PowerShell on Target Machine: Special Characters in password

[goofy78270]

I am running into an issue where my admin password contain special characters. As a result, when executing the script, the authentication fails.

password - %D0`H\vW'RUc?buZ5

While I could, and probably will, in the short term, update the password to remove special characters, I wanted to bring this issue to your attention. With password policies becoming more robust, it is only a matter of time, if not already, before this becomes an issue for others.

Error log excerpt:
2016-11-03T15:38:46.6387093Z Deployment status for machine 'ServerRemoved:5985' : 'Failed'
2016-11-03T15:38:46.6543337Z ##[debug]System.Exception: AuthorizationManager check failed.
2016-11-03T15:38:46.6699590Z ##[error]AuthorizationManager check failed.

[bryanmacfarlane]

Which task are you using?

[KrishnaAdityaB]

@goofy78270
Fixing this is already in our backlog and we are picking it up in the coming weeks.

[bryanmacfarlane]

What task?

[KrishnaAdityaB]

@goofy78270
This is fixed in "PowerShell on Target Machines" task. The password you provided works fine with task version 1.0.43.

Which version were you facing this issue with? Or is it some other task?

[goofy78270]

1.0.31 is the version we are currently using

[KrishnaAdityaB]

@goofy78270 Nothing changed in the task between these versions related to this. Please provide me below details for reproducing the issue

1. TFS version
2. OS version of the agent
3. OS version of the target machine
4. PS version on the agent
5. PS version on the target machine

Please try creating a remote PS Session from your agent box to target box just to confirm the setup is good, and task is failing to create remote session. You can use below script

$cimSessionOption = New-CimSessionOption -Protocol Wsman; $cimSessionOption.CertCACheck = $false; $cimSessionOption.UseSsl = $false

$securePassword = ConvertTo-SecureString "%D0`H\vW'RUc?buZ5" -AsPlainText -Force

$cred = New-Object System.Management.Automation.PSCredential('domain\username', $securePassword)

$cimSession = New-CimSession -ComputerName ServerRemoved -SessionOption $cimSessionOption -Credential $cred -Port 5985

[goofy78270]

Still not working...

1. TFS version = 2015 - Version 14.102.25423.0
2. OS version of the agent = 2012 R2
3. OS version of the target machine = 2012 R2
4. PS version on the agent = 4.0
5. PS version on the target machine = 4.0

Using the same code as above, but my credentials, I am able to login without issue.

NOTES:
The trouble account and myself are both members of the admin group on the target server.
Restriction policy is set to unrestricted.
The credential is accurate as I am able to login to the server using the credentials for the troubled account.

UPDATE: the actual password is %D0`H\vW'RUc?buZ5. I must have removed a \ in testing various things...but even the correct login does not work for the remote session.

[goofy78270]

Using the following appears to work in the test listed above.
$securePassword = ConvertTo-SecureString '%D0`H\vW''RUc?buZ5' -AsPlainText -Force

note that I changed the double quotes to a single quote and escaped the single quote within the password

[goofy78270]

Sorry, issue not closed

[KrishnaAdityaB]

@goofy78270
I tried with the same setup and things were working for me with 1.0.31 version of task too.
And, during build you were getting a different error than simple Access Denied.
Can we have a call where we can access your setup and debug? Please mail us at RM_Customer_Queries at Microsoft dot com.

Meanwhile please try again with below script:
When credential is hardcoded - the tick character (`) is treated as an escape character and script fails. Below version of the script doesn't hardcode the password - it takes input during execution

$cimSessionOption = New-CimSessionOption -Protocol Wsman; $cimSessionOption.CertCACheck = $false; $cimSessionOption.UseSsl = $false

$cred = Get-Credential

$cimSession = New-CimSession -ComputerName ServerRemoved -SessionOption $cimSessionOption -Credential $cred -Port 5985

[goofy78270]

By manually entering credentials during the test run, it works without issue, similar to changing the double quotes to a single quote and escaping the single quote as mentioned above.

I am unsure if it matters, but the password does not appear to be posting correctly. The are supposed to be 2 \ in the password not just one - %D0`H\\vW'RUc?buZ5
maybe this double \ has something to do with the issue

as for the ` escape character, that is only for double quoted strings, which the script appears to be using. For a single quoted string - Single-Quoted Strings (')

When you enclose a string in single quotation marks, any variable names in the string such as '$myVar' will appear exactly as typed when the command is processed. Expressions in single-quoted strings are not evaluated, not even escape characters or any of the Special characters. If the string contains any embedded single quotes, they must be doubled (replace ' with '').

