service -Name ntds</dev:code>
         </dev:type>
         <dev:defaultValue>None</dev:defaultValue>
       </command:parameter>
-      <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="none">
+      <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="SrcPrincipal">
         <maml:name>SourcePrincipal</maml:name>
         <maml:description>
           <maml:para>Specifies the source security principal whose SID history is to be added. If -DeleteSourceObject is specified, this value should be a DN; otherwise, it should be a domain-relative SAM name.</maml:para>
@@ -9061,6 +9061,17 @@ Local Domain SID      : S-1-5-21-2929860833-2984454239-2848460202
           </dev:type>
           <dev:defaultValue>localhost</dev:defaultValue>
         </command:parameter>
+        <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="UseNamedPipes">
+          <maml:name>UseNamedPipe</maml:name>
+          <maml:description>
+            <maml:para>Use named pipes (RPC/NP) transport instead of TCP to connect to the target server.</maml:para>
+          </maml:description>
+          <dev:type>
+            <maml:name>SwitchParameter</maml:name>
+            <maml:uri />
+          </dev:type>
+          <dev:defaultValue>False</dev:defaultValue>
+        </command:parameter>
       </command:syntaxItem>
     </command:syntax>
     <command:parameters>
@@ -9101,6 +9112,18 @@ Local Domain SID      : S-1-5-21-2929860833-2984454239-2848460202
         </dev:type>
         <dev:defaultValue>localhost</dev:defaultValue>
       </command:parameter>
+      <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="UseNamedPipes">
+        <maml:name>UseNamedPipe</maml:name>
+        <maml:description>
+          <maml:para>Use named pipes (RPC/NP) transport instead of TCP to connect to the target server.</maml:para>
+        </maml:description>
+        <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue>
+        <dev:type>
+          <maml:name>SwitchParameter</maml:name>
+          <maml:uri />
+        </dev:type>
+        <dev:defaultValue>False</dev:defaultValue>
+      </command:parameter>
     </command:parameters>
     <command:inputTypes>
       <command:inputType>

Src/DSInternals.SAM/Interop/NativeMethods.Sam.cs

@@ -45,15 +45,17 @@ internal static NtStatus SamConnect(string serverName, out SafeSamHandle serverH
     [DllImport(SamLib, SetLastError = true, CharSet = CharSet.Unicode)]
     private static extern NtStatus SamConnectWithCreds([In] ref UnicodeString serverName, out SafeSamHandle serverHandle, SamServerAccessMask accessMask, IntPtr objectAttributes, [In] ref WindowsAuthenticationIdentity authIdentity, [MarshalAs(UnmanagedType.LPWStr)] string? servicePrincipalName, [MarshalAs(UnmanagedType.Bool)] out bool isWin2k);
 
-    internal static NtStatus SamConnectWithCreds(string serverName, out SafeSamHandle serverHandle, SamServerAccessMask accessMask, NetworkCredential credential)
+    internal static NtStatus SamConnectWithCreds(string serverName, out SafeSamHandle serverHandle, SamServerAccessMask accessMask, NetworkCredential? credential)
     {
         UnicodeString unicodeServerName = new(serverName);
         string servicePrincipalName = SpnPrefix + serverName;
         WindowsAuthenticationIdentity authIdentity = new(credential);
 
         NtStatus result = SamConnectWithCreds(ref unicodeServerName, out serverHandle, accessMask, objectAttributes: IntPtr.Zero, ref authIdentity, servicePrincipalName, out bool _);
 
-        if (result == NtStatus.RpcUnknownAuthenticationService)
+        // If the server does not support Kerberos or if the SPN is not found, the server may return STATUS_RPC_UNKNOWN_AUTHENTICATION_SERVICE or STATUS_INVALID_HANDLE.
+        // STATUS_INVALID_HANDLE is also returned for localhost connections.
+        if (result == NtStatus.RpcUnknownAuthenticationService || result == NtStatus.InvalidHandle)
         {
             // Try it again, but without the SPN, to force NTLM instead of Negotiate.
             result = SamConnectWithCreds(ref unicodeServerName, out serverHandle, accessMask, objectAttributes: IntPtr.Zero, ref authIdentity, servicePrincipalName: null, out bool _);