Installing a win32 service using MSBuild and Microsoft.Sdc.Tasks - msbuild

I'm trying to install windows service using the Microsoft.Sdc.Tasks library.
<ControlService Action="Install"
ServiceName="Service1"
User="XXX
Password="XXX"
ServiceExePath="$(DeployFolder)\XXX.exe"/>
But I keep getting prompted for the user and password! This will not work as I'd like to have it as an automated build on the build server. I mean, the user and password that I want to run the service under are in the actual target. How do I get it to install the service using the configured user and password and not prompt for it?

Found this post and since all my service does is writing and reading from local file I should be OK running under the Local Service account instead of a specific user. Even after updated the service installer the ControlService-target requires a user and password to run but then I actually doesn't prompt me for the user and password. But then I don't want to run a specific user and the target fails when not provided with a user and password in the config ... Strange.
I solved by shelling out to the InstallUtil.exe instead. That works fine after set the I set service installer to run as a Local Service account.
<Exec WorkingDirectory="C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727"
Command="InstallUtil.exe -i XXX.exe" />

Just an FYI, to install to a remote server, you should use the SericeController task listed here:
http://weblogs.asp.net/scottgu/archive/2006/02/12/438061.aspx

Related

How to reset WebSphere wasadmin password

I have tried following this tutorial but the new password doesn't take effect after security is enabled again, still have to use old password to login as wasadmin:
http://weblogic-wonders.com/weblogic/2014/03/27/reset-websphere-admin-console-password/
I even tried the guide from IBM:
http://www-01.ibm.com/support/docview.wss?uid=swg21392427
But I'm lost at this step:
_Navigate via command prompt to /ConfigEngine
Because in my WebSphere it doesn't have this ConfigEngine folder in order the run the rest of the commands.
Can anyone help me?
EDIT: This is WebSphere 7 for Maximo 7.5
Have you tried the following?
To disable security, please perform the following steps via wsadmin:
/bin/> wsadmin -conntype NONE
wsadmin> securityoff
wsadmin> exit
Restart the servers.
Enable the security from administrative console.
Once the needed corrections are made, you can re-enable security in the admin console and then restart WebSphere.
NOTE: To restart the servers, you will first need to manually kill the java process since security is still enabled in the currently running process.
Or editing the xml file
Following this link you have 2 optiont:
This is for the standalone version
Make a backup of the security.xml file:
/config/cells/cellname/security.xml
Edit the security.xml file by searching for the first instance of " enabled= ". You should see enabled="true" as in:
Change to enabled="false".
Save the security.xml file.
Restart server1 and the WebSphere_Portal servers. If you get authentication exceptions while trying to stop the servers, you may have to manually kill the server processes and then restart them.
In the wpconfig.properties file, make the following changes:
PortalAdminId=wpsadmin
PortalAdminGroupId=wpsadmins
Refer to the Information Center link for specific instructions.
Save the wpconfig.propeties file.
Try to disable security again using the disable-security task:
./WPSconfig.sh disable-securit y
At this point, security should be disabled. You can verify by accessing the WebSphere Application Server admin console. You should be prompted for only a user name, not a password.
Follow these instructions for a clustered version:
Make a backup of the security.xml file on the Deployment Manager machine:
/config/cells/cellname/security.xml
Edit the security.xml file by searching for the first instance of "enabled= ". You should see enabled="true" as in:
Change to enabled="false".
Save the security.xml file.
Copy the security.xml file to the nodes:
/config/cells/cellname/security.xml
/config/cells/cellname/security.xml
Restart DMGR, NodeAgents, and WebSphere_Portal servers. If you get authentication exceptions while trying to stop the servers, you may have to manually kill the server processes and then restart them.
In wpconfig.properties, make the following changes:
PortalAdminId=wpsadmin
PortalAdminGroupId=wpsadmins
Refer to the Information Center link for specific instructions.
Save the wpconfig.propeties file.
Try to disable security again using the disable-security task. Note that the DMGR and the nodeagent should be running:
./WPSconfig.sh disable-security
At this point, security should be disabled. You can verify by accessing the DMGR AdminConsole. You should be prompted for only a user name, not a password.
Or more option is explained here
Note: I haven't tried this myself yet
Goto DMGR bin directory and follow the below process.
[root#localhost bin]# ./wsadmin.sh -connType NONE -lang jython
wsadmin>AdminTask.changeFileRegistryAccountPassword('-userId saddam -password saddamm')
wsadmin>AdminConfig.save()
Please restart dmgr.
If you have forgotten the password, then you have to directly kill the dmgr process id and start dmgr.
Login to WebSphere Console -> Users and Groups -> Manage Users -> click on <user_name> -> change the password value -> save the configuration.

