
ADManagedServiceAccount: The Resource will Incorrectly have an Ensure state of 'Absent' if any of its 'PrincipalsAllowedToRetrieveManagedPassword' no longer exist #512

Closed
X-Guardian opened this issue Sep 24, 2019 · 1 comment · Fixed by #517
Labels
bug The issue is a bug.

Comments

@X-Guardian
Contributor

X-Guardian commented Sep 24, 2019

Details of the scenario you tried and the problem that is occurring

For an ADManagedServiceAccount resource, if any of the PrincipalsAllowedToRetrieveManagedPassword identities on a Group Managed Service Account no longer exist (a server is decommissioned, for example), the Get-TargetResource function will return an Ensure state of Absent for the whole resource. This will cause the LCM to attempt to create the account again, and produce an error as the account already exists.

Verbose logs showing the problem

  {"time": "2019-09-24T16:25:15.475+00:00", "type": "verbose", "message": "[ADFS01-EUW1-SRV]:                            [[ADManagedServiceAccount]AdfsGmsa] Retrieving AD Managed Service Account 'AdfsGmsa'. (MSA0006)"},
  {"time": "2019-09-24T16:25:17.115+00:00", "type": "verbose", "message": "[ADFS01-EUW1-SRV]:                            [[ADManagedServiceAccount]AdfsGmsa] Retrieving Principals Allowed To Retrieve Managed Password based on 'SamAccountName' property. (MSA0013)"},
  {"time": "2019-09-24T16:25:17.459+00:00", "type": "verbose", "message": "[ADFS01-EUW1-SRV]:                            [[ADManagedServiceAccount]AdfsGmsa] AD Managed Service Account 'AdfsGmsa' was not found. (MSA0005)"},
  {"time": "2019-09-24T16:25:17.615+00:00", "type": "verbose", "message": "[ADFS01-EUW1-SRV]:                            [[ADManagedServiceAccount]AdfsGmsa] AD Managed Service Account 'AccountType' is not correct. Expected 'Group', actual ''. (MSA0008)"},
  {"time": "2019-09-24T16:25:17.615+00:00", "type": "verbose", "message": "[ADFS01-EUW1-SRV]:                            [[ADManagedServiceAccount]AdfsGmsa] AD Managed Service Account 'Ensure' is not correct. Expected 'Present', actual 'Absent'. (MSA0008)"},
  {"time": "2019-09-24T16:25:17.631+00:00", "type": "verbose", "message": "[ADFS01-EUW1-SRV]:                            [[ADManagedServiceAccount]AdfsGmsa] AD Managed Service Account 'AdfsGmsa' is NOT in the desired state. (MSA0010)"},
  {"time": "2019-09-24T16:25:17.631+00:00", "type": "verbose", "message": "[ADFS01-EUW1-SRV]: LCM:  [ End    Test     ]  [[ADManagedServiceAccount]AdfsGmsa]  in 2.2490 seconds."},
  {"time": "2019-09-24T16:25:17.631+00:00", "type": "verbose", "message": "[ADFS01-EUW1-SRV]: LCM:  [ Start  Set      ]  [[ADManagedServiceAccount]AdfsGmsa]  "},
  {"time": "2019-09-24T16:25:17.709+00:00", "type": "verbose", "message": "[ADFS01-EUW1-SRV]:                            [[ADManagedServiceAccount]AdfsGmsa] Retrieving AD Managed Service Account 'AdfsGmsa'. (MSA0006)"},
  {"time": "2019-09-24T16:25:17.814+00:00", "type": "verbose", "message": "[ADFS01-EUW1-SRV]:                            [[ADManagedServiceAccount]AdfsGmsa] Retrieving Principals Allowed To Retrieve Managed Password based on 'SamAccountName' property. (MSA0013)"},
  {"time": "2019-09-24T16:25:17.824+00:00", "type": "verbose", "message": "[ADFS01-EUW1-SRV]:                            [[ADManagedServiceAccount]AdfsGmsa] AD Managed Service Account 'AdfsGmsa' was not found. (MSA0005)"},
  {"time": "2019-09-24T16:25:17.918+00:00", "type": "verbose", "message": "[ADFS01-EUW1-SRV]:                            [[ADManagedServiceAccount]AdfsGmsa] Adding AD Managed Service Account 'AdfsGmsa'. (MSA0001)"},
  {"time": "2019-09-24T16:25:18.528+00:00", "type": "verbose", "message": "[ADFS01-EUW1-SRV]: LCM:  [ End    Set      ]  [[ADManagedServiceAccount]AdfsGmsa]  in 0.8980 seconds."},
  {"time": "2019-09-24T16:25:18.528+00:00", "type": "error", "message": "PowerShell DSC resource MSFT_ADManagedServiceAccount  failed to execute Set-TargetResource functionality with error message: System.InvalidOperationException: Error adding AD Managed Service Account 'AdfsGmsa'. (MSA0012) ---> Microsoft.ActiveDirectory.Management.ADIdentityAlreadyExistsException: The specified account already exists ---> System.ServiceModel.FaultException: The supplied entry already exists.\r\n   --- End of inner exception stack trace ---\r\n   at Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowExceptionForExtendedError(String extendedErrorMessage, Exception innerException)\r\n   at Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowExceptionForErrorCode(String message, String errorCode, String extendedErrorMessage, Exception innerException)\r\n   at Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowExceptionForFaultDetail(FaultDetail faultDetail, FaultException faultException)\r\n   at Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowException(AdwsFault adwsFault, FaultException faultException)\r\n   at Microsoft.ActiveDirectory.Management.AdwsConnection.Create(ADAddRequest request)\r\n   at Microsoft.ActiveDirectory.Management.ADWebServiceStoreAccess.Microsoft.ActiveDirectory.Management.IADSyncOperations.Add(ADSessionHandle handle, ADAddRequest request)\r\n   at Microsoft.ActiveDirectory.Management.ADActiveObject.Create()\r\n   at Microsoft.ActiveDirectory.Management.Commands.ADNewCmdletBase`3.ADNewCmdletBaseProcessCSRoutine()\r\n   at Microsoft.ActiveDirectory.Management.CmdletSubroutinePipeline.Invoke()\r\n   at Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase`1.ProcessRecord()\r\n   --- End of inner exception stack trace --- "},

Suggested solution to the issue

There is currently a single try/catch block around all the code in the Get-TargetResource function, which is catching errors from both Get-ADObjectParentDN as well as Get-ADObject. There should be separate try/catch blocks around each of these functions, with appropriate error handling for each one.

The DSC configuration that is used to reproduce the issue (as detailed as possible)

ADManagedServiceAccount AdfsGmsa {
    ServiceAccountName = $ServiceAccountName
    AccountType        = 'Group'
    Credential         = $Credential
    Description        = 'ADFS Server Farm Group Managed Service Account'
}

The operating system the target node is running

OsName               : Microsoft Windows Server 2019 Datacenter
OsOperatingSystemSKU : DatacenterServerEdition
OsArchitecture       : 64-bit
WindowsVersion       : 1809
WindowsBuildLabEx    : 17763.1.amd64fre.rs5_release.180914-1434
OsLanguage           : en-US
OsMuiLanguages       : {en-US}

Version and build of PowerShell the target node is running

PSVersion                      5.1.17763.592
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.17763.592
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

Version of the DSC module that was used ('dev' if using current dev branch)

4.0.0.0
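The "Suggested solution" above, sketched as an added example. This is not the ActiveDirectoryDsc project's code and not the fix in #517; the function name Get-GmsaState and the UnresolvedPrincipals output key are assumptions made for illustration. It uses only the ActiveDirectory module cmdlets Get-ADServiceAccount and Get-ADObject. The point it demonstrates is the one the issue raises: the lookup of the account itself and the lookup of each retrieval principal get their own try/catch, so only a failure on the account object maps to Ensure = 'Absent'. A principal that no longer resolves (such as a decommissioned server still listed in the password-retrieval permission) is surfaced as drift detail rather than turning a present account into an apparent missing one, which is what drove the LCM into the failing Set in the log above.

```powershell
# Added example (not the project's code): two-stage lookup so that a dangling
# PrincipalsAllowedToRetrieveManagedPassword entry cannot make an existing gMSA
# look Absent. Requires the ActiveDirectory module (RSAT). Function name and the
# UnresolvedPrincipals key are hypothetical.
function Get-GmsaState
{
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory = $true)]
        [System.String]
        $ServiceAccountName,

        [Parameter()]
        [ValidateSet('SamAccountName', 'DistinguishedName', 'ObjectGUID', 'ObjectSid')]
        [System.String]
        $MembershipAttribute = 'SamAccountName'
    )

    $result = @{
        ServiceAccountName                         = $ServiceAccountName
        Ensure                                     = 'Absent'
        AccountType                                = $null
        PrincipalsAllowedToRetrieveManagedPassword = @()
        UnresolvedPrincipals                       = @()
    }

    # Stage 1: only a not-found on the account object itself means Absent.
    try
    {
        $account = Get-ADServiceAccount -Identity $ServiceAccountName `
            -Properties PrincipalsAllowedToRetrieveManagedPassword -ErrorAction Stop
    }
    catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException]
    {
        Write-Verbose -Message "Managed service account '$ServiceAccountName' was not found."
        return $result
    }
    # Any other exception (access denied, ADWS unreachable) is deliberately left
    # to propagate: "could not read" is not "Absent", and reporting it as Absent
    # is exactly what makes the LCM try to recreate an account that exists.

    $result.Ensure = 'Present'
    $result.AccountType = if ($account.ObjectClass -eq 'msDS-GroupManagedServiceAccount')
    {
        'Group'
    }
    else
    {
        'Standalone'
    }

    # Stage 2: resolve each principal in its own try/catch. The property holds a
    # DN per principal (or a raw SID string when AD can no longer translate it);
    # Get-ADObject -Identity accepts either form.
    foreach ($principalRef in @($account.PrincipalsAllowedToRetrieveManagedPassword))
    {
        try
        {
            $principal = Get-ADObject -Identity $principalRef `
                -Properties $MembershipAttribute -ErrorAction Stop
            $result.PrincipalsAllowedToRetrieveManagedPassword += $principal.$MembershipAttribute
        }
        catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException]
        {
            # Orphaned entry: record it so the caller can report drift and a
            # Set can rewrite the principal list, but do not fail the resource.
            Write-Verbose -Message "Principal '$principalRef' no longer exists; reporting it as unresolved."
            $result.UnresolvedPrincipals += $principalRef
        }
    }

    return $result
}

# Usage (on a domain-joined host with RSAT):
#   Get-GmsaState -ServiceAccountName 'AdfsGmsa' -Verbose
```

A Test-TargetResource built on this shape would compare the resolved principal list with the desired one and treat a non-empty UnresolvedPrincipals as "not in the desired state", which a Set can correct by rewriting PrincipalsAllowedToRetrieveManagedPassword; the account itself is never recreated. Surfacing the unresolved entries is also useful on its own, since each one is a leftover grant in the gMSA's password-retrieval permission that an operator would normally want cleaned up.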

@X-Guardian
Contributor Author

I'm working on a PR for this.

@johlju johlju added bug The issue is a bug. help wanted The issue is up for grabs for anyone in the community. labels Sep 25, 2019
@johlju johlju added in progress The issue is being actively worked on by someone. and removed help wanted The issue is up for grabs for anyone in the community. labels Nov 2, 2019
johlju pushed a commit that referenced this issue Nov 2, 2019
…Property and Refactor (#517)

- Changes to ADManagedServiceAccount
  - KerberosEncryptionType property added (issue #511).
  - BREAKING CHANGE: AccountType parameter ValidateSet changed from ('Group', 'Single') to ('Group', 'Standalone') - Standalone is the correct terminology (issue #515).
  - BREAKING CHANGE: AccountType parameter default of Single removed. - Enforce positive choice of account type.
  - BREAKING CHANGE: MembershipAttribute parameter ValidateSet member SID changed to ObjectSid to match result property of Get-AdObject. Previous code does not work if SID is specified.
  - BREAKING CHANGE: AccountTypeForce parameter removed - unnecessary complication.
  - BREAKING CHANGE: Members parameter renamed to ManagedPasswordPrincipals - to closer match Get-AdServiceAccount result property PrincipalsAllowedToRetrieveManagedPassword. This is so that a DelegateToAccountPrincipals parameter can be added later.
  - Common Compare-ResourcePropertyState function used to replace function specific Compare-TargetResourceState and code refactored (issue #512).
  - Resource unit tests refactored to use nested contexts and follow the logic of the module.
  - Resource Integration tests added.
@johlju johlju removed the in progress The issue is being actively worked on by someone. label Nov 2, 2019
X-Guardian added a commit that referenced this issue Jan 10, 2020
…Property and Refactor (#517)
johlju pushed a commit to johlju/ActiveDirectoryDsc that referenced this issue Jan 10, 2020
…Property and Refactor (dsccommunity#517)