PS Start-Job error with credentials

Hello,

I’m trying to run this script from Octopus on one of our servers:

$domainUsername = "domain\user"
$password = "domainpassword"

$securePassword = ConvertTo-SecureString $password -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential ($domainUsername, $securePassword)

$job = Start-Job -ScriptBlock { Write-Host "test" } -Credential $credential

Wait-Job $job
Receive-Job $job

I always get this error: OpenError: The background process reported an error with the following message: .

I’ve run this script on the target server with the same user as the Tentacle is running with, and it worked fine. Do you have any clue what might cause this?

Thanks!

Geza

Hi @gszalai,

Thank you for contacting Octopus Support.

I hope you don’t mind, I have a few clarifying questions:

  • Do any of these variables exist as variables in the project that this script step is part of?
  • Are you logging in as the same user used to install the tentacle or the same user that the tentacle service currently is running as?
  • Can you provide a raw task log with variable logging turned on?

I look forward to hearing back from you.

Regards,
Donny

Hello @donny.bell,

here is the raw Octopus log, with variable debugging turned on, I have altered the passwords, user names and server names: octoraw.log.txt (34.8 KB)

To answer your questions:

  • originally I’ve run this script in the script console, and the variables are just local ones, nothing coming from the project, tenant or variable set level, now I added it to a project to be able to turn on variable logging,
  • no, the tentacle user is different from the user I’m trying to run the command with, see: raw log,
  • attached the raw log with variable logging.

Thanks!
Geza

Hi @gszalai,

Thank you for getting back to me.

After a quick test, it looks like the default service account for tentacles, NT AUTHORITY\SYSTEM, does not carry high enough permissions to invoke System.Management.Automation. I was able to run the script as a different user on my tentacle in my test environment. See below:

I would recommend creating a dedicated user account for this tentacle and/or adjust permissions in accordance with your security policies.

Let me know if I can assist with anything else.

Regards,
Donny

hello @donny.bell,

as I mentioned before, my tentacle is running as a dedicated domain user, which is a member of the local Administrators group on the target server. Are there any other rights I might have forgotten to add?

Thanks
Geza

Hi @gszalai,

Thank you for getting back to me.

I did quite a bit of research and asked around internally. Unfortunately, I was unable to find a definitive answer here. It may be worth checking the Windows event logs to see if the “access denied” is logged in a way that is helpful. If all else fails, contacting Microsoft directly might be an option as well.

If I can assist with anything else, please let me know.

Regards,
Donny

Hi @donny.bell,

what bothers me is that I tried to run the script on the server with the tentacle user from a normal PowerShell and it is working. Whenever I run the script from Octopus I get the error and the below info logged in Windows System Log:

Application popup: powershell.exe - Application Error : The application was unable to start correctly (0xc0000142). Click OK to close the application.

Does it give any clue?

Thanks
Géza

Hi @gszalai,

Thank you for getting back to me.

There may be something going on with interactive PowerShell vs non-interactive.

Here’s a Stack Overflow post with a bit of information on this topic:

If you haven’t already, I still recommend contacting Microsoft directly to inquire about the permissions needed to prevent System.Management.Automation from throwing an Access is denied error.

If I can assist with anything else, please let me know.

Regards,
Donny
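
A diagnostic sketch for the checks suggested in this thread (calling context, the job's failure reason, and matching System log entries), added here as an example and not code from any participant or from Octopus. The function name `Test-StartJobAsUser`, the 60-second timeout and the lookback window are assumptions; the credential is passed in by the caller rather than built from a plaintext password in the script.

```powershell
# Added example: hypothetical helper, not part of the original thread.
function Test-StartJobAsUser {
    param(
        [Parameter(Mandatory)] [pscredential] $Credential,
        [int] $LookbackMinutes = 15   # assumed window for the event log search
    )

    # Context of the calling process. Run this once from Octopus and once from
    # a normal console to compare interactive vs non-interactive execution.
    $context = [pscustomobject]@{
        User            = [Security.Principal.WindowsIdentity]::GetCurrent().Name
        SessionId       = (Get-Process -Id $PID).SessionId   # 0 = services session
        UserInteractive = [Environment]::UserInteractive
    }

    $started = Get-Date
    $job = Start-Job -ScriptBlock { "test" } -Credential $Credential
    Wait-Job $job -Timeout 60 | Out-Null
    $output = Receive-Job $job -ErrorAction SilentlyContinue -ErrorVariable jobErrors

    # The underlying exception, if any, is attached to the child job.
    $state  = $job.State
    $reason = $job.ChildJobs[0].JobStateInfo.Reason
    Remove-Job $job -Force

    # System log entries that mention the status code from the thread (0xc0000142).
    $filter = @{ LogName = 'System'; StartTime = $started.AddMinutes(-$LookbackMinutes) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '0xc0000142' } |
        Select-Object TimeCreated, ProviderName, Id, Message

    [pscustomobject]@{
        Context   = $context
        JobState  = $state
        Output    = $output
        Errors    = $jobErrors
        Reason    = $reason
        SystemLog = $events
    }
}

# Usage: $result = Test-StartJobAsUser -Credential $credential
#        $result | Format-List *
```

Comparing the `Context` and `Reason` values from an Octopus run with those from a console run under the same account shows whether the two runs differ in session or interactivity when the job fails.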

hello @donny.bell,

in the end we chose the easy way of granting the required permission for the tentacle user itself thus making this solution unnecessary.

However out of curiosity I will go on with this investigation later when I will have some free time.

Thanks for your time and effort!

Géza
