0

I have a WiX MSI installer for an ASP.NET website that runs on my_server. The package is installed via a very simple Powershell script install.ps1 that just calls msiexec with some parameters.

The problem

When I run install.ps1 directly on my_server, everything is fine. But when I want to run install.ps1 on my_server from a remote machine (e.g. build_server), the installation fails with error code 1603 and the MSI install log reveals the the following error:

Action start 14:22:30: ConfigureUsers.

ConfigureUsers: Error 0x80070005: failed to add/remove User actions

CustomAction ConfigureUsers returned actual error code 1603

Any suggestions?

Extra information

  • I run install.ps1 remotely with the following command:

    Invoke-Command -ComputerName my_server -ScriptBlock { path\to\install.ps1 } -Authentication Negotiate

  • I use the same user credentials on both my_server and build_server.

  • In the WiX definition, the website is set up with a specific user account for the app pool, like this:

    <Component Id="AppPoolCmp"
           Guid="a-fine-looking-guid"
           KeyPath="yes">
  <util:User Id="AppPoolUser"
             CreateUser="no"
             RemoveOnUninstall="no"
             Name="[APP_POOL_IDENTITY_NAME]"
             Password="[APP_POOL_IDENTITY_PWD]"
             Domain="[APP_POOL_IDENTITY_DOMAIN]">
  </util:User>
  <iis:WebAppPool Id="AppPool"
                  Name="[APP_POOL_NAME]"
                  ManagedPipelineMode="Classic"
                  ManagedRuntimeVersion="v4.0"
                  Identity="other"
                  User="AppPoolUser">
    <iis:RecycleTime Value="5:00" />
  </iis:WebAppPool>
</Component>
dlebech
  • 1,817
  • 14
  • 27

1 Answers1

1

This is likely to be the double hop issue, your credentials are not valid beyond the scope of the first server.

Can you do the command with the option:

-Authentication CredSSP

Rather than Negotiate.

You will also need to specify credentials manually using the -Credentials flag as well as set up the client and server for CredSSP:

Enable-WSManCredSSP -Role Client -DelegateComputer HOSTNAME -Force
Enable-WSManCredSSP -Role Server -Force

The steps are explained in more detail here.

dlebech
  • 1,817
  • 14
  • 27
David Martin
  • 11,764
  • 1
  • 61
  • 74
  • Ok, so after setting the server and client up for CredSSP, the installation script now seems to run without the error. However, I do get a popup asking for my password which I did not using negotiate. Since the script is supposed to run by itself on a build-server using a service account, is it possible to use CredSSP without having to write the password inline? – dlebech Oct 14 '13 at 14:39
  • It seems [storing the password as a secure string](http://stackoverflow.com/questions/6239647/using-powershell-credentials-without-being-prompted-for-a-password) is my only option. I will appreciate any other tips but I'll go ahead and mark your answer as accepted. – dlebech Oct 14 '13 at 14:46
  • I've not found a way to achieve this without storing the password in some form. – David Martin Oct 15 '13 at 07:46