Esri / arcgis-powershell-dsc

This repository contains scripts, code and samples for automating the install and configuration of ArcGIS (Enterprise and Desktop) using Microsoft Windows PowerShell DSC (Desired State Configuration).
Apache License 2.0

PSDSC Upgrade: Error 28809 - Could not validate the credentials; Culprit is special characters in the password #309

Closed pfoppe closed 2 years ago

pfoppe commented 3 years ago

Community Note

Module Version

Affected Resource(s)

Configuration Files

For the relevant section of the .json file -

{
    "ConfigData": {
        "Credentials": {
            "ServiceAccount": {
                "Password": "<my_password_with_special_char_like_^_or_&>",
                "UserName": "<domain>\\<username>",
                "IsDomainAccount": true
            },
            "ADServiceUser": {
                "Password": "<my_password_with_special_char_like_^_or_&>",
                "UserName": "<domain>\\<username>",
                "IsDomainAccount": true
            }
        }
    }
}

Expected Behavior

This occurred during an upgrade from v10.7.1 to v10.8.1.

Expect the product should have been upgraded from 10.7.1 to 10.8.1

Actual Behavior

The PowerShell DSC execution failed with the following message:

Trace-DSCJob : 3/15/2021 1:21:31 PM: PowerShell DSC resource ArcGIS_Install  failed to execute Set-TargetResource functionality with error message: Failed to Install ServerWebAdaptor
At C:\Program Files\WindowsPowerShell\Modules\ArcGIS\3.1.1\ArcGIS.psm1:237 char:5
+     Trace-DSCJob -Job $Job -JobName $ConfigurationName -DebugMode $De ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Trace-DSCJob

Trace-DSCJob : 3/15/2021 1:21:31 PM: The SendConfigurationApply function did not succeed.
At C:\Program Files\WindowsPowerShell\Modules\ArcGIS\3.1.1\ArcGIS.psm1:237 char:5
+     Trace-DSCJob -Job $Job -JobName $ConfigurationName -DebugMode $De ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Trace-DSCJob

And the Windows event log shows the following: [image]

Steps to Reproduce

Set up a .json file with a special character in the password for "ServiceAccount" and "ADServiceUser".

Specifically... the "&" character is a problem. We suspect "^" is also a problem but that was not confirmed.

Important Factoids

My objective is:

1) At a minimum, update the wiki and document what special characters are not supported
2) Support these special characters (ideally)

We are running on premise. Our AD Service account passwords update every 60 days per our IT Security policies. Every time we run a PSDSC execution, the .json file passwords are updated (prior to executing).

Many of our deployments use the same credentials. We update the passwords outside of PSDSC (we have scripts that take care of it). For this issue... we had to re-set the password and update it on all deployments before we could finish this upgrade.

I suspect the limitation is related to a Windows command-line limitation. To reproduce some of this outside of PSDSC, we attempted a 'silent upgrade' from command line - https://enterprise.arcgis.com/en/portal/latest/administer/windows/upgrade-data-store.htm#ESRI_SECTION1_985D148F08A448F3AE0C2097DF617FCD

Basically -

1) Open cmd.exe as administrator
2) Navigate to the install directory
3) Attempted an upgrade from command line -

\Setup.exe /qb USER_NAME=myaccount PASSWORD=mypassword

This also failed when we have "&" in the password. It appears that if you were to 'quote' the passwords it may fix the issue. EX -

\Setup.exe /qb USER_NAME=myaccount PASSWORD="mypassword"

REF - https://github.com/Esri/arcgis-powershell-dsc/blob/bd004e9b12fe31bf47918a9c1cf690e95640f414/Modules/ArcGIS/Configurations-OnPrem/Upgrades/DataStoreUpgradeInstall.ps1#L50

Although I'm not confident on that.

References

Related to this (but not the same) - https://github.com/Esri/arcgis-powershell-dsc/issues/258

cameronkroeker commented 3 years ago

Hi @pfoppe,

Your assumption is correct, the password should be being passed in within quotes, otherwise some special characters get escaped. To achieve this in powershell we need to add `" `" around the password.

This will be addressed in the next release of the ArcGIS Module. However, in the meantime here is a workaround that can be used. I recommend using v3.2.0 and making the following changes in 3 spots:

1. https://github.com/Esri/arcgis-powershell-dsc/blob/78e488fc0aac6f8f4cdf574e1bdb50a7d39ed350/Modules/ArcGIS/DSCResources/ArcGIS_Install/ArcGIS_Install.psm1#L215

Update to:

$Arguments += " PASSWORD=`"$($ServiceCredential.GetNetworkCredential().Password)`"";

2. https://github.com/Esri/arcgis-powershell-dsc/blob/78e488fc0aac6f8f4cdf574e1bdb50a7d39ed350/Modules/ArcGIS/DSCResources/ArcGIS_Service_Account/ArcGIS_Service_Account.psm1#L169

Update to:

$Arguments += " /password `"$($RunAsAccount.GetNetworkCredential().Password)`""

3. https://github.com/Esri/arcgis-powershell-dsc/blob/78e488fc0aac6f8f4cdf574e1bdb50a7d39ed350/Modules/ArcGIS/DSCResources/ArcGIS_Service_Account/ArcGIS_Service_Account.psm1#L174

Update to:

$Arguments += " --password `"$($RunAsAccount.GetNetworkCredential().Password)`""

However, keep in mind that if using module v3.1.1, there are likely other/additional changes required, such as:

https://github.com/Esri/arcgis-powershell-dsc/blob/bd004e9b12fe31bf47918a9c1cf690e95640f414/Modules/ArcGIS/Configurations-OnPrem/Upgrades/DataStoreUpgradeInstall.ps1#L50

Update to:

Arguments = "/qb USER_NAME=$($ServiceAccount.UserName) PASSWORD=`"$($ServiceAccount.GetNetworkCredential().Password)`""; 

Thanks, Cameron K.

pfoppe commented 3 years ago

Thanks for the response and including it in the product plan. We actually just ran into this again last week and we just updated the password to remove the special character.

For now, we will keep apprised of this and try to avoid the special characters. Thanks again!

scma-esrich commented 3 years ago

@cameronkroeker, your proposed fix would also work for https://github.com/Esri/arcgis-powershell-dsc/issues/258 (passwords containing | and '), I assume?

cameronkroeker commented 3 years ago

> @cameronkroeker, your proposed fix would also work for #258 (passwords containing | and '), I assume?

Hi @scma-esrich,

The pipe | symbol may still cause issues during an install/upgrade even outside of DSC. I suspect it to be an issue with the setup.exe not being able to properly escape it. This is reproducible by manually running the Setup.exe via the GUI, as well as a manual silent install (including quotes doesn't help for |):

setup.exe /qb USER_NAME=arcgis PASSWORD="Pa$$w0rd|Pa$$w0rd"

The installation will complete, but the service account is set to LocalSystem rather than the specified USER_NAME.

However, I can confirm though that the following characters will work with above suggested workaround: &^)%$*@!

As for #258 additional testing still needs to be done to confirm if the above workaround will suffice or not.

Thanks, Cameron K.

cameronkroeker commented 2 years ago

Hello @pfoppe and @scma-esrich,

We have included a fix in v3.3.0 that will allow most special characters such as &^)%$*@!. However, there are still certain limitations that come from the actual Setup itself with using special characters like |.

Thanks, Cameron K.
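
A pre-flight check built from the findings in this thread, added here as an example and not code from the ArcGIS module: it refuses passwords containing `|` (reported above to fail even when quoted), warns on `'` (issue #258, unconfirmed), and otherwise builds the argument string with the quoted PASSWORD value from the workaround. The function names and the sample account and password are assumptions, as is treating an embedded `"` as unsupported.

```powershell
# Added example; function names and sample values are hypothetical.
function Test-SetupPasswordCharacters {
    param([Parameter(Mandatory)][string]$Password)
    # '|' : reported in this thread to break Setup.exe even inside quotes.
    # '"' : would end the quoted PASSWORD="..." value early (assumption, not tested in the thread).
    # "'" : issue #258, not confirmed either way in the thread.
    $blocked  = @('|', '"')
    $untested = @("'")
    [pscustomobject]@{
        Blocked  = @($blocked  | Where-Object { $Password.Contains($_) })
        Untested = @($untested | Where-Object { $Password.Contains($_) })
    }
}

function New-SetupArgumentString {
    param([Parameter(Mandatory)][pscredential]$Credential)

    $plain = $Credential.GetNetworkCredential().Password
    $check = Test-SetupPasswordCharacters -Password $plain

    if ($check.Blocked.Count -gt 0) {
        # Report only the offending characters, never the password itself.
        throw "Password contains characters Setup.exe cannot accept: $($check.Blocked -join ' ')"
    }
    if ($check.Untested.Count -gt 0) {
        Write-Warning "Password contains characters not confirmed to work: $($check.Untested -join ' ')"
    }

    # Same quoting as the workaround: backtick-escaped double quotes around the value,
    # so characters such as & and ^ reach Setup.exe as part of the password.
    "/qb USER_NAME=$($Credential.UserName) PASSWORD=`"$plain`""
}

# Constructed sample credential using characters the thread confirms as working.
$secure = ConvertTo-SecureString 'Pa$$w0rd&^)%' -AsPlainText -Force
$cred   = [pscredential]::new('CONTOSO\svc_arcgis', $secure)
New-SetupArgumentString -Credential $cred
```

Running the check before each DSC execution catches a rotated password that Setup.exe would reject, instead of discovering it through error 28809 or a service silently left as LocalSystem.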