Octopus Server not starting - HttpSysException from Microsoft.AspNetCore.Server.HttpSys.UrlGroup.RegisterPrefix

Hi,

I’ve just done a fresh install of 2020.1.15 onto Windows Server 2016. I created a new local account (with no additional permissions) to run the Octopus Server service. I followed the first 3 instructions from https://octopus.com/docs/installation/permissions-for-the-octopus-windows-service and set the account as sysadmin in the database server.
I could not find out how to set the remaining permissions using sc and netsh.
With these set the service will start and then immediately crash with this exception trace:

Microsoft.AspNetCore.Server.HttpSys.HttpSysException (5): Access is denied.
   at Microsoft.AspNetCore.Server.HttpSys.UrlGroup.RegisterPrefix(String uriPrefix, Int32 contextId)
   at Microsoft.AspNetCore.Server.HttpSys.UrlPrefixCollection.RegisterAllPrefixes(UrlGroup urlGroup)
   at Microsoft.AspNetCore.Server.HttpSys.HttpSysListener.Start()
   at Microsoft.AspNetCore.Server.HttpSys.MessagePump.StartAsync[TContext](IHttpApplication`1 application, CancellationToken cancellationToken)
   at Microsoft.AspNetCore.Hosting.WebHost.StartAsync(CancellationToken cancellationToken)
   at Microsoft.AspNetCore.Hosting.WebHost.Start()
   at Octopus.Server.Web.WebServerInitializer.Start() in C:\buildAgent\work\47b5b27d3625d6ca\source\Octopus.Server\Web\WebServerInitializer.cs:line 61
   at Octopus.Server.OctopusServerEngine.Start() in C:\buildAgent\work\47b5b27d3625d6ca\source\Octopus.Server\OctopusServerEngine.cs:line 69
   at Octopus.Server.Commands.RunCommand.Start() in C:\buildAgent\work\47b5b27d3625d6ca\source\Octopus.Server\Commands\RunCommand.cs:line 79
   at Octopus.Shared.Startup.AbstractCommand.Start(String[] commandLineArguments, ICommandRuntime commandRuntime, OptionSet commonOptions)
   at Octopus.Shared.Startup.OctopusProgram.Start(ICommandRuntime commandRuntime)
   at Octopus.Shared.Startup.WindowsServiceHost.<>c__DisplayClass1_0.<Run>b__0()
   at Octopus.Shared.Startup.WindowsServiceAdapter.RunService()

Making the new account a member of the local Administrators group clears the issue but I would ideally like to restrict the access of this account.

Hey David,

First and foremost, welcome to the Octopus community!

This looks like a permissions issue on the octopus service account somewhere. That specific error looks to be caused by the netsh portion not being finished. We’ll need to check a few things and then do a few more since you said you needed help with steps 4-7.

First, Did you set the account to have “Logon as Service” rights? To ensure this go to Control Panel -> Administrative Tools -> Local Security Policy, then dig down into Local Policies -> User Rights Assignment and ensure that your Octopus account is in the Logon as Service entry. If it’s not please add it.

For the sc.exe commands, you have to open an administrative command prompt and do the following:
First we need to find the SID of your Octopus account. To do that type in WMIC useraccount get name, sid. This will give you a table with usernames and SIDs like this:

image

Find the user you created and copy down the SID, we’ll need this for a later command. Next, you’ll want to get the current permissions for the service. To do this you’ll run sc.exe sdshow OctopusDeploy. This will give us the current permissions for OctopusDeploy service. You will see something like this:
D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

What we want to do is put our Octopus account after the last D: entry and before the S: entry and give it complete rights.

So for me, the completed entry looks like this:
"D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWLOCRRCRPWPDT;;;S-1-5-21-3446007454-1029367083-545615579-1001)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The section you will add will be in this format:
(A;;CCLCSWLOCRRCRPWPDT;;;putyoursidhere)

You will then copy your version to the end of the command sc.exe sdset OctopusDeploy and run it. For example my full command is:
sc.exe sdset OctopusDeploy "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWLOCRRCRPWPDT;;;S-1-5-21-3446007454-1029367083-545615579-1001)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

You can check to make sure your permission has been added by running sc.exe sdshow OctopusDeploy again and check for the changes we just made.

