Bamboo Task throwing error when running under a specific User account

Comments (11)

1. 

   Sergey Podobry

   • changed status to open

   • 2020-10-19T09:24:26+00:00
2. 

   Sergey Podobry

   Hi Daniel!

   Could you provide some additional info:

   • what is OS version?
   • is the agent running as service?
   • under what user account the agent is running?
   • are you using the latest PowerShell Task?

   ‌

   • 2020-10-19T09:27:23+00:00
3. 

   daniel ramazani reporter

   1. The Agent is Windows Server 2016
   2. Yes, its running as a service
   3. I don’t want to share the specific service account name, but the Agent is running under one specific service account which is different from the service account that the team is trying to use
   4. Yes, I’m on 1.2.2 of the Plugin, and our Bamboo Server version is 7.1.2

   ‌

   • 2020-10-19T18:44:11+00:00
4. 

   Sergey Podobry

   Ok, thank you. We’re investigating this.

   • 2020-10-20T17:21:58+00:00
5. 

   daniel ramazani reporter

   Thanks you!! I can reproduce the issue in my UAT environment, so if you’d like me to try any crazy experimenst let me know!

   I noticed that if I input the same account that runs the Bamboo Agent Service, then the RunAs feature works.

   No real surprise there. This makes me think that the error is being caused by some folder permissions of some kind that the RunAs account needs just to execute the most basic of powershell commands.

   Interestingly, I tried doing the RunAs for an account which has local admin on the Agent, and it failed.

   That might not rule out folder permission. Even though the account is an admin, it could still be hitting UAC when it tries to access some resource.

   I’ll probably try granting ownership to pieces of the Bamboo Agent plumbing on the Agent host to see if I can gather any evidence for my hypothesis.

   Let me know if you have any other troubleshooting steps you’d like me to try.

   • 2020-10-22T05:50:59+00:00
6. 

   Sergey Podobry

   Unfortunately the issue is not as simple as it seems, so it will take some more time.

   • 2020-10-29T21:49:05+00:00
7. 

   daniel ramazani reporter

   No problem. If you’d like to work with me via a coordinated session just let me know.

   For now I’ll wait patiently for your response.

   • 2020-10-30T07:41:11+00:00
8. 

   Sergey Podobry

   Hi Daniel!

   We’ve updated the RunAs engine and released a new version of the addon. Could you try the new version and post back results here?

   • 2020-11-09T10:59:33+00:00
9. 

   daniel ramazani reporter

   You’re a genius

   I installed this new version in our UAT environment and tried it. This is what I get now.

   Text: Precondition failed (You should enable 'replace a process level token' privilege in group policies for the current user: ****)
   Error: hasAssignPrimaryTokenPrivilege (PRECOND)
   Source: CreateAsUserStrategy::create:19
   
   HINT: It seems that the current user has no necessary privileges to run a process under another user. Go to a group policy editor and enable them.
   Failing task since return code of [D:\builds\1\AD00000000-TES1-JOB1-32-PowerShellTask-1098285920415994961.exe runconfig D:\builds\1\AD00000000-TES1-JOB1-32-PowerShellTask-5530794359402940662.tmp] was 1 while expected 0
   

   Googling this group policy explains what I need to do to get this working.

   I need some time to get the permission to make this work, but I think its fair to say you can consider this ticket resolved.

   I will report back in a week or two once I’m able to get it fully working.

   • 2020-11-09T18:58:55+00:00
10. 

    Sergey Podobry

    Ok, it seems we are on the right track!

    • 2020-11-09T19:39:15+00:00
11. 

    Sergey Podobry

    • changed status to resolved

    I'm assuming that everything is fine so I'm closing the issue.

    • 2020-12-06T16:59:34+00:00
12. Log in to comment