Open marshalexander99 opened 7 months ago
After some more troubleshooting (how foolish of me for thinking that RunAsPassword would take a secure variable input for the password...), I now have the following script that works. What I can't do is perform Get-ADDomain, which is a key step in automating the domain join of storage accounts.

```powershell
# Runs $script on the VM as scriptadmin; stdout and stderr land in the two blobs.
Set-AzVMRunCommand -ResourceGroupName $vmrg -VMName $vm `
    -RunCommandName getdomaininfo -Location "uksouth" `
    -RunAsUser 'company.local\scriptadmin' -RunAsPassword 'PlainTextPassword' `
    -SourceScriptUri $script `
    -ErrorBlobUri $errorblob -OutputBlobUri $outputblob `
    -TimeoutInSecond 30
```
Here is the error output from the errorblob stream:

```text
C:\Packages\Plugins\Microsoft.CPlat.Core.RunCommandHandlerWindows\2.0.8\Downloads\Script_getdomaininfo_0.ps1 : Unable
to contact the server. This may be because this server does not exist, it is currently down, or it does not have the
Active Directory Web Services running.
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Script_getdomaininfo_0.ps1
```
The server is not a domain controller; it does have the AD PowerShell module installed, and running the script locally works fine. I can see the Kerberos authentication service and Kerberos service ticket operations requesting access, but it gets rejected.
I have followed this to try to get it working, but to no avail: Resource-Based Kerberos Constrained Delegation. I can only assume this is the reason the AD error occurs.
The `Get-ADDomain` cmdlet works locally but fails when using `Set-AzVMRunCommand`. Let me involve the Compute team.
Hello @marshalexander99, have you successfully run this PowerShell script on the local machine, using a PowerShell window that is running as "scriptadmin@company.local"?
Yes. No issues doing that as you don't have the double hop issue.
Thank you for the quick confirmation. I am reviewing this with the dev team.
@marshalexander99, does the command Get-ADDomain work when the RunAsUser parameter is not used? If so, could you possibly use that workaround until the issue is investigated and fixed? We've had similar issues reported in the past with other commands when the RunAsUser parameter is used. We are tracking the issue using Bug 24542208: RC2W RunAsUser - Some commands not working when RunAsUser parameter is used
Hi. That would only work if we grant the computer account that the Run Command runs as (the commands run as SYSTEM, I believe) permission to create the necessary objects in AD, which I don't believe to be a suitable solution at this moment in time. While the Get-ADDomain command would work, as all AD objects can be read, none of the others that actually perform actions on AD would work without appropriate permission delegation.
Is there any update on this? We're seeing more and more requests to domain-join storage accounts, and being able to do this as part of an IaC deployment without significant additional work would be advantageous.
@marshalexander99, This looks expected to me. Set-AzVMRunCommand would not provide any necessary permissions to RunAsUser to perform AD operations. We won't be able to do that. It is on the user/owner of the VM to provide the necessary permissions to RunAsUser before running Set-AzVMRunCommand.
That's what the error message you provided highlights.
Debugging option: Are you able to accomplish the same AD operations without using Run Command and RunAsUser (using Set-AzVMRunCommand)? Say, remote into that VM as that user and execute the AD operations? If you are not able to do so, Set-AzVMRunCommand just mirrors the permissions held by that user on the VM, similar to what you can do after logging in as RunAsUser directly on the VM.
I have provided the necessary permissions to the user specified in the Run Command... All domain user accounts have permission to run Get-ADDomain and view domain info. I can do everything required when logging in directly; the Run Command is the issue here.
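The maintainer's debugging suggestion amounts to comparing what the RunAsUser logon session can do with what the same account can do when logged on directly. The following is an added example of mine, not the issue author's script and not anything shipped with the Az module, that turns that comparison into a single run command and, at the same time, keeps the password out of a literal in the calling script. It reuses the thread's own `$vmrg`, `$vm`, `$script`, `$errorblob` and `$outputblob` variables; the run-command name `diagaddomain` and the script parameter names `DomainUser`/`DomainPassword` are my own choices, and the block assumes that values passed with `-ProtectedParameter` are bound to the script as named parameters (check this against the handler version on your VM). `RunAsPassword` still only accepts a plain string, exactly as the author found, so the secret is unwrapped at the last moment rather than typed into the script.

```powershell
# Added example: diagnose why Get-ADDomain fails under RunAsUser, and push the
# script without a plaintext password literal. Not code from the issue or Az.
# Assumption: -ProtectedParameter values arrive in the script as named parameters.

# ---- Part 1: the diagnostic script that runs on the VM as RunAsUser ----
$diagScript = @'
param(
    [string]$DomainUser,      # hypothetical name, supplied via -ProtectedParameter
    [string]$DomainPassword   # hypothetical name, supplied via -ProtectedParameter
)
$ErrorActionPreference = 'Continue'
Import-Module ActiveDirectory -ErrorAction Stop

# 1. Which identity, groups and logon session did the handler actually give us?
'== whoami /all =='
whoami /all
'== klist (Kerberos tickets held by this logon session) =='
klist

# 2. Is the machine's own secure channel to the domain healthy?
'== Test-ComputerSecureChannel =='
Test-ComputerSecureChannel -Verbose

# 3. Try AD Web Services three ways and report which ones succeed.
$domain = if ($env:USERDNSDOMAIN) { $env:USERDNSDOMAIN }
          else { (Get-CimInstance Win32_ComputerSystem).Domain }
$attempts = [ordered]@{
    'implicit (RunAsUser logon session)' = { Get-ADDomain }
    'explicit -Server'                   = { Get-ADDomain -Server $domain }
}
if ($DomainUser -and $DomainPassword) {
    $sec  = ConvertTo-SecureString $DomainPassword -AsPlainText -Force
    $cred = [pscredential]::new($DomainUser, $sec)
    $attempts['explicit -Server -Credential'] = { Get-ADDomain -Server $domain -Credential $cred }
}
foreach ($name in $attempts.Keys) {
    try {
        $d = & $attempts[$name]
        "OK   [$name] DNSRoot=$($d.DNSRoot) PDC=$($d.PDCEmulator)"
    } catch {
        "FAIL [$name] $($_.Exception.Message)"
    }
}
'@

# ---- Part 2: push it from the operator's session ----
$runAs  = 'company.local\scriptadmin'
# Prompt (or pull from Key Vault) instead of a literal; unwrap only for the call.
$secret = Read-Host -Prompt "Password for $runAs" -AsSecureString
$plain  = [System.Net.NetworkCredential]::new('', $secret).Password

Set-AzVMRunCommand -ResourceGroupName $vmrg -VMName $vm -Location 'uksouth' `
    -RunCommandName 'diagaddomain' `
    -RunAsUser $runAs -RunAsPassword $plain `
    -SourceScript $diagScript `
    -ProtectedParameter @{ Name = 'DomainUser'; Value = $runAs },
                        @{ Name = 'DomainPassword'; Value = $plain } `
    -ErrorBlobUri $errorblob -OutputBlobUri $outputblob `
    -TimeoutInSecond 120
```

The output blob then shows, side by side, the logon session the handler created (`whoami /all`, `klist`) and which of the three `Get-ADDomain` variants succeeded. If only the `-Credential` variant works, the account's rights are fine and the problem is that the RunAsUser session holds no usable Kerberos credentials, which is the double-hop symptom described above; if all three fail, look at the account or at network reachability of AD Web Services first.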
@marshalexander99, Could you confirm this: are you able to accomplish the desired operations as that RunAsUser without using any Run Command? Say, execute a PowerShell script as that user on that VM directly?
Yes
@marshalexander99, Could you let me know the steps you used to install the ActiveDirectory module? I'll try to repro on my end.
Installed via Server Manager as part of the RSAT tools.
On Wed, 12 Jun 2024 at 16:29, Viv Lingaiah wrote:
@marshalexander99 https://github.com/marshalexander99, Could you let me know the steps you used to install the ActiveDirectory module? I'll try to repro on my end.
Description
When running a simple script of:
I constantly get an error on the VM stating that the username or password is incorrect when it is run via Set-AzVMRunCommand.
When running via a Bicep deployment I get constant errors about not being able to find the domain when trying to perform something.
Error from the runcommandhandler status output with PowerShell
This is the error which is generated in the blob when running the bicep for the same script and credentials
How do I perform simple domain activities using the runcommand functionality?
Issue script & Debug output
Environment data
Module versions
Error output
No response