{"id":5155,"date":"2013-06-19T19:34:23","date_gmt":"2013-06-19T17:34:23","guid":{"rendered":"https:\/\/ingmarverheij.com\/?p=5155"},"modified":"2013-11-30T12:42:56","modified_gmt":"2013-11-30T11:42:56","slug":"unattended-res-wm2012-agent-does-not-store-relay-server-configuration","status":"publish","type":"post","link":"https:\/\/ingmarverheij.com\/en\/unattended-res-wm2012-agent-does-not-store-relay-server-configuration\/","title":{"rendered":"Unattended RES WM2012 agent does not store Relay Server configuration with UAC enabled"},"content":{"rendered":"

\"RES<\/a>When RES Workspace Manger 2012 is installed unattended and configured to connect to a Relay Server, and User Account Control (UAC) is enabled, the configuration is not stored. As a result the agent is unmanaged<\/em>.<\/p>\n

After extensive testing I found the solution to solve this issue.<\/p>\n

PS: This applies for both SR2 and SR3 (<\/em>release notes<\/a><\/em>).<\/em><\/p>\n

<\/p>\n

User Account Control (UAC)<\/h1>\n

\"User<\/a>When UAC is enabled (introduced since Windows Vista) a user has a token with only basic privileges, administrative privileges are filtered (removed). The administrative privileges are only available when a process is ran with elevated permissions. The user needs to confirm to run the process in elevated mode (and specify credentials)\u00a0 in a UAC prompt.<\/p>\n

In the environment where I\u2019m setting up RES Workspace Manager UAC is enabled with the default policy (notify only when programs try to make changes to the computer).<\/p>\n

 <\/p>\n

Windows Installer<\/h1>\n

Windows Installer is used to install RES Workspace Manager Agent (.msi extension). The user interface that\u2019s shown to the user (of hidden when running unattended) runs in the users context with a filtered token (without administrative privileges). Since the installation makes changes to the computer, elevation is required and the user is prompted by UAC.<\/p>\n

\"UAC<\/a><\/p>\n

In a verbose log you\u2019ll see the following line<\/p>\n

MSI (s) (B0:04) [13:54:53:463]: MSI_LUA: Elevation required to install product, will prompt for credentials<\/pre>\n
followed by the following lines after the user confirmed.<\/p>\n
MSI (s) (B0:04) [13:54:55:865]: MSI_LUA: Credential Request return = 0x0\r\nMSI (s) (B0:04) [13:54:55:865]: MSI_LUA: Elevated credential consent provided. Install will run elevated<\/pre>\n
 <\/p>\n
Custom Actions<\/h1>\n
Custom Actions<\/a> are used in Windows Installer to launch executables that are on the local machine or installed by the installation. A Custom Action named \u2018res.exe\u2019 is used to configure the RES service with the specified datastore connection.<\/p>\n
\"RES-WM-2012-Agent-SR3<\/a><\/p>\n
In a verbose log you\u2019ll see the following line<\/p>\n
MSI (s) (B0:04) [13:55:04:446]: Executing op: ActionStart(Name=res.exe,,)\r\nMSI (s) (B0:04) [13:55:04:446]: Executing op: CustomActionSchedule(Action=res.exe,ActionType=1618,Source=C:\\Program Files\\RES Software\\Workspace Manager\\svc\\res.exe,Target=\/msiparms=3||{18E874CB-DCEE-49F9-9EE4-D9133C58927D}||********||||NO||SAHPSXD6554;SAHPSXD6555;SAHPSXD6854;SAHPSXD6855||||YES||Hosted Private Machines||no||||||||||||||||||||,)<\/pre>\n
In the example above a list of Relay Servers is specified including the GUID and encryption password (********). However, as said in the introduction the configuration is not applied to the RES Workspace Manager service.<\/p>\n
 <\/p>\n
Impersonating the invoking user<\/span><\/h6>\n
By default Custom Actions impersonate the invoking user<\/a> (having a filtered token, without administrative privileges). As a result a machine-state changing task can fail, which indeed is the case for the datastore configuration. The default behavior of a Custom Action can be changed using value in the \u2018Type\u2019 field. When the msidbCustomActionTypeNoImpersonate<\/a> option flag is set the user is not impersonated,\u00a0 the action is executed by the user with elevated privileges (a non-filtered token).<\/p>\n
\"RES-WM-2012-Agent-SR3<\/a>To prove this theory I added two Custom Actions that call whoami <\/em>to read the users privileges.<\/p>\n
    \n
  1. WhoAmI_default<\/strong> with type 1058\n