Tested on our test servers. Running icinga 2.14.8. Framework 1.14.1, Plugins 1.14.0
Upgraded from Framework from 1.14.1 to 1.14.2 and plugins from 1.14.0 to 1.14.1. Didn't notice any issue. Uninstalled with Uninstall-IcingaForWindows and did a "clean" install. Got some permission errors. And didn't find the icinga-powershell-plugins module. The Icinga Powershell Service was missing. Did another test, and upgrade works. But a uninstall-reinstall is not possible. Both to same version and to the previous version.
The error message when running Test-IcingaAgent:
PowerShell DSC resource DSC_xScriptResource failed to execute Set-TargetResource functionality with error message: Sys
tem.InvalidOperationException: The set script threw an error. ---> System.Management.Automation.RuntimeException: Unabl
e to fetch system permission information:
Access is denied.
The task has completed with an error.
See log %windir%\security\logs\scesrv.log for detail info.
scesrv.log was not written to even though it says so in the error message.
Tried running: New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "LocalAccountTokenFilterPolicy" -Value 1 -PropertyType DWORD -Force
Then the errormessage dissapeared, plugins was installed. But the Powershell service is not installed. And the following command returns the following:
PS C:\Program Files\WindowsPowerShell\Modules> Test-IcingaAgentServicePermission
Unable to fetch system permission information:
Access is denied.
The task has completed with an error.
See log %windir%\security\logs\scesrv.log for detail info.
At C:\Program Files\WindowsPowerShell\Modules\icinga-powershell-framework\cache\framework_cache.psm1:5292 char:9
+ throw ([string]::Format('Unable to fetch system permission in ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (Unable to fetch...r detail info.:String) [], RuntimeException
+ FullyQualifiedErrorId : Unable to fetch system permission information:
Access is denied.
The task has completed with an error.
See log %windir%\security\logs\scesrv.log for detail info.
Tried to roll back to 1.14.1, but still same issues, no icinga powershell service.
Tried to uninstall icinga on another windows machine that was not upgraded. Did a clean install. No error messages, but icinga powershell service was not installed. Tried to roll back to 1.14.1, service still not installed.
> Test-IcingaForWindows
[Notice]: Collecting Icinga for Windows environment information
[Passed]: The Icinga Agent service and the Icinga Agent are installed on the system
[Warning]: The Icinga for Windows service seems not to be installed
Exception calling "Substring" with "2" argument(s): "Length cannot be less than zero.
Parameter name: length"
At C:\Program Files\WindowsPowerShell\Modules\icinga-powershell-framework\cache\framework_cache.psm1:4293 char:5
+ [string]$ServicePath = $ServiceConfig.ServicePath.SubString(0, $S ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : ArgumentOutOfRangeException
You cannot call a method on a null-valued expression.
At C:\Program Files\WindowsPowerShell\Modules\icinga-powershell-framework\cache\framework_cache.psm1:4295 char:9
+ if ($ServicePath.Contains('"')) {
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : InvokeMethodOnNull
[Passed]: Your service installation is properly referring to "icinga-powershell-framework.psd1" for module imports.
[Passed]: The Icinga Agent service user "NT AUTHORITY\NetworkService" is matching the Icinga for Windows service user "NT Authority\NetworkService"
[Passed]: It seems the provided SID "S-1-5-20" is a system SID. Skipping permission check
[Passed]: Directory "C:\ProgramData\icinga2\etc" is accessible and writable by the Icinga Service User "NT AUTHORITY\NetworkService"
[Passed]: Directory "C:\ProgramData\icinga2\var" is accessible and writable by the Icinga Service User "NT AUTHORITY\NetworkService"
[Passed]: Directory "C:\Program Files\WindowsPowerShell\Modules\icinga-powershell-framework\cache" is accessible and writable by the Icinga Service User "NT AUTHORITY\NetworkService"
[Passed]: Directory "C:\Program Files\WindowsPowerShell\Modules\icinga-powershell-framework\config" is accessible and writable by the Icinga Service User "NT AUTHORITY\NetworkService"
[Passed]: Directory "C:\Program Files\WindowsPowerShell\Modules\icinga-powershell-framework\certificate" is accessible and writable by the Icinga Service User "NT AUTHORITY\NetworkService"
[Passed]: The Icinga Agent state file does not exist
[Passed]: Icinga Agent configuration is valid
[Passed]: Icinga Agent debug log is disabled
[Passed]: The Icinga for Windows REST-Api is configured to start with the daemon
[Passed]: The Icinga for Windows REST-Api is configured to allow API checks
[Failed]: The Icinga for Windows certificate seems to be not signed by our Icinga CA yet. Re-Creating the certificate might resolve this issue [IWKB000013]
[Warning]: Icinga for Windows is configured without a JEA-Profile. It is highly recommended to use JEA for advanced security and easier permission handling
[Failed]: The Icinga for Windows service is currently not running
[Failed]: The Icinga for Windows REST-Api responded with an error on this machine, which is expected when using the default NetworkService account [IWKB000018]: "Unable to connect to the remote server"
(Please disregard the windows certificate erros, as it was not approved while testing.)
Test-IcingaAgentServicePermission works here though:
[Passed]: It seems the provided SID "S-1-5-20" is a system SID. Skipping permission check
True
Tested on our test servers. Running icinga 2.14.8. Framework 1.14.1, Plugins 1.14.0
Upgraded from Framework from 1.14.1 to 1.14.2 and plugins from 1.14.0 to 1.14.1. Didn't notice any issue. Uninstalled with Uninstall-IcingaForWindows and did a "clean" install. Got some permission errors. And didn't find the icinga-powershell-plugins module. The Icinga Powershell Service was missing. Did another test, and upgrade works. But a uninstall-reinstall is not possible. Both to same version and to the previous version.
The error message when running Test-IcingaAgent:
scesrv.log was not written to even though it says so in the error message.
Tried running: New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "LocalAccountTokenFilterPolicy" -Value 1 -PropertyType DWORD -Force
Then the errormessage dissapeared, plugins was installed. But the Powershell service is not installed. And the following command returns the following:
Tried to roll back to 1.14.1, but still same issues, no icinga powershell service.
Tried to uninstall icinga on another windows machine that was not upgraded. Did a clean install. No error messages, but icinga powershell service was not installed. Tried to roll back to 1.14.1, service still not installed.
(Please disregard the windows certificate erros, as it was not approved while testing.)
Test-IcingaAgentServicePermission works here though:
[Passed]: It seems the provided SID "S-1-5-20" is a system SID. Skipping permission check
True