The netsh commands are a bit easier. You will need to fill in the domain/username in the command, but other than that you can just copy/paste and run the 3 commands:

netsh http add urlacl url=https://+:443/ user=domain\username listen=yes
netsh http add urlacl url=http://+:80/ user=domain\username listen=yes
netsh http add urlacl url=http://+:10933/ user=domain\username listen=yes 

To check that they have been added you can run netsh.exe http show urlacl and take a look at the reserved URLs at the end.

With all of the above steps your service should start using the Octopus account you created. Please let me know if this was helpful or if you need any more help getting up and running.

Thanks,
Jeremy

Hi Jeremy,

I tried the instructions above but without success. My local account is GBRCAM-FPSDEV1\OctopusServer with SID S-1-5-21-4075294303-2904937176-822336628-1004.
The http URL permission has been added:

    Reserved URL            : https://+:8000/
        User: GBRCAM-FPSDEV1\OctopusServer
            Listen: Yes
            Delegate: No
            SDDL: D:(A;;GX;;;S-1-5-21-4075294303-2904937176-822336628-1004)

The service permissions have been set for the service:

sc.exe sdshow OctopusDeploy

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;S-1-5-21-4075294303-2904937176-822336628-1004)

The service query returns:

PS C:\Users\robinsond> sc.exe qc OctopusDeploy
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: OctopusDeploy
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\Program Files\Octopus Deploy\Octopus\Octopus.Server.exe" run --instance="OctopusServer"
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : OctopusDeploy
        DEPENDENCIES       : LanmanWorkstation
                           : TCPIP
                           : MSSQL$SQLEXPRESS
        SERVICE_START_NAME : .\OctopusServer

When I start the service I see this in the log:

