Currently I am just starting out with Powershell Universal using the Visual Studio Code Extension on a Win 2016 Server… everything is fine and I’ve got a basic dashboard up and running. My question is around “Hosting”. In my case, do I just install the MSI on the server and the service will start automatically?
That’s the way I read it here on the hosting doc - https://docs.ironmansoftware.com/config/hosting
It runs under the system account by default, so let’s say I am creating an AD User creation form with Powershell Universal and I want my 1st line helpdesk team to use this to create the accounts. Do I need to update the account that service runs under to one that has the right level of access in Active Directory?
I’ve been using Sapien Powershell Studio in the past to achieve this and I’ve put together little GUI’s in there that run under the context of the user who is running the form. So when jobs are running, they run under the context of the user that has the right level of access in AD anyway.
How do we achieve that with Powershell Universal?
Hope that makes sense?
I have gone down the IIS route and followed all the steps but I’m receiving the following error when starting the site:
HTTP Error 502.5 - ANCM Out-Of-Process Startup Failure
Application ‘/LM/W3SVC/2/ROOT’ with physical root ‘C:\Program Files (x86)\Universal’ failed to start process with commandline ‘C:\Program Files (x86)\Universal\Universal.Server.exe C:\Program Files (x86)\Universal\Universal.Server.dll’ with multiple retries. Failed to bind to port ‘17340’. First 30KB characters of captured stdout and stderr logs from multiple retries:
Faulting application name: Universal.Server.exe, version: 184.108.40.206, time stamp: 0x5dcec899
Faulting module name: KERNELBASE.dll, version: 10.0.14393.2848, time stamp: 0x5c7f626e
Exception code: 0xe0434352
Fault offset: 0x0000000000034078
Faulting process id: 0x1854
Faulting application start time: 0x01d69b03f040350b
Faulting application path: C:\Program Files (x86)\Universal\Universal.Server.exe
Faulting module path: C:\Windows\System32\KERNELBASE.dll
Report Id: 5784a6a8-928b-417b-a8e0-408ff1394b13
Faulting package full name:
Faulting package-relative application ID:
Application ‘/LM/W3SVC/2/ROOT’ with physical root ‘C:\Program Files (x86)\Universal’ failed to start process with commandline ‘C:\Program Files (x86)\Universal\Universal.Server.exe C:\Program Files (x86)\Universal\Universal.Server.dll’ at stage ‘PostStartCheck’, ErrorCode = ‘0x8027025b’, assigned port 33027, retryCounter ‘0’.
when using IIS try first to set the apppool account to system in order to make sure that the site function properly then you can test with other account.
Yeah same error unfortunately!
Shall I provide the log from C:\Program Files (x86)\Universal\logs?
Yes. Also, there should be a file in your websites root in the /logs/ folder. It provides the stdout from the process in case the PSU logging hasn’t kicked in yet.
You have to make sure in the web.config that the logging is enabled for the stdout logging to function so just make sure that is set to true. I think it is by default.
What is the most efficient way to send this log file without just dumping a load of text in here?
You can throw them on paste bin if you are cool with that. https://pastebin.com/
Can you try to run unblock-file on the web site directory?
Get-ChildItem -Recurse | Unblock-File
Yeah that has done it many thanks for getting to the bottom of that for me! Maybe a silly question but what is Unblock-File actually doing under the hood? I mean, the user account that is being used to host the site does have more than enough permissions to the required directories sooo?
On Windows, when you download a file from the internet the browser sets an alternate data stream to indicate it was downloaded from the internet. If you were to right-click on a file like this it would show an option to unblock the file. It’s kind of a safety precaution and allows Windows to prompt the user with warnings when running exes and stuff. PowerShell will block PS1, PSM1s and DLLs from loading if they have this alternate data stream set; even if you’re an admin. The Unblock-File removes this data stream so that PS can load these files.
Ah well I never knew that! You live and learn.
@dank42 you need to do unlock-file command on the folder that hosts the psu files.
Yeah, the solution provided above, as you say, has fixed it.