Install-ChocolateyWindowsService fails to run remotely due to double-hop authentication #392

Open
sync-by-unito bot opened this issue Jun 1, 2024 · 0 comments
Labels
0 - Backlog Where tickets start after being triaged. This means the ticket has targeted milestone/labels. LicensedExtension Issues affecting the Chocolatey Licensed Extension (chocolatey.extension)

Comments


sync-by-unito bot commented Jun 1, 2024

What You Are Seeing?

Several users have attempted to install Chocolatey Agent with a specific domain service account, and it has failed during the installation due to the Kerberos double hop. This has been seen using Ansible or PowerShell remoting. The failure is not due to the account being incorrectly created, but instead because the logic used to validate the account fails to authenticate to the domain when checking whether the account is in groups, etc.

There is, I think, no current way to simply pass an existing domain account to a remote system and have it succeed installation.

This will likely also fail if business customers attempt to use the Install-ChocolateyWindowsService in their own packages in a similar fashion.

What is Expected?

Users should be able to install this package remotely / with an account that exists and has all the right permissions, even if we can't validate that.

How Did You Get This To Happen? (Steps to Reproduce)

  1. Create a domain controller, and a second Windows machine linked to that domain
  2. Create a domain account with the correct permissions for use as a Chocolatey Agent service account
  3. Install prerequisite packages chocolatey and chocolatey.extension on the second machine
  4. Use Ansible to remotely install Chocolatey Agent on the second Windows machine using a domain account, passing the username and password of the created service account (see example below).
  5. See a message similar to ERROR: Unable to ensure user 'domain\choco_local_admin_account' is part of the Administrators group (S-1-5-32-544). Please run again with '--trace' and file an issue with [email protected] (attach a zipped copy of the detailed chocolatey.log file).
  - name: Install Chocolatey Agent
    chocolatey.chocolatey.win_chocolatey:
      name: chocolatey-agent
      state: latest
      package_params: '/Username:choco_local_admin_account'
      choco_args:
      - --package-parameters-sensitive
      - /Password:'PasswordGoesHere123!'

System Details

  • Operating System: Windows, multiple
  • Windows PowerShell Version: 5
  • Chocolatey CLI Version: 2+
  • Chocolatey Licensed Extension version:
  • Chocolatey License type (Professional / Business / ?): Business
  • Terminal/Emulator:

Output Log

chocolatey.log

    2024-03-06 11:51:20,836 11900 [ERROR] - ERROR: Unable to ensure user 'bluelizard\exec_choco_local_adm' is part of the Administrators group (S-1-5-32-544). Please run again with '--trace' and file an issue with [email protected] (attach a zipped copy of the detailed chocolatey.log file).
    2024-03-06 11:51:20,839 11900 [DEBUG] - Built-in PowerShell host called with ['[System.Threading.Thread]::CurrentThread.CurrentCulture = '';[System.Threading.Thread]::CurrentThread.CurrentUICulture = '';[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::SystemDefault; & import-module -name 'C:\ProgramData\chocolatey\helpers\chocolateyInstaller.psm1'; & 'C:\ProgramData\chocolatey\helpers\chocolateyScriptRunner.ps1' -packageScript 'C:\ProgramData\chocolatey\lib\chocolatey-agent\tools\chocolateyinstall.ps1' -installArguments '' -packageParameters '/Username:bluelizard\exec_choco_local_adm' -preRunHookScripts $null -postRunHookScripts $null'] exited with '-1'.
    2024-03-06 11:51:20,842 11900 [DEBUG] - Calling command ['"C:\WINDOWS\System32\shutdown.exe" /a']
    2024-03-06 11:51:20,913 11900 [DEBUG] - Command ['"C:\WINDOWS\System32\shutdown.exe" /a'] exited with '1116'
    2024-03-06 11:51:21,106 11900 [DEBUG] - Capturing package files in 'C:\ProgramData\chocolatey\lib\chocolatey-agent'

Similarly, during PowerShell remoting:

    [Env] setting licensed environment variables.
    Ensuring user 'MITLL\svc-g38-software' exists in group 'S-1-5-32-544'
    Error: System.DirectoryServices.DirectoryServicesCOMException (0x80072020): An operations error occurred.
    
    at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
       at System.DirectoryServices.DirectoryEntry.Bind()
       at System.DirectoryServices.DirectoryEntry.get_AdsObject()
       at System.DirectoryServices.PropertyValueCollection.PopulateList()
       at System.DirectoryServices.PropertyValueCollection..ctor(DirectoryEntry entry, String propertyName)
       at System.DirectoryServices.PropertyCollection.get_Item(String propertyName)
       at System.DirectoryServices.AccountManagement.PrincipalContext.DoLDAPDirectoryInitNoContainer()
       at System.DirectoryServices.AccountManagement.PrincipalContext.DoDomainInit()
       at System.DirectoryServices.AccountManagement.PrincipalContext.Initialize()
       at System.DirectoryServices.AccountManagement.PrincipalContext.get_QueryCtx()
       at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithTypeHelper(PrincipalContext context, Type principalType, Nullable`1 identityType, String identityValue, DateTime refDate)
       at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithType(PrincipalContext context, Type principalType, IdentityType identityType, String identityValue)
       at System.DirectoryServices.AccountManagement.UserPrincipal.FindByIdentity(PrincipalContext context, IdentityType identityType, String identityValue)
       at chocolatey.licensed.infrastructure.app.utility.LocalSecurityUtility.EnsureLocalGroupMembership(String userName, String groupName)
       Unable to ensure 'S-1-5-32-544' local group membership for 'MITLL\svc-g38-software':
    An operations error occurred.
    
    ERROR: Unable to ensure user 'MITLL\svc-g38-software' is part of the Administrators group (S-1-5-32-544). Please run again with '--trace' and file an issue with [email protected] (attach a zipped copy of the detailed chocolatey.log file).

Related Issues and Tickets

* [Zendesk Ticket 19071](https://chocolatey.zendesk.com/agent/tickets/19071)
* [Zendesk Ticket 21277](https://chocolatey.zendesk.com/agent/tickets/21277)
* [Zendesk Ticket 21942](https://chocolatey.zendesk.com/agent/tickets/21942)
* [Chocolatey Agent](https://gitlab.com/chocolatey/collaborators/choco-licensed-services/-/issues/122).



┆Issue is synchronized with this [Gitlab issue](https://gitlab.com/chocolatey/collaborators/choco-licensed/-/issues/714) by [Unito](https://www.unito.io)
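The script below is an added diagnostic for the failure described in this issue; it is not Chocolatey's code and not part of the original report. It reproduces the domain lookup visible in the stack trace (a Domain PrincipalContext built from the session token, then UserPrincipal.FindByIdentity), and then answers the same "is the account in S-1-5-32-544?" question two ways that do not rely on a Kerberos-delegated bind. Run it inside the remote session that fails (Invoke-Command, or an Ansible win_shell task) so it executes under the same token the package script gets. The domain CONTOSO, the service account svc-choco, and the separate bind credential are assumptions and do not appear in the issue.

```powershell
# Added diagnostic for the double-hop failure in this issue (not Chocolatey's code).
# Assumed names: domain CONTOSO, service account svc-choco, and a separate account that
# may read the directory, handed to PrincipalContext explicitly for the fallback lookup.
param(
    [string]$Domain       = 'CONTOSO',
    [string]$ServiceUser  = 'svc-choco',
    [string]$BindUser     = 'CONTOSO\svc-ad-reader',   # assumed: account allowed to read AD
    [string]$BindPassword = 'ReplaceMe!'               # placeholder: load from a vault, never commit
)

Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$CtxType  = 'System.DirectoryServices.AccountManagement.PrincipalContext'
$UserType = [System.DirectoryServices.AccountManagement.UserPrincipal]

# 1. What is this session running as? A remoting session that arrived over Kerberos without
#    delegation holds a network-logon token and no TGT, so a second hop (LDAP to a DC) has
#    nothing to authenticate with. 'klist tgt' shows whether a TGT is present.
$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
"Identity        : {0} (auth={1}, impersonation={2})" -f $id.Name, $id.AuthenticationType, $id.ImpersonationLevel
"Cached TGT      :"
& klist.exe tgt 2>&1 | Select-Object -First 3 | ForEach-Object { "    $_" }

# 2. Reproduce the bind from the stack trace. Over a double hop this is the call that throws
#    DirectoryServicesCOMException 0x80072020 ("An operations error occurred").
try {
    $ctx = New-Object -TypeName $CtxType -ArgumentList 'Domain', $Domain
    $u   = $UserType::FindByIdentity($ctx, 'SamAccountName', $ServiceUser)
    "Implicit bind   : OK, found $($u.DistinguishedName)"
} catch {
    $e = $_.Exception.GetBaseException()
    "Implicit bind   : FAILED 0x{0:X8} {1}: {2}" -f $e.HResult, $e.GetType().Name, $e.Message
}

# 3. Same lookup, but the credential is passed to PrincipalContext directly. That opens a fresh
#    authenticated connection to the DC and does not depend on what the session token can delegate.
try {
    $ctx2 = New-Object -TypeName $CtxType -ArgumentList 'Domain', $Domain, $BindUser, $BindPassword
    $u2   = $UserType::FindByIdentity($ctx2, 'SamAccountName', $ServiceUser)
    if ($u2) { "Explicit bind   : OK, found $($u2.DistinguishedName)" }
    else     { "Explicit bind   : connected, but no account named $Domain\$ServiceUser" }
} catch {
    $e = $_.Exception.GetBaseException()
    "Explicit bind   : FAILED 0x{0:X8} {1}" -f $e.HResult, $e.Message
}

# 4. The question the installer actually needs answered can be settled from the local SAM.
#    Local group membership is stored as SIDs, and name<->SID translation for a domain account
#    goes through LSA over the machine's own secure channel rather than the caller's Kerberos
#    ticket, so this path works in a double-hop session.
$adminsSid  = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')
$adminsName = $adminsSid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]  # locale-safe name
$wantedSid  = (New-Object System.Security.Principal.NTAccount($Domain, $ServiceUser)).
                  Translate([System.Security.Principal.SecurityIdentifier]).Value
$group      = [ADSI]"WinNT://./$adminsName,group"
$memberSids = @($group.Invoke('Members')) | ForEach-Object {
    $raw = $_.GetType().InvokeMember('objectSid', 'GetProperty', $null, $_, $null)
    (New-Object System.Security.Principal.SecurityIdentifier($raw, 0)).Value
}
if ($memberSids -contains $wantedSid) {
    "Local SAM check : $Domain\$ServiceUser ($wantedSid) IS a member of $adminsName"
} else {
    "Local SAM check : $Domain\$ServiceUser ($wantedSid) is NOT a member of $adminsName"
    "                  to add it: net localgroup $adminsName $Domain\$ServiceUser /add"
}
```

In the failing case described above, step 2 throws 0x80072020 while steps 3 and 4 succeed, which is the evidence that the account is fine and only the session's token is unusable for the second hop. On the Ansible side, the option the Ansible Windows remoting documentation gives for this is `become: yes` with `become_method: runas` and `become_user` set to the service account, which creates an interactive logon on the target and so a token with a TGT; CredSSP transport or resource-based constrained delegation are the remoting-level alternatives. None of these change what the installer validates, only the token it validates with.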