Installing Teamcity build agent as a user: failed to install the service. selected account does not have enough rights

I want to install a TeamCity BuildAgend as a user. When entering my user credentials here:
I always get this error:
NOTE: My account (user) is Administrator with full permission!
How can I do this?
The error message says it does not have "enough rights to run as a service",
this is slightly different from just being an administrator.
Go to Control Panel> Administrative Tools> Local Security Policy.
Select Local Policies> User Rights Assignment.
Scroll down through the list of policies and look for Log on as a service.
Add the account you're using to the list of accounts with this right.
That should in theory be all you need to allow the service to run under that user.
The best powershell command that I have found for this is:
Grant-Privilege -Identity $SERVICE_USERNAME -Privilege SeServiceLogonRight
Requires use of the Carbon framework.
I'm a Windows 10 Home user and the steps above did not work for me, but the following did:
Enable gpedit.msc by running the batch file as explained here under Method 1: https://www.askvg.com/how-to-enable-group-policy-editor-gpedit-msc-in-windows-7-home-premium-home-basic-and-starter-editions/
Run gpedit.msc
Go to Local Computer Policy / Computer Configuration / Windows Settings / Security Settings / Local Policies / User Rights Assignment
Double-click Log on as a service
On the window that appears, click Add User or Group...
Enter your username and click the Check Names button
Your name will be modified, adding the machine name as the prefix. Click OK
Click OK on the Log on as a service Properties window to apply the change.
It is a little bit of a pain, but after doing that, I was able to continue installing TeamCity

msdeploy returning unauthorized when using the admin account and correct username / password

I am trying to use msdeploy on my web servers using the /MSDEPLOYAGENTSERVICE method and it is continually saying i am not an admin and not authorized but i am using the administrator account and am using the correct password. Internally if i try the webdeploy.axd it works but that method is not an option for me due to port concerns.
Here is one of the command strings i use
"%ProgramFiles(x86)%\MSBuild\12.0\Bin\amd64\msbuild.exe" ..\mysolution.sln /t:Clean;Rebuild /p:Configuration=%CONFIG% /verbosity:m /fileLogger /maxcpucount:4 /p:DeployOnBuild=true /p:PublishProfile=%CONFIG% /p:MSDeployServiceURL=http://%SERVER% /p:UserName=Administrator /p:Password=%PWORD%
Here is another one that is returning the same issue:
msdeploy -verb:sync -source:webserver,computername=%MACHINE%,username=Administrator,password=%PASSWORD% -dest:webserver 2<&1
This happened after i updated msdeploy to version 3.5 and moved my development environment to vs2013. Unfortunately i can not downgrade either of these. Aside from those changes nothing else has been changed.
As always asking the question has reveled the answer.
If this group policy key is set to 'Guest Only' msdeploy will NOT work.
I switched it back to 'Classic' and now it works properly.
Computer Configuration\Windows Settings\ Security Settings\Local Policies\Security Options\Network Access: Sharing and security model for local accounts.
I know i said nothing changed but my admin seemed to have forgotten about that change. He has since been feed to the sharks with laser beams on their foreheads.

Can't run vb.net application as administrator across network

I have created a small application that auto elevates as administrator using the command:
requestedExecutionLevel level="highestAvailable" uiAccess="false"
This works fine if I run the application locally on the computer. However, if the computer tries to run my execuatable across the netork, it simply crashes on startup with a message "Do you want to send more information about the problem?" error. If I right click and run as administrator, my application will work and will prompt for admin credentials.
The folder I am running my application from (across the network) has full read/write permissions for 'everyone'.
My question is: Is there something I've missed? Why can I run my application locally and not get prompted but across the network crashes or requires admin?
Can anyone help explain what might be causing this issue?
UPDATE
I have checked my event viewer log and it shows the following:
Application: AutoUpdater.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.Net.Sockets.SocketException
Stack:
at System.Net.Sockets.Socket..ctor(System.Net.Sockets.AddressFamily, System.Net.Sockets.SocketType, System.Net.Sockets.ProtocolType)
at System.Net.Sockets.TcpListener..ctor(System.Net.IPAddress, Int32)
at System.Runtime.Remoting.Channels.Tcp.TcpServerChannel.SetupChannel()
at System.Runtime.Remoting.Channels.Tcp.TcpServerChannel..ctor(System.Collections.IDictionary, System.Runtime.Remoting.Channels.IServerChannelSinkProvider, System.Runtime.Remoting.Channels.IAuthorizeRemotingConnection)
at Microsoft.VisualBasic.ApplicationServices.WindowsFormsApplicationBase.RegisterChannel(ChannelType, Boolean)
at Microsoft.VisualBasic.ApplicationServices.WindowsFormsApplicationBase.Run(System.String[])
at AutoUpdater.My.MyApplication.Main(System.String[])
I don't understand why it is making reference to System.Net.Sockets?? But that is what seems to be crashing my app.
Make sure that the other computers attempting to run your application have the correct .Net framework versions installed. If users are able to open the executable, there shouldn't be any other issues with permission.
If you have verified the framework versions, see if there is anything in the error report that might point to a reason for the crash. A lot of times there may be something in there that can point you in the right direction.
.NET applications don't like to run from the intranet by default.
Try this:
Go to Control Panel -> Administrative Tools -> Microsoft .NET Framework 2.0 Configuration
Click Configure Code Access Security Policy link
Click Adjust Zone Security
Set the My Computer and Local Intranet to Full Trust
If this works, then it is a local security issue. If you need it scripted out, you can use the caspol exe that is in the framework. Sample
C:
cd %windir%\Microsoft.NET\Framework\v2.0.50727
CasPol.exe -pp off -m -ag 1. -URL Z:\folder\EXEName.exe FullTrust -n FriendlyNameOfEXE

