chocolatey / chocolatey-licensed-issues

Issues for Licensed Editions of Chocolatey

Install-ChocolateyWindowsService fails to run remotely due to double-hop authentication #392

Open sync-by-unito[bot] opened 1 month ago

sync-by-unito[bot] commented 1 month ago

What You Are Seeing?

Several users have attempted to install Chocolatey Agent with a specific domain service account, and it's failed during the installation due to Kerberos double-hop. This has been using Ansible, or PowerShell remoting. The failure is not due to the account being incorrectly created, but instead because the logic used to validate the account fails to authenticate to the domain when checking the account is in groups, etc.

There is, I think, no current way to simply pass an existing domain account to a remote system and have it succeed installation.

This will likely also fail if business customers attempt to use the Install-ChocolateyWindowsService in their own packages in a similar fashion.

What is Expected?

Users should be able to install this package remotely / with an account that exists and has all the right permissions, even if we can't validate that.

How Did You Get This To Happen? (Steps to Reproduce)

  1. Create a domain controller, and a second Windows machine linked to that domain
  2. Create a domain account with the correct permissions for use as a Chocolatey Agent service account
  3. Install prerequisite packages chocolatey and chocolatey.extension on the second machine
  4. Use Ansible to remotely install Chocolatey Agent on the second Windows machine using a domain account, passing the username and password of the created service account (see example below).
  5. See a message similar to ERROR: Unable to ensure user 'domain\choco_local_admin_account' is part of the Administrators group (S-1-5-32-544). Please run again with '--trace' and file an issue with support@chocolatey.io (attach a zipped copy of the detailed chocolatey.log file).

~~~yaml
- name: Install Chocolatey Agent
  chocolatey.chocolatey.win_chocolatey:
    name: chocolatey-agent
    state: latest
    package_params: '/Username:choco_local_admin_account'
    choco_args:
    - --package-parameters-sensitive
    - /Password:'PasswordGoesHere123!'
~~~

System Details

Output Log

chocolatey.log

~~~
2024-03-06 11:51:20,509 11900 [DEBUG] - ---------------------------Script Execution---------------------------
2024-03-06 11:51:20,511 11900 [DEBUG] - Running 'ChocolateyScriptRunner' for chocolatey-agent v2.1.0 with packageScript 'C:\ProgramData\chocolatey\lib\chocolatey-agent\tools\chocolateyinstall.ps1', packageFolder:'C:\ProgramData\chocolatey\lib\chocolatey-agent', installArguments: '', packageParameters: '/Username:bluelizard\exec_choco_local_adm', preRunHookScripts: '', postRunHookScripts: '',
2024-03-06 11:51:20,521 11900 [DEBUG] - Running package script 'C:\ProgramData\chocolatey\lib\chocolatey-agent\tools\chocolateyinstall.ps1'
2024-03-06 11:51:20,559 11900 [DEBUG] - Running Get-PackageParameters
2024-03-06 11:51:20,563 11900 [DEBUG] - Parsing $env:ChocolateyPackageParameters and $env:ChocolateyPackageParametersSensitive for parameters
2024-03-06 11:51:20,565 11900 [DEBUG] - Sensitive parameters detected, no logging of parameters.
2024-03-06 11:51:20,603 11900 [DEBUG] - Running licensed 'Install-ChocolateyWindowsService' -Name 'chocolatey-agent' -DisplayName 'Chocolatey Agent' -StartupType 'Automatic' -Username 'bluelizard\exec_choco_local_adm' -ServiceExecutablePath 'C:\ProgramData\chocolatey\lib\chocolatey-agent\tools\service\chocolatey-agent.exe'
2024-03-06 11:51:20,631 11900 [DEBUG] - Found existing Windows service named 'chocolatey-agent' installed.
2024-03-06 11:51:20,633 11900 [DEBUG] - Windows service 'chocolatey-agent' is not installed
2024-03-06 11:51:20,641 11900 [DEBUG] - Ensuring 'bluelizard\exec_choco_local_adm' is a member of Administrators.
2024-03-06 11:51:20,649 11900 [DEBUG] - User is part of domain 'bluelizard'. Switching to domain principal context.
2024-03-06 11:51:20,828 11900 [ERROR] - Unable to ensure 'S-1-5-32-544' local group membership for 'bluelizard\exec_choco_local_adm': An operations error occurred.
2024-03-06 11:51:20,836 11900 [ERROR] - ERROR: Unable to ensure user 'bluelizard\exec_choco_local_adm' is part of the Administrators group (S-1-5-32-544). Please run again with '--trace' and file an issue with support@chocolatey.io (attach a zipped copy of the detailed chocolatey.log file).
2024-03-06 11:51:20,839 11900 [DEBUG] - Built-in PowerShell host called with ['[System.Threading.Thread]::CurrentThread.CurrentCulture = '';[System.Threading.Thread]::CurrentThread.CurrentUICulture = '';[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::SystemDefault; & import-module -name 'C:\ProgramData\chocolatey\helpers\chocolateyInstaller.psm1'; & 'C:\ProgramData\chocolatey\helpers\chocolateyScriptRunner.ps1' -packageScript 'C:\ProgramData\chocolatey\lib\chocolatey-agent\tools\chocolateyinstall.ps1' -installArguments '' -packageParameters '/Username:bluelizard\exec_choco_local_adm' -preRunHookScripts $null -postRunHookScripts $null'] exited with '-1'.
2024-03-06 11:51:20,842 11900 [DEBUG] - Calling command ['"C:\WINDOWS\System32\shutdown.exe" /a']
2024-03-06 11:51:20,913 11900 [DEBUG] - Command ['"C:\WINDOWS\System32\shutdown.exe" /a'] exited with '1116'
2024-03-06 11:51:21,106 11900 [DEBUG] - Capturing package files in 'C:\ProgramData\chocolatey\lib\chocolatey-agent'
~~~

Similarly, during PowerShell remoting:

~~~
[Env] setting licensed environment variables.
Ensuring user 'MITLL\svc-g38-software' exists in group 'S-1-5-32-544'
Error: System.DirectoryServices.DirectoryServicesCOMException (0x80072020): An operations error occurred.

   at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
   at System.DirectoryServices.DirectoryEntry.Bind()
   at System.DirectoryServices.DirectoryEntry.get_AdsObject()
   at System.DirectoryServices.PropertyValueCollection.PopulateList()
   at System.DirectoryServices.PropertyValueCollection..ctor(DirectoryEntry entry, String propertyName)
   at System.DirectoryServices.PropertyCollection.get_Item(String propertyName)
   at System.DirectoryServices.AccountManagement.PrincipalContext.DoLDAPDirectoryInitNoContainer()
   at System.DirectoryServices.AccountManagement.PrincipalContext.DoDomainInit()
   at System.DirectoryServices.AccountManagement.PrincipalContext.Initialize()
   at System.DirectoryServices.AccountManagement.PrincipalContext.get_QueryCtx()
   at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithTypeHelper(PrincipalContext context, Type principalType, Nullable`1 identityType, String identityValue, DateTime refDate)
   at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithType(PrincipalContext context, Type principalType, IdentityType identityType, String identityValue)
   at System.DirectoryServices.AccountManagement.UserPrincipal.FindByIdentity(PrincipalContext context, IdentityType identityType, String identityValue)
   at chocolatey.licensed.infrastructure.app.utility.LocalSecurityUtility.EnsureLocalGroupMembership(String userName, String groupName)
Unable to ensure 'S-1-5-32-544' local group membership for 'MITLL\svc-g38-software':
An operations error occurred.

ERROR: Unable to ensure user 'MITLL\svc-g38-software' is part of the Administrators group (S-1-5-32-544). Please run again with '--trace' and file an issue with support@chocolatey.io (attach a zipped copy of the detailed chocolatey.log file).
~~~

Related Issues and Tickets

Issue is synchronized with this Gitlab issue by Unito
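The two failures above share one root cause: the membership check switches to a domain `PrincipalContext`, which binds to the domain controller with the remote session's own token, and a non-delegated WinRM session carries no network credentials for that second hop, so `DirectoryEntry.Bind` fails with 0x80072020. The following diagnostic is an added example, not Chocolatey's code and not the licensed `Install-ChocolateyWindowsService` helper; it assumes a domain-joined Windows host, Windows PowerShell 5.1 or later, and that it is run inside the same remote session (`Invoke-Command` or an Ansible `win_shell` task) that will perform the install. Function names are mine, and `domain\choco_local_admin_account` is the issue's placeholder, not a real principal. It first reproduces the domain bind in isolation, then answers the real question (is the account already in S-1-5-32-544?) through the local SAM, which needs no delegated credential.

```powershell
# Added diagnostic example; not Chocolatey's code. Run inside the remote session
# before installing, to tell a genuine permissions problem apart from a
# Kerberos double-hop failure.

function Test-DomainLdapBind {
    # Binds to the domain's RootDSE with the session's own token. A non-delegated
    # remote session holds no network credentials, so the bind fails with
    # COMException 0x80072020 ("An operations error occurred"), the same failure
    # the issue's stack trace shows under PrincipalContext.DoDomainInit().
    [CmdletBinding()]
    param()
    $root = New-Object System.DirectoryServices.DirectoryEntry('LDAP://RootDSE')
    try {
        $root.RefreshCache()   # forces the actual bind; throws in the double-hop case
        [pscustomobject]@{
            CanBind = $true
            Detail  = [string]$root.Properties['defaultNamingContext'].Value
        }
    }
    catch {
        [pscustomobject]@{ CanBind = $false; Detail = $_.Exception.Message }
    }
    finally {
        $root.Dispose()
    }
}

function Test-LocalAdministratorsMembership {
    # Answers "is $Account in BUILTIN\Administrators (S-1-5-32-544)?" using the
    # local SAM instead of a domain PrincipalContext. Name/SID translation is done
    # by LSA over the computer account's secure channel, so no delegated user
    # credential is needed. Translate() throws if the account does not exist.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Account   # 'DOMAIN\user' form
    )
    $adminsSid = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')
    $targetSid = ([System.Security.Principal.NTAccount]$Account).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value

    try {
        # Preferred path: Microsoft.PowerShell.LocalAccounts (Windows PowerShell 5.1+).
        $memberSids = @((Get-LocalGroupMember -SID $adminsSid -ErrorAction Stop).SID.Value)
    }
    catch {
        # Fallback: the WinNT ADSI provider. Get-LocalGroupMember can throw when the
        # group holds an orphaned SID; the provider simply returns the raw objectSid.
        # The group name is resolved from the SID so localized names still work.
        $groupName = $adminsSid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]
        $group = [ADSI]"WinNT://./$groupName,group"
        $memberSids = @($group.psbase.Invoke('Members') | ForEach-Object {
            $bytes = $_.GetType().InvokeMember('objectSid', 'GetProperty', $null, $_, $null)
            (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
        })
    }

    [pscustomobject]@{
        Account  = $Account
        Sid      = $targetSid
        IsMember = [bool]($memberSids -contains $targetSid)
    }
}

# Usage inside the remote session. The account name is the issue's placeholder.
$bind   = Test-DomainLdapBind
$member = Test-LocalAdministratorsMembership -Account 'domain\choco_local_admin_account'

if (-not $bind.CanBind -and $member.IsMember) {
    $msg = "Account is already a member of Administrators, but the domain bind failed ({0}). " +
           "This is the double-hop symptom, not a missing permission." -f $bind.Detail
    Write-Warning $msg
}
elseif (-not $member.IsMember) {
    Write-Warning "Account $($member.Account) ($($member.Sid)) is not in S-1-5-32-544; fix that first."
}
else {
    Write-Output "Domain bind and local membership both succeed; the install check should pass."
}
```

Reading the result: `CanBind = $false` together with `IsMember = $true` is the situation the issue describes, an account that is correctly provisioned but cannot be validated from this session. The standard ways to make the second hop work are to make a credential available on the target (Kerberos constrained or resource-based delegation for the WinRM endpoint, or CredSSP, which has the drawback of placing a reusable credential on every target and so should be scoped narrowly) or to run the install from a context that logs on locally rather than over the network.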