Regression in Calamari breaks Windows Service deploy with custom account password bound to empty string

[ArturDorochowicz]

Severity

No response

Version

2023.3

Latest Version

None

What happened?

I'm currently migrating from a very old Octopus version to a recent one. I've noticed that something in the deployment process that worked earlier doesn't work anymore.

We are deploying a Windows Service using Octopus's Deploy a Windows Service step. In general we use virtual service accounts (i.e. NT Service\[service name], for which you don't specify a password). But in some environments we want to use regular user accounts with password. User name and password are set via Octopus variables. For the regular user account case - both are set and scoped to the relevant environment. For the virtual service account - the password variable is not defined. This works in the old Octopus, but in the new one binding a custom account password property which resolves to empty string fails during deployment.

The issue was introduced in commit OctopusDeploy/Calamari@d2a83df in
source/Calamari/Scripts/Octopus.Features.WindowsService_BeforePostDeploy.ps1

Previous code did not attempt to set the password when it was empty:
OctopusDeploy/Calamari@d2a83df#diff-6e50016a01588ba50a2f8e14e65e2c7b20e84fff0aa04c829ec9973141287c50L107-L111

Current code has no such filtering and passes an empty password to the WMI call. Empty password here fails.
OctopusDeploy/Calamari@d2a83df#diff-6e50016a01588ba50a2f8e14e65e2c7b20e84fff0aa04c829ec9973141287c50R148-R151

As far as I see a solution is to coalesce empty string to null in the script. Passing $null there works correctly.

Reproduction

See above.

Error and Stacktrace

No response

More Information

No response

Workaround

No response

[susanpann]

Hey @ArturDorochowicz, thanks for raising this with us. I've had a quick look and have tried this in Powershell, but it seems to be working as expected for me.

$wmiService.change($null, $null, $null, $null, $null, $null, ".\LocalSystem", "", $null, $null, $null)
ReturnValue : 0

Are you able to provide any logs or any more details about the error you're seeing? Alternatively, it may be helpful to contact our support team as we are able to respond faster and may resolve your issue a lot quicker. (Support)

[ArturDorochowicz]

Interesting. But it does break in the scenario that I described, i.e. a virtual account (NT Service\xxx) [1].

Here's a log fragment:

12:11:02   Info     |       The test-ws service does not exist. It will be created.
12:11:02   Info     |       sc.exe create "test-ws" binPath= \"[REDACTED]\"  depend= "/" start= "disabled"
12:11:02   Info     |       [SC] CreateService SUCCESS
12:11:02   Error    |       OperationStopped: Unable to set custom service credentials for service 'test-ws'. Wmi returned 22.
12:11:02   Error    |       At [REDACTED]\Octopus.Features.WindowsService_BeforePostDeploy.ps1:154 char:3
12:11:02   Error    |       +         throw "Unable to set custom service credentials for service ' ...
12:11:02   Error    |       +         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
12:11:02   Error    |       at <ScriptBlock>, [REDACTED]\Octopus.Features.WindowsService_BeforePostDeploy.ps1: line 154

[1] https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-service-accounts#virtual-accounts

To reproduce outside of Octopus:

sc.exe create "test-notepad" binPath= \"C:\Windows\notepad.exe\" depend= "/" start= "disabled"
$wmiService = Get-WmiObject win32_service -filter "name='$("test-notepad" -replace "'", "\'")'" -computer "."
$wmiService.change($null, $null, $null, $null, $null, $null, 'NT Service\test-notepad', '', $null, $null, $null)

[octoreleasebot]

Release Note: Deploy Windows Services now bind empty account passwords correctly

[Octobob]

🎉 The fix for this issue has been released in:

Release stream	Release
2024.2	2024.2.5440
2024.3+	all releases