Stop IIS 7 Application Pool from build script

How can I stop and then restart an IIS 7 application pool from an MSBuild script running inside TeamCity. I want to deploy our nightly builds to an IIS server for out testers to view.
I have tried using appcmd like so:
appcmd stop apppool /apppool.name:MYAPP-POOL
... but I have run into elevation issues in Windows 2008 that so far have stopped me from being able to run that command from my TeamCity build process because Windows 2008 requires elevation in order to run appcmd.
If I do not stop the application pool before I copy my files to the web server my MSBuild script is unable to copy the files to the server.
Has anybody else seen and solved this issue when deploying web sites to IIS from TeamCity?
This article describes using an htm file named App_offline.htm to take a site offline. Once the IIS detectes this file in the root of a web application directory,
ASP.NET 2.0 will shut-down the application, unload the application
domain from the server, and stop processing any new incoming requests
for that application.
In App_offline-htm, you can put a user-friendly message indicating that the site is currently under maintainance.
Jason Lee shows the MSDeploy calls you need to use (plus much more about integrating these steps in your build scripts!).
MSDeploy
-verb:sync
-source:contentPath="[absolute_path]App_offline-Template.htm"
-dest:contentPath="name_of_site/App_offline.htm",computerName="copmuter_name",
username=user_with_administrative priviliges,password=passwort
After deployment you can remove the App_offline.htm file using the following call:
MSDeploy
-verb:delete
-dest:contentPath="name_of_site/App_offline.htm",computerName="computer_name",
username=user_with_administrative_priviliges,password=passwort
The msbuild community tasks includes an AppPoolController that appears to do what you want (though as noted it is dated and at present only supports IIS6.) An example:
<AppPoolController ApplicationPoolName="MyAppPool" Action="Restart" />
Note that you can also provide a username and password if necessary.
Edit: Just noticed that the MSBuild Extension Pack has an Iis7AppPool task that is probably more appropriate.
this is the fairly hackey workaround I ended up using:
1) Set up a limited-access account for your service to run as. Since I'm running a CruiseControl.NET service, I'll call my user 'ccnet'. He does NOT have admin rights.
2) Make a new local user account, and assign to the Administrators group (I'll call him 'iis_helper' for this example). Give him some password, and set it to never expire.
3) Change iis_helper's access permissions to NOT allow local login or remote desktop login, and anything else you might want to do to lock down this account.
4) Log in (either locally or through remote desktop) as your non-admin user, 'ccnet' in this example.
5) Open a command terminal, and use the 'runas' command to execute whatever it is that needs to be run escalated. Use the /savecred option. Specify your new administrative user.
runas /savecred /user:MYMACHINE\iis_helper "C:\Windows\System32\inetsrv\appcmd.exe"
The first time it will prompt you for 'iis_helper's password. After that, it will be stored thanks to the /savecred option (this is why we're running it once from a real command prompt, so we can enter the password once).
6) Assuming that command executed OK, you can now log out. I then logged back in as a local admin and turned off the 'ccnet' user for local interactive login, and remote desktop. The account is only used to run a service, but no real logins. This isnt a mandatory step.
7) Set up your service to run as your user account ('ccnet').
8) Configure whatever service is running (CruiseControl.NET in my case) to execute the 'runas' command instead of 'appcmd.exe' directly, the same as before:
replace:
"C:\Windows\System32\inetsrv\appcmd.exe" start site "My Super Site"
with:
runas /savecred /user:MYMACHINE\iis_helper "\"C:\Windows\System32\inetsrv\appcmd.exe\" start site \"My Super Site\""
The thing to note there is that the command should be in one set of quotes, with all the inner quotes escaped (slash-quote).
9) Test, call it a day, hit the local pub.
Edit: I apparently did #9 in the wrong order and had a few too many before testing...
This method also doesn't completely work. It does attempt to run as the administrative account, however it still runs as a non-escalated process under the administrative user, so still no admin permissions. I didn't initially catch the failure because the 'runas' command spawns a separate cmd window then closes right away, so I wasn't seeing the failure output.
Its starting to seem like the only real possibility might be writing a windows service that will run as admin, and its only purpose is to run appcmd.exe, then somehow call that service to start/stop IIS.
Isn't it great how UAC is there to secure things, but in actuality just unsecures more servers, because anything you want to do you have to do as admin, so its easier to just always run everything as admin and forget it?
You can try changing the Build Agent Service settings to log-on as a normal user account instead of SYSTEM (the default), this can be done from the services control panel (Start | Run | services.msc).
If it doesn't help, you can also try configuring the appcmd to always run elevated, refer to this document for details.
In case such option is not available for appcmd or it still doesn't work, you can disable UAC completely for this user.
Here you go. You can use this from CC.NET with NAnt or just with NAnt:
http://nantcontrib.sourceforge.net/release/latest/help/tasks/iisapppool.html