There are also other situations that need to be escaped when using double quoted strings. Here is a page I found that explains the escaping for single versus double quoted strings - http://www.rlmueller.net/PowerShellEscape.htm

[goofy78270]

Here is some further information:
I used the following to create a test to compare the results and while the password appears the same in both test, the results are different for the three test. After this testing, I am unsure if this is script related or just a bug in powershell as the password shows correctly in all 3 instances, but the first fails for some reason

[KrishnaAdityaB]

@goofy78270
Thanks for the info. I am not sure of the issue in 3 tests, but your target machine's WinRM settings are correctly set - the above script worked with Get-Credential.
But somehow the PowerShell on Target Machines task is failing. In the very first message I noticed that the error is not simple Access Denied. It is Authorization Manager check failed. We have to understand more - It will be helpful if we can set-up a 30min session where we can debug this together. (RM_Customer_Queries at Microsoft dot com)

[KrishnaAdityaB]

I am out of office for 2 weeks. adding @chshrikh and @rajatagrawal-dev

@chshrikh
At first it seemed like the special character issue. But now, I strongly believe it is not. If it is, it should have thrown Access Denied error. Not Authorization Manager check failed. We should check if it is the script issue.

1. Create this password as a non-secret variable in build. And try to print this in the PS on Target Machine task. Check if it is received correctly.
2. Use a hello-world script to see if this is a script issue

[chshrikh]

@goofy78270 please let us know if you are still blocked on this

[goofy78270]

I am unsure where the issue lies, but we have moved forward by simply removing special characters from our passwords. Everything seems to work great now. If there is a need for us to look into this again, I will reopen this case.

Thanks for all your help and sorry for running in circles.

[jdshkolnik]

PowerShell/PowerShell#4024

[praharshp]

Hi Team, I am working on a PS script to install VSTS agents on my Azure VMs through an Azure DevOps Release Pipeline.

Here in the below script, I am passing a Service Account Password, which is set by my customers. Below script fails whenever Password consist of special characters like

")';:(

Code:

 .\config.cmd --deploymentgroup --deploymentgroupname DeployGroupSQL --agent $env:COMPUTERNAME 
--runasservice 
--windowsLogonAccount $(ServiceAccountUser) 
--windowsLogonPassword "$(Service_Account_Password)" --work '_work' 
--adddeploymentgrouptags --deploymentgrouptags $SQL 
--url 'https://dev.azure.com/campusmgmt-product-development/' 
--projectname 'Student' --auth PAT --token u4bq6j******************************bhhyq; 

I have tried putting whole password into double quotes as well as single quotes but of no help.

This Service Account Password is a Pipeline variable and hence needs to be passed like $(Service_Account_Password).

Can you please suggest on how can I deal with this situation. I have already tried putting this as a here-string, Secure-String, or script parameter but has not proved of any help.

Hoping to hear back soon as this is urgent for my project release.

[praharshp]

Feel its my luck day today. After banging my head for past 8 hours on this I could finally work this through using Stop-Script character in PowerShell '--%'

Solution I tried:
.\config.cmd --deploymentgroup --deploymentgroupname DeployGroupCTS --agent $env:COMPUTERNAME --runasservice --work '_work' --adddeploymentgrouptags --deploymentgrouptags $CTS --url 'https://dev.azure.com/campusmgmt-product-development/' --projectname 'Student' --auth PAT --token u4bq6j************************************hhyq --windowsLogonAccount $(ServiceAccountUser) --windowsLogonPassword --% "$(Service_Account_Password)" %;%

Ref: https://stackoverflow.com/questions/18923315/using-in-powershell

Hope this might helps others.

[pmauri01]

Thanks @praharshp it was about 4 hours into it when I found your post. For me it worked with a combination of what you posted and the stackoverflow link you provided here is my solution (it just a powershell script in a local machine):

First I assigned the password to an environment variable
$env:password =$password
Then I use the %password% syntax with the '--%' in front of it:

& ".\config.cmd" --unattended --url "http://MyServer/Tfs" --auth "Integrated" --pool $PoolName --agent $agentName --runAsAutoLogon --windowsLogonAccount $user --windowsLogonPassword --% "%password%"

I hope this helps others as well.