microsoft / SharePointDSC.Reverse

Extracts a Desired State Configuration Script from an existing SharePoint Farm
MIT License

Providing farm account doesn't work #41

Closed KoenZomers closed 6 years ago

KoenZomers commented 6 years ago

Details of the scenario you try and problem that is occurring: Running SharePointDSC.Reverse.ps1 prompts me for an account with SharePoint farm credentials. When I provide the SharePoint farm account it soon runs into this error:

Specified PSDSCRunAsCredential (contosoltd\student) isn't the Farm Account. Make sure the specified PSDSCRunAsCredential is the Farm Account and try again At C:\program files\windowspowershell\modules\sharepointdsc\2.0.0.0\DSCResources\MSFT_SPUserProfileServiceApp\MSFT_SPUserProfileServiceApp.psm1:93 char:21

The account it reports is the account under which I'm logged in to the SharePoint 2016 environment. It's not the account that I provided in the credentials box. It seems to ignore whatever I enter in the credentials box and always take the currently logged on account.

Is it mandatory to connect through remote desktop to the SharePoint machine using the farm account? Just tested running the script while logging on to my test box with the SharePoint farm account and then it runs fine.

The DSC configuration that is using the resource: ?

Version of the Operating System and PowerShell the DSC Target Node is running: Windows 2016 RTM

Version of the DSC module you're using: Downloaded today (January 12, 2018)

NikCharlebois commented 6 years ago

@KoenZomers the user you are connected with needs to be a Shell Admin (Add-SPShellAdmin) for the snapin to load properly. I will be keeping this issue open for us to look at potential alternatives. We have added this to our backlog. Can you try connecting with such a user account and let me know of the outcome? Thanks

KoenZomers commented 6 years ago

@NikCharlebois that student account has full farm rights and is a local admin on this 1 box test farm. I even tried hardcoding in the PS1 that it should use contosoltd\sp-farm which is the farm account, but still it would switch to the current user somewhere down the line.

Did you yourself always log on to the SharePoint box with the farm account when you executed the script?

KoenZomers commented 6 years ago

I can provide you remote access to this test box by the way, if it helps in nailing down the problem.

NikCharlebois commented 6 years ago

@KoenZomers Do you know what step fails? Is it at: Scanning Farm Administrator(s)... by any chance?

KoenZomers commented 6 years ago

There's one error at the start:

[ SPDEV ] Scanning the SharePoint Farm...
VERBOSE: Executing as the local run as user contosoltd\student
VERBOSE: Leaving BeginProcessing Method of Get-SPFarm.
VERBOSE: Leaving ProcessRecord Method of Get-SPFarm.
VERBOSE: Leaving EndProcessing Method of Get-SPFarm.
VERBOSE: Leaving BeginProcessing Method of Get-SPDatabase.
VERBOSE: Leaving ProcessRecord Method of Get-SPDatabase.
VERBOSE: Leaving EndProcessing Method of Get-SPDatabase.
VERBOSE: Leaving BeginProcessing Method of Get-SPWebApplication.
VERBOSE: Leaving ProcessRecord Method of Get-SPWebApplication.
VERBOSE: Leaving EndProcessing Method of Get-SPWebApplication.
VERBOSE: Leaving BeginProcessing Method of Get-SPWebApplication.
VERBOSE: Leaving ProcessRecord Method of Get-SPWebApplication.
VERBOSE: Leaving EndProcessing Method of Get-SPWebApplication.
VERBOSE: Leaving BeginProcessing Method of Get-SPServiceInstance.
VERBOSE: Leaving ProcessRecord Method of Get-SPServiceInstance.
VERBOSE: Leaving EndProcessing Method of Get-SPServiceInstance.
VERBOSE: Leaving BeginProcessing Method of Get-SPServer.
VERBOSE: Leaving ProcessRecord Method of Get-SPServer.
VERBOSE: Leaving EndProcessing Method of Get-SPServer.
Exception calling "Add" with "2" argument(s): "Item has already been added. Key in dictionary: 'ServerRole'  Key being
added: 'ServerRole'"
At C:\Program Files\WindowsPowerShell\Scripts\SharePointDSC.Reverse.ps1:786 char:7
+       $results.Add("ServerRole", "`$Node.ServerRole")
+       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : ArgumentException

And it halts at this section:

[ SPDEV ] Scanning User Profile Service Application(s)...
Scanning User Profile Service Application [1/1] {User Profile Service Application}
VERBOSE: Executing as the local run as user contosoltd\student
VERBOSE: Leaving BeginProcessing Method of Get-SPFarm.
VERBOSE: Leaving ProcessRecord Method of Get-SPFarm.
VERBOSE: Leaving EndProcessing Method of Get-SPFarm.
Specified PSDSCRunAsCredential (contosoltd\student) isn't the Farm Account. Make sure the specified
PSDSCRunAsCredential is the Farm Account and try again
At C:\program files\windowspowershell\modules\sharepointdsc\2.0.0.0\DSCResources\MSFT_SPUserProfileServiceApp\MSFT_SPUs
erProfileServiceApp.psm1:93 char:21
+ ...             throw ("Specified PSDSCRunAsCredential ($localaccount) is ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (Specified PSDSC...t and try again:String) [], RuntimeException
    + FullyQualifiedErrorId : Specified PSDSCRunAsCredential (contosoltd\student) isn't the Farm Account. Make sure th
   e specified PSDSCRunAsCredential is the Farm Account and try again

NikCharlebois commented 6 years ago

First error is solved and will be included in my next PR.

The second one is related to a bug in the actual SharePointDSC 2.0.0.0 module: https://github.com/PowerShell/SharePointDsc/issues/709

The team is still evaluating the best course of action to get this fixed ASAP. In the meantime, please make sure you run the script using the Farm Account. Thanks @KoenZomers for reporting this.

KoenZomers commented 6 years ago

Thanks for picking this up so quickly.

It's probably a good idea to make mention of the "run as farm admin" requirement on the homepage. Do you want me to do a pull request with a suggestion for the updated text or will you update it yourself?

NikCharlebois commented 6 years ago

@KoenZomers everyone is welcome and encouraged to make contributions. It'd be great if you had time to submit a PR. Thanks

KoenZomers commented 6 years ago

@NikCharlebois, done!

NikCharlebois commented 6 years ago

@KoenZomers PR merged. Thank you sir!

JeffChristman commented 6 years ago

Has this issue been resolved? I am having this issue also. Have logged in as farm account, made sure of shell access, still does not work.

NikCharlebois commented 6 years ago

@JeffChristman me and the rest of the SharePointDSC team are still analyzing our options. The problem that currently remains is that if you are connecting as the farm account, then the SPUserProfileServiceApp resource complains. The best recommendation so far is to run the script as an account that is not the Farm Account, but that has farm admin privileges, and to provide the farm account credentials when prompted at the beginning of the execution.

JeffChristman commented 6 years ago

Thanks for the feedback.

We got it working by RDP to the server as a regular user (Non-Admin, Non-Farm User)

  1. Starting PowerShell in elevated privileges (Run As Admin)

  2. Start the Reverse Script

  3. When it asks for Authentication, I give it the Non-Farm account but local admin account to the server I am logged into.

I hope this makes sense

Thanks