SPUserProfileServiceApp throws access denied when using the FarmAccount as the PsDscRunAsCredential #709
Comments
|
Hi @mariusv-msft, good point. Will check how we can fix this issue. |
…rProfileServiceApp introduced in SharePointDsc 2.0 - dsccommunity/SharePointDsc#709
|
Hello, I'm facing the same issue. |
|
This issue is a tricky one. Since v2.0 we require the PSRunAsCredentials or InstallAccount to be the farm account (so it wasn't required to use CredSSP). If the farm account is not local admin, in code we are trying to add these permissions to the account. But since the account isn't local admin, it is impossible to add local admin permissions......a true catch 22 :-( We are looking at the best way to solve this issue. If you have any suggestions, please share ;-) |
|
Actually I didn't know that v2 requires that PSRunAsCredentials or InstallAccount is set with the farm account. |
|
@Yvand, the farm account is only required for the User Profile Service App and Sync Connection resources, the rest should be run using an install account. The reason is that the User Profile requires this. Before v2.0 we already did that, but that method relied on CredSSP. Since we wanted to remove that requirement, we updated the resource unfortunately introducing this issue. |
|
@ykuijs, I believe SPAutoInstaller used to have an option to add the farm account to local admins while executing the script and would remove it from local admins when the script was finished (unless you specified the option to leave the user in the local admins group. On workaround would be to provide similar NonNodeData options like this and then use the Group resource to add (and optionally remove) the farm user to/from local admins. Not ideal, but just spitballin'. |
|
Time to bring in super @brianlalancette into the loop. |
|
Here's the AutoSPInstaller piece I'm talking about: https://github.com/brianlala/AutoSPInstaller/blob/master/AutoSPInstallerInput.xml#L80-L88 |
|
Yep that's correct AutoSPInstaller has that option. Feel free to reuse any code, if it makes sense to. |
|
Also, most users rely on @spencerharbar article to configure the UPS, and Spence makes the following recommendation: |
|
Haha, well there ya go. So maybe something like: |
|
And good news, no changes needed to SP DSC ;)... just some documentation and examples updated prob. |
|
Correct, the AutoSPInstaller method is based on this. I actually launch a new PS session as the Farm account |
|
That is what we did before 2.0: The resource ran with the Setup account permissions, which was local admin and was able to add the farm account to the local admin. Then UPS was provisioned and afterwards the farm account was removed again. However this method relied on CredSSP being configured and since CredSSP has some security issues we wanted to remove that dependency. I have thought about that Group resource option as well, but to prevent the farm account being present in the local administrators group for ever, we also need a resource to remove it again. And if we do that, the two resources are in conflict with each other, resulting in the farm account constantly being added and removed again each time the config is applied to the system. Personally I do not like that situation. |
|
Good point regarding the constant adding and removing of the farm account to/from local admins. However, that would only happen if LCM was set to ApplyAndAutoCorrect. Assuming most, if not all, people will be using either ApplyOnly or ApplyAndMonitor, this shouldn't be an issue. However, with ApplyAndMonitor, it would still report FirstAppServer as out of compliance after the 2nd run. This brings back up the ongoing question about which resources it makes sense to monitor for drift after initial deployment of the farm. Will people want to use this to ensure that a User Profile Service Application exists and automatically recreate it if it doesn't? Personally, if UPS goes missing, it's because I blew it away manually and would prefer to manually push the DSC config again or recreate it myself with powershell. |
|
I see many customers that are in the process of implementing DSC to make sure DTAP environments are really equal. They are planning to use DSC to deploy all types of changes and to monitor on a daily basis if the environments are still according to their baseline. That is why I would like to prevent a server constantly reporting it is out of compliance, which in this case it will. I have an alternative idea: |
ykuijs
added
the
needs investigation
