Unattended Visual Studio (SQL Server) install failing when running via Vagrant

Dave Casey

unread,

Jun 12, 2015, 11:22:56 AM6/12/15

to vagra...@googlegroups.com

Unattended install of Visual Studio fails during the installation of SQL Server. This appears to be due to the vagrant user not being able to use the CryptProtectData API when running via WinRM. Running the same unattended install while logged onto the guest as vagrant succeeds.

This appears to be related to CredSSP as discussed in https://tickets.opscode.com/browse/COOK-1172, which appears to have been fixed https://github.com/WinRb/vagrant-windows/issues/16

1) Do I have set CredSSP up on the guest box correctly? (see winrm config below)

2) Is there anything I need to specify in my Vagrantfile (or, preferalby .kitchen.yml) to get this to work?

Vagrant 1.7.2

kitchen-vagrant (0.16.0)

vagrant-cachier (1.2.0)

vagrant-share (1.1.3, system)

vagrant-vmware-fusion (3.2.5)

vagrant-winrm (0.7.0)

On Guest: (Guest is Windows Server 2008 R2 Enterprise Service Pack 1)

Windows PowerShell

PS C:\Users\vagrant> winrm get winrm/config

Config

MaxEnvelopeSizekb = 150

MaxTimeoutms = 1800000

MaxBatchItems = 32000

MaxProviderRequests = 4294967295

Client

NetworkDelayms = 5000

URLPrefix = wsman

AllowUnencrypted = false

Auth

Basic = true

Digest = true

Kerberos = true

Negotiate = true

Certificate = true

CredSSP = true [Source="GPO"]

DefaultPorts

HTTP = 5985

HTTPS = 5986

TrustedHosts = * [Source="GPO"]

Service

RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)S:P(AU;FA;GA;;;WD)(AU;SA;GWGX;;;WD)

MaxConcurrentOperations = 4294967295

MaxConcurrentOperationsPerUser = 15

EnumerationTimeoutms = 60000

MaxConnections = 25

MaxPacketRetrievalTimeSeconds = 120

AllowUnencrypted = true

Auth

Basic = true

Kerberos = true

Negotiate = true

Certificate = false

CredSSP = true [Source="GPO"]

CbtHardeningLevel = Relaxed

DefaultPorts

HTTP = 5985

HTTPS = 5986

IPv4Filter = *

IPv6Filter = *

EnableCompatibilityHttpListener = false

EnableCompatibilityHttpsListener = false

CertificateThumbprint

Winrs

AllowRemoteShellAccess = true

IdleTimeout = 180000

MaxConcurrentUsers = 5

MaxShellRunTime = 2147483647

MaxProcessesPerShell = 15

MaxMemoryPerShellMB = 512

MaxShellsPerUser = 5

SQL Setup Error:

Loaded DLL:c:\867bf4eabd84ae7cf3790a83657144\xmlrw.dll Version:2.0.3609.0

Complete: ParseBootstrapOptionsAction at: 2015/5/11 22:42:11, returned false

Error: Action "ParseBootstrapOptionsAction" failed during execution. Error information reported during run:

Could not parse command line due to datastore exception.

Source File Name: utillib\persisthelpers.cpp

Compiler Timestamp: Wed Jun 14 16:30:14 2006

Function Name: writeEncryptedString

Source Line Number: 124

----------------------------------------------------------

writeEncryptedString() failed

Source File Name: utillib\persisthelpers.cpp

Compiler Timestamp: Wed Jun 14 16:30:14 2006

Function Name: writeEncryptedString

Source Line Number: 123

----------------------------------------------------------

Error Code: 0x80070005 (5)

Windows Error Text: Access is denied.

Source File Name: cryptohelper\cryptsameusersamemachine.cpp

Compiler Timestamp: Wed Jun 14 16:28:04 2006

Function Name: sqls::CryptSameUserSameMachine::ProtectData

Source Line Number: 50

Shawn Neal

unread,

Jun 13, 2015, 10:32:55 AM6/13/15

to vagra...@googlegroups.com

That's odd, I've had SQL Server 2008 R2 installing on Vagrant boxes via Chef for a while now without any issues. I just checked my CI build for our SQL Server cookbook and its running fine through Vagrant 1.6.5 and our custom Packer build that uses WinRM. Mind sharing your Vagrantfile?

Dave Casey

unread,

Jun 15, 2015, 3:02:28 PM6/15/15

to vagra...@googlegroups.com

Thanks for looking at this, we really appreciate it.

We are building inside test kitchen, this is the Vagrantfile being generated by test kitchen:

Vagrant.configure("2") do |c|

c.berkshelf.enabled = false if Vagrant.has_plugin?("vagrant-berkshelf")

c.vm.box = "local/windows-2008-r2-sp1-x64"

c.vm.communicator = "winrm"

c.vm.synced_folder ".", "/vagrant", disabled: true

c.vm.provider :vmware_fusion do |p|

end

We are doing an install from a local copy of en_visual_studio_team_system_2008_development_x86_dvd_x14-26382.iso. We are doing this from behind a firewall, but I'm not seeing an indication that we are running into a Windows Update access issue. (It is entirely possible that I am not looking in the right place, though.)

Thanks,

-Dave

Shawn Neal

unread,

Jun 15, 2015, 4:38:41 PM6/15/15

to vagra...@googlegroups.com

I'd have to look at the code, but IIRC doesn't test-kitchen use its own communicator to execute Chef? If so, then I doubt test-kitchen wraps Chef execution in a scheduled task like Vagrant does. Directly installing SQL Server over WinRM without breaking out of the process via a scheduled task does NOT work.

--
You received this message because you are subscribed to a topic in the Google Groups "Vagrant" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/vagrant-up/evPJXmD0K-E/unsubscribe.
To unsubscribe from this group and all its topics, send an email to vagrant-up+...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Dave Casey

unread,

Jun 15, 2015, 7:12:31 PM6/15/15

to vagra...@googlegroups.com

It looks like chef is being called thusly:

D [WinRM] plaintext::http://redacted.ip.address:5985/wsman<{:disable_sspi=>true, :basic_auth_only=>true, :user=>"vagrant", :pass=>"redacted"}> (

$env:PATH = [System.Environment]::GetEnvironmentVariable("PATH","Machine")

& $env:systemdrive\opscode\chef\bin\chef-solo.bat --config $env:TEMP\kitchen\solo.rb --log_level debug --force-formatter --no-color --json-attributes $env:TEMP\kitchen\dna.json)

[2015-06-15T15:20:15-07:00] DEBUG: Creating directory C:/Users/vagrant/AppData/Local/Temp/kitchen/cache

Starting Chef Client, version 12.3.0

(where chef-solo.bat does not contain any scheduled task wrapping).

So short-term, wrap that install in a scheduled task, and long term, work with test kitchen to get it wrapped and/or wait for Windows SSH?