Icinga/icinga-powershell-framework

JEA username and domain

Kaliumiodid opened this issue · 3 comments

During environment setup in the "Icinga for Windows Management Console" I selected the option "Install JEA Profile with managed user "icinga"". This basically runs fine for all checks, but during the checks of MSSQL I found the following issue.
When running the MSSQL checks with IntegratedSecurity on, the login attempt fails. During my investigations I saw Icinga using the server's name as username and the domain as domain (so the login attempt is done with "[domain][server name]$", but it should be [server name]\icinga; this local user has all needed permissions in the database).

Expected Behavior

The check should be green.

Current Behavior

The check fails due to DB connection error.

Steps to Reproduce (for bugs)

  1. Start JEA test environment
  2. Execute an MSSQL check (in my case, it's either invoke-IcingaCheckMSSQLHealth -IntegratedSecurity true -warning 1s -critical 2s (which returns DB connection error and is red) or Invoke-IcingaCheckMSSQLBackupStatus -IntegratedSecurity (which returns an Icinga error with the above-mentioned user credentials and is violet)).
  3. Besides that, typing $env:username shows the server name together with the $ sign and $env:userdomain shows the domain name. So it's at least not an issue of the MSSQL plugins.

Your Environment

  • PowerShell Version used ($PSVersionTable.PSVersion): 7.3.0
  • Windows Server 2022 (10.0.20348)

A small addition: When I start powershell as icinga-user, the checks mentioned run fine. Typing $env:username returns icinga and $env:userdomain the server name. Doing the same in the test environment (powershell.exe -ConfigurationName 'IcingaForWindowsTest';) I get the mentioned results (DB connection error).
Looking through the scripts, I see that by default IcingaUser is set by ((Get-IcingaServices).icinga2.configuration.ServiceUser) which returns the expected .\icinga, but at some point it seems to be replaced.

I was just curious: Is there any news on this topic?

Edit: I had some time to investigate this. When I created a small test configuration, I also got the device name when entering $env:username. But when I set RunAsVirtualAccount to false, I got the username as expected.
But I was still not able to make the checks work again. After doing the same in the template file and recreating JEA via management console, the checks are all unknown. In the event viewer I saw error 1501.

I have the same problem.