Start-Process with Credentials gives 'non-zero exit code: -1073741502'

I am trying to use the suggested DbUp solution to deploy some database scripts but I need the DbUp exe to run as a different user. For corporate reasons I cannot give the tentacle permissions to write to a production database so I have to do some impersonation in script.

Below is the PowerShell script I am trying to run. I can successfully run it when I log onto the tentacle machine, open a PS console as my tentacle user account, and run it by typing in “.\Octopus.Action.CustomScripts.Deploy.ps1”. However when I let Octopus run it as a Deploy script I am returned: Script ‘E:\Octopus\Applications\QA\Database\16.3.74525-test\Octopus.Action.CustomScripts.Deploy.ps1’ returned non-zero exit code: -1073741502

Is there a reason that Start-Process would work when run manually as the tentacle user on the tentacle machine but not when run by the tentacle? I have tried gutting this script down to bare bones by removing things like '-RedirectStandardOutput' with no luck. The tentacle is version 3.3.12.

Thank you,
Kevin

$user = $OctopusParameters['Administrator AD Account']
$password = $OctopusParameters['Administrator AD Password']

$securePassword = ConvertTo-SecureString -String $password -AsPlainText -Force
$credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $user, $securePassword

$exe = $OctopusParameters['Octopus.Action[Database Scripts].Output.Package.InstallationDirectoryPath'] + '\AJG.BSD.Pate.Database.exe'

$process = Start-Process $exe -Credential $credential -Wait -NoNewWindow -PassThru -LoadUserProfile -RedirectStandardOutput $env:windir\temp\databaseupdatestandard.log
$process.WaitForExit()

Get-Content -Path $env:windir\temp\databaseupdatestandard.log

exit $process.ExitCode

I think this might have something to do with it.

I am running my tentacle as a service account (not as Local System) so that the tentacle can have access to other systems. I then need to run the DB upgrade as a second user but via the tentacle. That SO article indicates that a service account cannot run a process as another user.

While this doesn’t appear to be any sort of issue with Octopus itself, do you guys have any experience with a situation like this? My specific example is trying to run a DbUp executable as AdminA while the tentacle service is running as ServiceAccountA.

Thank you

Hi Kevin,

I believe your diagnosis is correct.

I think you have a couple of options:

  • Run the Tentacle as a different account. Rather than trying to execute the DbUp process as a different account, run the whole Tentacle under an account with appropriate access. You could even create a dedicated Tentacle for running your DbUp scripts, which runs as an account with SQL Server rights.

  • Instead of using Windows authentication, use SQL Server authentication and supply the credentials in the database connection string. You can obviously manage these credentials using Octopus variables. I understand some environments won’t allow SQL authorization.

  • I think customers in the past have had success using WinRM to achieve this (example). Though I can’t personally confirm this works.

Could any of these options work for you?

Regards,
Michael
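
The WinRM option mentioned above could look like the sketch below for the deploy script in this thread. This is an added example, not code posted by anyone in the thread. It assumes PowerShell remoting is enabled on the Tentacle machine and that the second account is allowed to open a remote session there; the Octopus variable names are reused from the original script.

```powershell
# Added example: run the DbUp executable as a second account through a local
# WinRM session instead of Start-Process -Credential, which failed from the
# service with -1073741502 (0xC0000142, STATUS_DLL_INIT_FAILED).

$user     = $OctopusParameters['Administrator AD Account']
$password = $OctopusParameters['Administrator AD Password']
$exe      = $OctopusParameters['Octopus.Action[Database Scripts].Output.Package.InstallationDirectoryPath'] + '\AJG.BSD.Pate.Database.exe'

$securePassword = ConvertTo-SecureString -String $password -AsPlainText -Force
$credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $user, $securePassword

# Loop back to the same machine; the session's logon happens inside the WinRM
# service rather than as a child process of the Tentacle service.
$session = New-PSSession -ComputerName $env:COMPUTERNAME -Credential $credential -ErrorAction Stop
try {
    $result = Invoke-Command -Session $session -ArgumentList $exe -ScriptBlock {
        param($path)
        # Merge stderr into stdout so DbUp errors reach the Octopus task log.
        $output = & $path 2>&1 | Out-String
        [pscustomobject]@{
            Identity = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
            ExitCode = $LASTEXITCODE
            Output   = $output
        }
    }
}
finally {
    # Always close the session so the credentialed logon does not linger.
    Remove-PSSession -Session $session
}

Write-Host "Ran as $($result.Identity)"
Write-Host $result.Output

# Propagate the DbUp exit code so Octopus fails the step on a failed upgrade.
exit $result.ExitCode
```

A WinRM session is a network logon, so if the executable connects with Windows authentication to a SQL Server on another host, that second hop will not carry the account's credentials unless delegation (for example CredSSP) is configured for the session.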

MS hotfix seems to have solved a similar problem for me: https://support.microsoft.com/en-us/kb/2701373