* Added dedicated configuration for Front End and Updated to SqlServerDsc 10.0.0.0 - Updated to SqlServerDsc 10.0.0.0 (initial release renamed from xSqlServer) - Added dedicated configuration for Front End * Updated template to handle FrontEnd * Fixed SQL DSC config and updated parameters description * Fixed DSC parameters * Fixed DSC parameters * Set HTTPS certificate * Updated SharePointDsc to v2.0 and updated test to detect Azure context * Bypass an bug in SPWebAppAuthentication in SharePointDsc 2.0 * Updated parameters * Fixed SPUserProfileServiceApp to run as farm account * Temporarily add farm account to admin group to deal with bug in SPUserProfileServiceApp introduced in SharePointDsc 2.0 - dsccommunity/SharePointDsc#709 * Fixed MembersToInclude in Group resource * Updated FE to SharePointDsc v2.0 * Updated script to handle managed disks * Added ping of intranet zone before FE joins the farm * Now first SP server creates a file to indicate DSC finished * Reenabled CredSSP * Moved SPSite to avoid update conflict in SPAppDomain ConfigureLocalFarmAppUrls * Modifier location of file when DSC completes * Fixed certificate path in TrustCACertAsTrustedRootAuthority * Fixed path of DSC completion file * Fixed access denied to create DSC completion file * Updated information * Updated parameters
|
Just to reinforce the mindset that adding/removing to/from admins using the Group resource is NOT the way to go, DSC doesn't let us do this anyway. It throws an error when building the mof that a conflict exists between resources. ;) Is it really such a bad thing to use CredSSP? Is the main concern eliminating dependencies or reducing security vulnerabilities? If security, maybe we could further limit the delegate computers allowed from the client management box? This seems like a pretty crippling issue for the current production release, and I'm assuming the only current workaround is to manually add the farm account to the local admins of all boxes? Just thinking out loud. |
|
The reason why we wanted to remove CredSSP is security, as described in this article. But the more I investigate this issue, the less options we seem to have. Depending on CredSSP looks like the only option we have. |
|
It appears that our only option (if we keep CredSSP out of the equation), is to modify the Set-TargetResource function of the SPUserProfileServiceApp with additional logic to handle the following flow:
This way, we would not have any conflicting resource blocks, and the Test-TargetResource would not always report it as not compliant. When you really think about it, the provisioning portion ABSOLUTELY requires the Farm admin to be local admin for it to work, therefor it makes sense that this resource handles the add/remove process as well instead of depend on other resources to do stuff it requires. |
|
Actually, to add to my point, a colleague just pointed out to me that we are doing the same thing in the SPUserProfileSyncService resource. We call Add-SPDSCUserToLocalAdmin, start the service and then call Remove-SPDSCUserToLocalAdmin once everything has been provisioned. We should be reusing the same logic here. |
|
We have two issues with this solution:
This leads me to believe that re-adding a farm account parameter again, running the resource as the install account, adding the farm account and then executing the service application provision using CredSSP is the only option that will work. |
2 - Wouldn't calling into a separate Invoke-SPDSCCommand script block pick up the new permissions without having to log out/on? How are we doing it in the User Profile Sync Service? Thanks |
|
@NikCharlebois I could certainly be wrong, but on first glance, it looks to me like the difference is that the sync service doesn't try to run any process AS the farm account. Instead, it looks up the farm account name and password and passes those values to $ups.SetSynchronizationMachine where $ups is the object returned from Get-SPServiceApplication. So the DSC module isn't trying to create a new process using different credentials, which would violate the 2-hop rule that CredSSP was being used for previously. On the other hand, the SPUserProfileServiceApp resource needs to run New-SPProfileServiceApplication under the context of the farm credential. Assuming we run the resource as the setup account (because of local admin), the resource would then need to invoke another process under the farm credential in order to do this. I think that, at least in the near term, @ykuijs is right in that re-enabling CredSSP is the best/only way to get this working again. Maybe we can figure out a way to get around this in the future, but I think the minimal risk tied to CredSSP is acceptable to get this high profile functionality working again. Maybe we could CYA by linking to articles/documentation about CredSSP that explains the risks and how to set it up properly to only allow delegating across secure channels/servers. |
|
The Sync Service resource does two things:
@ronx: |
ykuijs
removed
the
needs investigation
|
Closed via PR #775 |
Details of the scenario you try and problem that is occurring:
I've executed the SPUserProfileServiceApp resource with the SharePoint Setup account as the PsDscRunAsCredential, also the account used in the examples. When the resource executes it thows an error that it should be the farm account.
I then changed the PsDscRunAsCredential to the FarmAccount, i then get the following:
VERBOSE: [SPDFSP2]: [[SPUserProfileServiceApp]UserProfileServiceApp] Creating user profile service application User Profile Service Application
Exception calling "Add" with "1" argument(s): "Access is denied.