2020-04-30 11:16:54.7448  10420      9  INFO  ==== RunCommand ====
2020-04-30 11:16:54.7448  10420      9  INFO  CommandLine: C:\Program Files\Octopus Deploy\Octopus\Octopus.Server.dll run --instance=OctopusServer
2020-04-30 11:16:54.7448  10420      9  INFO  Octopus.Server.dll version 2020.1.15 (2020.1.15+Branch.tags-2020.1.15.Sha.efcd087b21492bd8b3f1fbddd1830423f368cf99)
2020-04-30 11:16:54.7567  10420      9  INFO  Using instance OctopusServer, with config from C:\Octopus\OctopusServer.config
2020-04-30 11:16:54.7567  10420      6  WARN  There are 572 files in the Octopus directory. This is an unexpectedly high number - skipping listing the files and versions to the log file to avoid causing performance pain.
2020-04-30 11:16:54.7685  10420      9  INFO  Using database data source=(local)\SQLEXPRESS;initial catalog=OctopusDeploy-OctopusServer;integrated security=True
2020-04-30 11:16:54.9710  10420      9  INFO  Testing the built-in worker configuration.
2020-04-30 11:16:54.9724  10420      9  INFO  Testing the built-in worker configuration.
2020-04-30 11:16:54.9724  10420      9  INFO  Built-in worker: SUCCESS
2020-04-30 11:16:55.1840  10420      9  INFO  Checking the Octopus Master Key has been configured.
2020-04-30 11:16:55.1931  10420      9  INFO  Making sure it's safe to upgrade the database schema...
2020-04-30 11:16:55.1931  10420      9  INFO  Checking to see if database schema upgrade is required...
2020-04-30 11:16:55.2640  10420      9  INFO  Database already has the expected schema. No changes are required.
2020-04-30 11:16:55.2640  10420      9  INFO  Executing always run scripts...
2020-04-30 11:16:55.2722  10420      9  INFO  Executing TSQL Database Server script 'Octopus.Core.UpgradeScriptsAlways.Script0000 - Refresh Views.sql'
2020-04-30 11:16:55.3694  10420      9  INFO  Refreshing view dbo.Dashboard
2020-04-30 11:16:55.3694  10420      9  INFO  Refreshing view dbo.IdsInUse
2020-04-30 11:16:55.3694  10420      9  INFO  Refreshing view dbo.MultiTenancyDashboard
2020-04-30 11:16:55.3694  10420      9  INFO  Refreshing view dbo.Release_WithDeploymentProcess
2020-04-30 11:16:55.3694  10420      9  INFO  Refreshing view dbo.RunbookSnapshot_WithRunbookProcess
2020-04-30 11:16:55.3694  10420      9  INFO  Refreshing view dbo.TenantProject
2020-04-30 11:16:55.9581  10420      9 FATAL  The prefix 'http://+:8000/' is already registered.
Microsoft.AspNetCore.Server.HttpSys.HttpSysException (183): The prefix 'http://+:8000/' is already registered.
   at Microsoft.AspNetCore.Server.HttpSys.UrlGroup.RegisterPrefix(String uriPrefix, Int32 contextId)
   at Microsoft.AspNetCore.Server.HttpSys.UrlPrefixCollection.RegisterAllPrefixes(UrlGroup urlGroup)
   at Microsoft.AspNetCore.Server.HttpSys.HttpSysListener.Start()
   at Microsoft.AspNetCore.Server.HttpSys.MessagePump.StartAsync[TContext](IHttpApplication`1 application, CancellationToken cancellationToken)
   at Microsoft.AspNetCore.Hosting.WebHost.StartAsync(CancellationToken cancellationToken)
   at Microsoft.AspNetCore.Hosting.WebHost.Start()
   at Octopus.Server.Web.WebServerInitializer.Start() in C:\buildAgent\work\47b5b27d3625d6ca\source\Octopus.Server\Web\WebServerInitializer.cs:line 61
   at Octopus.Server.OctopusServerEngine.Start() in C:\buildAgent\work\47b5b27d3625d6ca\source\Octopus.Server\OctopusServerEngine.cs:line 69
   at Octopus.Server.Commands.RunCommand.Start() in C:\buildAgent\work\47b5b27d3625d6ca\source\Octopus.Server\Commands\RunCommand.cs:line 79
   at Octopus.Shared.Startup.AbstractCommand.Start(String[] commandLineArguments, ICommandRuntime commandRuntime, OptionSet commonOptions)
   at Octopus.Shared.Startup.OctopusProgram.Start(ICommandRuntime commandRuntime)
   at Octopus.Shared.Startup.WindowsServiceHost.<>c__DisplayClass1_0.<Run>b__0()
   at Octopus.Shared.Startup.WindowsServiceAdapter.RunService()

If I add the service account to the Administrators group then it all works

Hey David,

I notice in your reservation you set it to https://+:8000 and the log is asking for http://+:8000. It feels like there’s some sort of mismatch going on between the reservations set and what the server is trying to bind to. Can you try deleting all reservations for port 8000 and recreating it with just http (no s) and try again?

You’ll want to use the command netsh http delete urlacl to delete. Let me know how it goes for you or if you have other questions.

I also believe your other thread might be caused by this as well. Lets see if it resolves both.

Thanks,
Jeremy

Hi Jeremy,

Correcting the reservation for port 8000 (the main Octopus server port) from https to http means the service now runs under the local (non-admin rights) account.

With this current configuration I still cannot push a package from my development PC to the Octopus server. I have also tried changing the service to run as Local System and as my own domain account. The latter is a member of the local administrators groups.

Thanks,

David

Hi David,

Were you able to push packages with an administrator account before we attempted these changes to make your service account work? And if so, did you make any other changes in that time-frame, or were these the only ones? Is it the same error that you reported in the other thread now that we’ve fixed the URL reservation? Are you able to try to push again, take a look at the server logs and see if any errors show up? I’m not seeing any errors in the server log that you attached in the other thread.

Thanks,

(Response posted to Package push from Octo.exe fails but package upload via web succeeds)

The service account issue was resolved. There was a separate issue that will be handled in the other thread. Package push from Octo.exe fails but package upload via web succeeds

Just wanted to comment in case it helps anyone else.The account Octopus Deploy was running as didn’t have enough permissioning for some directory action. Making account Octopus Deploy runs under a local administrator (Edit Local Users and Groups -> Administrators) resolved this issue for me.

1 Like