I'm using this article https://learn.microsoft.com/en-us/previous-versions/dynamicscrm-2016/administering-dynamics-365/mt703269(v=crm.8)?redirectedfrom=MSDN for configuring CRM on-premise server based authentication a.k.a SSS (Server Side Sync) to Exchange Online.
Under the section: Set up server-based authentication, Step 2 the first part of the command works fine.
Command:
$CertificateScriptWithCommand = â.\CertificateReconfiguration.ps1 -certificateFile c:\cert.pfx -password mypasswordhere -updateCrm -certificateType S2STokenIssuer -serviceAccount domain\serviceaccount -storeFindType FindBySubjectDistinguishedNameâ
It's the second part that fails with the error.
Command: Invoke-Expression -command $CertificateScriptWithCommand
Error:
D:\Program Files\Microsoft Dynamics CRM\tools\CertificateReconfiguration.ps1 : Cannot bind argument to parameter 'password' because it is an empty string.
Any ideas on what I need to investigate to resolve this problem would be greatly appreciated...thanks
I tried various things I found online such as:
granting service account access to certificate private key
granting service account local security policies for log on as a service and log on as a batch job
granting service account local administrator on CRM server
Related
Im using Open SSH and trying to use ssh-add on windows server 2012 but keep receiving the following error
Could not add identity "C:\Users\SERVICE_ACCOUNT/.ssh/id_rsa": agent refused operation
I have made sure all my permissions are intact with all files within C:\Users\SERVICE_ACCOUNT.ssh
Icacls C:\Users\SERVICE_ACCOUNT\
C:\Users\SERVICE_ACCOUNT\ NT AUTHORITY\SYSTEM:(OI)(CI)(F)
CP\SERVICE_ACCOUNT:(OI)(CI)(F)
Icacls C:\Users\SERVICE_ACCOUNT\.ssh
C:\Users\SERVICE_ACCOUNT\.ssh CP\SERVICE_ACCOUNT:(OI)(CI)(F)
I have tried ssh-add using a different user on my windows and im able to successfully do so without any issues, i have also made sure that the permissions for the other user match my service account as well
I am automating a build process. The process requires deployment of application to a server, after deployment a few scripts have to be executed to share and provide permissions on the server. The scripts run when I login via domain user through powershell.I am using Jenkins for the CI/CD process. I want to include my domain credentials to run the scripts on the server. I have also used the active directory plugin, and can login with my domain credentials but still I am not able to establish a remote connection with the server.
My script is
Enter-PSSession -ComputerName ATKT-WS-20
Invoke-Expression -Command .\FolderSharingScript.ps1
Enter-PSSession : Connecting to remote server ATKT-WS-20 failed with the following error message : WinRM cannot
process the request. The following error with errorcode 0x8009030e occurred while using Kerberos authentication: A
specified logon session does not exist. It may already have been terminated.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does not exist.
-The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or
use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.<
I have also added the machine name in the trustedhosts. How can I include the domain credential in Jenkins jobs?
The solution turned out to be not to use PowerShell's remoting at all, but instead rely on the remoting built into Jenkins:
Connect the remote machine as a Jenkins agent to the Jenkins server, running the agent executable as the desired domain user.
On the Jenkins server, ensure that your job is configured to run on the remote machine, using a label expression.
Assuming the PowerShell plugin is installed, you can then send PowerShell code as-is to the remote machine - no need for PowerShell sessions, credentials, ...
I'm trying to assign a reserved IP to a VM using the CLI tools.
After running $: azure network nic set [
pawel#LAMP-Test:~$ azure network nic set LAMP-Test FirstReservedIP
info: Executing command network nic set
error: The current cmdlet requires you to log in using Azure Active Directory account, not from a .publishsettings file. Please run 'azure login' or use 'azure account set' to select a correct subscription.
info: Error information has been recorded to /home/pawel/.azure/azure.err
error: network nic set command failed
info: Executing command network nic set
error: The current cmdlet requires you to log in using Azure Active Directory account, not from a .publishsettings file. Please run 'azure login' or use 'azure account set' to select a correct subscription.
info: Error information has been recorded to /home/pawel/.azure/azure.err
error: network nic set command failed
azure network nic set LAMP-Test FirstReservedIP
]1 FirstReservedIp
I received following error:
The current cmdlet requires you to log in using Azure Active Directory
account, not from a .publishsettings file. Please run 'azure login' or
use 'azure account set' to select a correct subscription.
Is there a way to use .publishsettings file only to achieve this task?
No, at least not when you are in ARM mode. Using the .publishsettings file to authenticate from the CLI tools is only supported in the ASM mode.
More information available here.
You can still achieve a non-interactive login using CLI but it will require that you authenticate to Azure AD using a Work/School account (aka Organizational account). So, create an admin user (or service principal) in your Azure AD if you don't already have one. Then, add the azure login command to the top of your CLI script. For example...
azure login --username johndoe#contoso.onmicrosoft.com --password passw0rD!
azure network nic set LAMP-Test FirstReservedIP
I am having a problem with my server and so far couldn't find any solution for this. When I try to add a server from a server manager (windows server 2012) I can see only the kerberos security error. Both servers are in the same domain(i have tried from several servers from domain and got the same error).
The strange thing is when I unjoin the problematic server from domain and rejoin it with another name it works normally. But the problem is to make it work with existing name. Anyhelp will be highly appreciated
thanks in advance.
Late reply, but I've just encountered the same error and hope this solution proves useful to others.
Situation: I had to wipe and reinstall a virtual server on which I'd previously had to set some Service Principal Names, and some SPNs for a service account. Turns out the SPNs were still there for the old server/account and I had to remove them.
I recommend checking for and removing rogue SPNs to resolve this. Use the following commands in an elevated command prompt:
setspn -l <servername/username>
In my case I had problems with MBAM, the Bitlocker admin tool, so for example I used:
setspn -l mbam01
Which gave me the output (changed names to protect the innocent):
Registered ServicePrincipalNames for CN=MBAM01,OU=Member Servers,DC=corp,DC=domainname,DC=com:
termserv/mbam01.corp.domainname.com
termserv/mbam01
http/mbam01.corp.domainname.com
http/mbam01
HOST/MBAM01
HOST/mbam01.corp.domainname.com
This will list the SPNs associated with the server or user account. Then you remove the errant SPNs with this command:
setspn -d <listed service> <servername/username>
In my case it turned out the mbamapppool user had http/mbam01 and http/mbam01.corp.domainname.com associated with it, causing Server Manager to fail to poll the server. I removed the http/ refs from the user and then added them to the server with the following commands:
setspn -d http/mbam01 corp\mbamapppooluser
setspn -d http/mbam.corp.domainname.com corp\mbamapppooluser
setspn -s http/mbam01 mbam01
setspn -s http/mbam01.corp.domainname.com mbam01
I then refreshed Server Manager and it polled the server successfully, and the Kerberos Security Error had gone.
I have a build server that is not part of a Windows domain trying to connect to a VisualSVN server running HTTPS via apache with domain login via Active Directory. When I try to connect to the server using specifying a domain username I observe a client hang:
svn ls --username=domainuser https://subversion.mydomain/svn/repo1/
The logs on the server show Windows authentication failures using the login-name for the build-machine, and the build-machine's hostname in the Domain name field. The username provided on the command-line is completely ignored.
SVN Client: TortoiseSVN commandline tools: svn, version 1.8.1 (r1503906)
On a separate machine (on the domain) - I found that the --username would not be ignored if I used the cygwin svn instead.
The solution I found was to disable the http-auth-type 'negotiate'. This prevents Windows credentials being automatically shared.
I verified this using a command-line override, it asked for password for the user on the command-line:
svn ls --username=domainuser --config-option servers:global:http-auth-types=basic;digest https://subversion.mydomain/svn/repo1/
Authentication realm: <https://subversion.mydomain/svn/repo1/> VisualSVN Server
Password for 'domainuser':
(Note for Cygwin users: If you use SVN under Windows via Cygwin then you will need to add quotes to your command like this: $ svn ls --username=domainuser --config-option "servers:global:http-auth-types=basic;digest" https://subversion.mydomain/svn/repo1/ -- Otherwise the semicolon will be treated as a command delimiter.)
To configure this more permanently you can make a servers config file entry for all matching servers. For Win7 that's C:\Users\<User>\AppData\Roaming\Subversion\servers.
[groups]
mydomain = *.mydomain
[mydomain]
http-auth-types=basic;digest
Instead of disabling negotiate in client's config, I'd suggest using Windows Credential Manager to store the other account's credentials for Single Sign-On.
The following instruction shows how to put other domain credentials to access VisualSVN Server into Windows Credential Manager:
Start | Control Panel | Credential Manager,
Click 'Add a Windows Credential',
As 'Internet or network address' enter the FQDN of VisualSVN
Server's machine,
As 'Username' enter the <DOMAIN>\<username> of user account that
exists in domain and has access rights to VisualSVN Server,
Complete the password field and click OK,
Verify that you can authenticate to VisualSVN Server under the selected user account after completing the above steps.