"
+ CategoryInfo : NotSpecified: (:) [], CimException
+ FullyQualifiedErrorId : CatchFromBaseAdapterMethodInvokeTI
+ PSComputerName : SPDFSP2
Service 'SharePoint Timer Service (SPTimerV4)' cannot be stopped due to the following error: Cannot open SPTimerV4 service on computer '.'.
+ CategoryInfo : CloseError: (System.ServiceProcess.ServiceController:) [], CimException
+ FullyQualifiedErrorId : CouldNotStopService,Microsoft.PowerShell.Commands.RestartServiceCommand
+ PSComputerName : SPDFSP2
VERBOSE: [SPDFSP2]: [[SPUserProfileServiceApp]UserProfileServiceApp] Executing as the local run as user CONTOSO\spfarm
VERBOSE: [SPDFSP2]: [[SPUserProfileServiceApp]UserProfileServiceApp] Leaving BeginProcessing Method of Get-SPServiceApplication.
VERBOSE: [SPDFSP2]: [[SPUserProfileServiceApp]UserProfileServiceApp] Leaving ProcessRecord Method of Get-SPServiceApplication.
VERBOSE: [SPDFSP2]: [[SPUserProfileServiceApp]UserProfileServiceApp] Leaving EndProcessing Method of Get-SPServiceApplication.
VERBOSE: [SPDFSP2]: [[SPUserProfileServiceApp]UserProfileServiceApp] Leaving BeginProcessing Method of New-SPProfileServiceApplication.
VERBOSE: [SPDFSP2]: [[SPUserProfileServiceApp]UserProfileServiceApp] Performing the operation "New-SPProfileServiceApplication" on target "User Profile Service Application".
VERBOSE: [SPDFSP2]: [[SPUserProfileServiceApp]UserProfileServiceApp] Leaving ProcessRecord Method of New-SPProfileServiceApplication.
VERBOSE: [SPDFSP2]: LCM: [ End Set ] [[SPUserProfileServiceApp]UserProfileServiceApp] in 65.1490 seconds.
PowerShell DSC resource MSFT_SPUserProfileServiceApp failed to execute Set-TargetResource functionality with error message: Access denied. Only machine administrators are allowed to create administration service job definitions of type:
Microsoft.SharePoint.Administration.SPServiceApplicationInstanceProvisioningJobDefinition, Microsoft.SharePoint, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c.
+ CategoryInfo : InvalidOperation: (:) [], CimException
+ FullyQualifiedErrorId : ProviderOperationExecutionFailure
+ PSComputerName : SPDFSP2
I suspect the issue is that the FarmAccount cannot add itself to the Admin group. The FarmAccount is not an administrator on any of the SP Servers, only the SetupAccount.
The DSC configuration that is using the resource:
SPUserProfileServiceApp UserProfileServiceApp
{
Ensure = "Present"
Name = $ConfigurationData.NonNodeData.SharePoint.UserProfileService.Name
ApplicationPool = $ConfigurationData.NonNodeData.SharePoint.Services.ApplicationPoolName
MySiteHostLocation = $ConfigurationData.NonNodeData.SharePoint.UserProfileService.MySiteUrl
ProfileDBName = $ConfigurationData.NonNodeData.SharePoint.UserProfileService.ProfileDB
ProfileDBServer = $ConfigurationData.NonNodeData.SQLServer.ServiceAppDatabaseServer
SocialDBName = $ConfigurationData.NonNodeData.SharePoint.UserProfileService.SocialDB
SocialDBServer = $ConfigurationData.NonNodeData.SQLServer.ServiceAppDatabaseServer
SyncDBName = $ConfigurationData.NonNodeData.SharePoint.UserProfileService.SyncDB
SyncDBServer = $ConfigurationData.NonNodeData.SQLServer.ServiceAppDatabaseServer
PsDscRunAsCredential = $SPSetupAccount
DependsOn = @('[SPServiceAppPool]MainServiceAppPool', '[SPManagedMetaDataServiceApp]ManagedMetadataServiceApp', '[SPManagedAccount]WebPoolManagedAccount')
}
Version of the Operating System and PowerShell the DSC Target Node is running:
Windows 2016
Version of the DSC module you're using:
2.0.0.0
The text was updated successfully, but these errors were encountered: