Revert changes related to gMSA account support (#3883)
* Revert "Added gMSA accounts support  (#3791)"

This reverts commit 5d4ca9b.

* Revert "Added message - in case when account is not managed, but WindowsLogon… (#3845)"

This reverts commit f1cd4f4.
alexander-smolyakov authored Jun 24, 2022
1 parent f98a479 commit 98fc095
Showing 4 changed files with 5 additions and 171 deletions.
Expand Up @@ -76,10 +76,6 @@ public interface INativeWindowsServiceHelper : IAgentService
void GrantDirectoryPermissionForAccount(string accountName, IList<string> folders);

void RevokeDirectoryPermissionForAccount(IList<string> folders);

bool IsWellKnownIdentity(string accountName);

bool IsManagedServiceAccount(string accountName);
}

public class NativeWindowsServiceHelper : AgentService, INativeWindowsServiceHelper
Expand Down Expand Up @@ -374,10 +370,10 @@ public bool GrantUserLogonAsServicePrivilage(string domain, string userName)
}
}

public bool IsWellKnownIdentity(String accountName)
public static bool IsWellKnownIdentity(String accountName)
{
var ntaccount = new NTAccount(accountName);
var sid = (SecurityIdentifier)ntaccount.Translate(typeof(SecurityIdentifier));
NTAccount ntaccount = new NTAccount(accountName);
SecurityIdentifier sid = (SecurityIdentifier)ntaccount.Translate(typeof(SecurityIdentifier));

SecurityIdentifier networkServiceSid = new SecurityIdentifier(WellKnownSidType.NetworkServiceSid, null);
SecurityIdentifier localServiceSid = new SecurityIdentifier(WellKnownSidType.LocalServiceSid, null);
Expand Down Expand Up @@ -457,16 +453,6 @@ public void InstallService(string serviceName, string serviceDisplayName, string
{
Trace.Entering();

try
{
var isManagedServiceAccount = IsManagedServiceAccount(logonAccount);
Trace.Info($"Account '{logonAccount}' is managed service account: {isManagedServiceAccount}.");
}
catch (Win32Exception e)
{
Trace.Info($"Fail to check account '{logonAccount}' is managed service account or not due to error: {e.Message}");
}

string agentServiceExecutable = "\"" + Path.Combine(HostContext.GetDirectory(WellKnownDirectory.Bin), WindowsServiceControlManager.WindowsServiceControllerName) + "\"";
IntPtr scmHndl = IntPtr.Zero;
IntPtr svcHndl = IntPtr.Zero;
Expand Down Expand Up @@ -942,40 +928,6 @@ public void RevokeDirectoryPermissionForAccount(IList<string> folders)
Trace.Info(StringUtil.Format($"Delete the group {groupName}."));
DeleteLocalGroup(groupName);
}
/// <summary>
/// Checks if account is managed service
/// </summary>
/// <param name="accountName">account name</param>
/// <returns>Returns true if account is managed service.</returns>
/// <exception cref="Win32Exception">Throws this exception if there is some error during check.</exception>
public bool IsManagedServiceAccount(String accountName)
{
bool isServiceAccount;
accountName = SanitizeManagedServiceAccountName(accountName);
var result = this.CheckNetIsServiceAccount(null, accountName, out isServiceAccount);
if (result == 0)
{
return isServiceAccount;
}
else
{
var lastErrorCode = (int)GetLastError();
throw new Win32Exception(lastErrorCode);
}
}

/// <summary>
/// Checks if account is managed service
/// </summary>
/// <param name="ServerName"></param>
/// <param name="AccountName"></param>
/// <param name="isServiceAccount"></param>
/// <returns>Returns 0 if account is managed service, otherwise - returns non-zero code</returns>
/// <exception cref="Win32Exception">Throws exception if there's an error during check</exception>
public virtual uint CheckNetIsServiceAccount(string ServerName, string AccountName, out bool isServiceAccount)
{
return NativeWindowsServiceHelper.NetIsServiceAccount(ServerName, AccountName, out isServiceAccount);
}

private bool IsValidCredentialInternal(string domain, string userName, string logonPassword, UInt32 logonType)
{
Expand Down Expand Up @@ -1023,25 +975,6 @@ private byte[] GetSidBinaryFromWindows(string domain, string user)
}
}

/// <summary>
/// Removes '$' character from managed service account name
/// </summary>
/// <param name="accountName">account name</param>
/// <returns></returns>
private string SanitizeManagedServiceAccountName(string accountName)
{
// remove the last '$' for MSA
ArgUtil.NotNullOrEmpty(accountName, nameof(accountName));
if (accountName[accountName.Length - 1].Equals('$'))
{
return accountName.Remove(accountName.Length - 1);
}
else
{
return accountName;
}
}

// Helper class not to repeat whenever we deal with LSA* api
internal class LsaPolicy : IDisposable
{
Expand Down Expand Up @@ -1336,9 +1269,6 @@ private enum RecoverAction
RunCommand = 3
}

[DllImport("Logoncli.dll", SetLastError = true, CharSet = CharSet.Auto)]
private static extern uint NetIsServiceAccount(string ServerName, string AccountName, [MarshalAs(UnmanagedType.Bool)] out bool IsServiceAccount);

[DllImport("Netapi32.dll")]
private extern static int NetLocalGroupGetInfo(string servername,
string groupname,
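Review bot: `IsWellKnownIdentity`, now `public static` on the second signature line of the hunk at -374, carries no XML doc although it resolves the caller-supplied `accountName` through `NTAccount.Translate`, which throws `IdentityNotMappedException` when the host cannot map the name to a SID, and it is reached from `ConfigureService` with an operator-typed logon account. The removed `IsManagedServiceAccount` in the hunk at -942 documented its failure mode with `<exception cref="Win32Exception">`; the surviving method should do the same so callers know to handle resolution failures. Suggested header: `/// <summary>True when <paramref name="accountName"/> resolves to one of the well-known service SIDs compared in the body.</summary>` followed by `/// <exception cref="IdentityNotMappedException">The name could not be resolved to a SID on this machine.</exception>`. The method body continues past the hunk, so the complete list of SIDs it compares against is not visible here.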
Expand Up @@ -67,22 +67,11 @@ public void ConfigureService(AgentSettings settings, CommandSettings command)
Trace.Info("LogonAccount after transforming: {0}, user: {1}, domain: {2}", logonAccount, userName, domainName);

string logonPassword = string.Empty;
if (!defaultServiceAccount.Equals(new NTAccount(logonAccount)) &&
!_windowsServiceHelper.IsWellKnownIdentity(logonAccount) &&
!_windowsServiceHelper.IsManagedServiceAccount(logonAccount))
if (!defaultServiceAccount.Equals(new NTAccount(logonAccount)) && !NativeWindowsServiceHelper.IsWellKnownIdentity(logonAccount))
{
while (true)
{
try
{
logonPassword = command.GetWindowsLogonPassword(logonAccount);
}
catch (ArgumentException e)
{
Trace.Warning("LogonAccount {0} is not managed service account, although you did not specify WindowsLogonPassword - maybe you wanted to use managed service account? Please see https://aka.ms/gmsa for guidelines to set up sMSA/gMSA account.", logonAccount, userName, domainName);
throw;
}

logonPassword = command.GetWindowsLogonPassword(logonAccount);
if (_windowsServiceHelper.IsValidCredential(domainName, userName, logonPassword))
{
Trace.Info("Credential validation succeed");
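Review bot: The new `if` line passes the operator-supplied logon account straight to `NativeWindowsServiceHelper.IsWellKnownIdentity`, whose `NTAccount.Translate` call (visible in the previous file) throws `IdentityNotMappedException` for a name the host cannot resolve, and nothing in this hunk catches it, so a mistyped account name would surface as an unhandled exception rather than a configuration error; `ConfigureService` starts and ends outside the hunk, so a handler elsewhere is possible but not visible. Calling the check statically rather than through `_windowsServiceHelper` also means this branch can no longer be stubbed via `INativeWindowsServiceHelper` in the L0 suite, which the tests deleted in this commit relied on for the managed-account variant; if restoring the pre-#3791 shape is intended, that is fine, but it is worth stating in the description. A minimal guard that keeps the static call would be `try { isWellKnown = NativeWindowsServiceHelper.IsWellKnownIdentity(logonAccount); } catch (IdentityNotMappedException e) { throw new ArgumentException($"Cannot resolve account '{logonAccount}'.", e); }` evaluated before the `if`, matching the `ArgumentException` the old side already treated as a user-input failure from `GetWindowsLogonPassword`.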

This file was deleted.

56 changes: 0 additions & 56 deletions src/Test/L0/Listener/Configuration/NativeWindowsServiceHelperL0.cs
Expand Up @@ -11,8 +11,6 @@
using System.Security.Principal;
using Microsoft.VisualStudio.Services.Agent;
using Microsoft.VisualStudio.Services.Agent.Tests;
using Test.L0.Listener.Configuration.Mocks;
using System.ComponentModel;

namespace Test.L0.Listener.Configuration
{
Expand Down Expand Up @@ -56,59 +54,5 @@ public void EnsureGetDefaultAdminServiceAccountShouldReturnLocalSystemAccount()
Assert.True(defaultServiceAccount.ToString().Equals(@"NT AUTHORITY\SYSTEM"), "If agent is getting configured as deployment agent, default service accout should be 'NT AUTHORITY\\SYSTEM'");
}
}


[Fact]
[Trait("Level", "L0")]
[Trait("Category", "ConfigurationManagement")]
public void EnsureIsManagedServiceAccount_TrueForManagedAccount()
{
using (TestHostContext tc = new TestHostContext(this, "EnsureIsManagedServiceAccount_TrueForManagedAccount"))
{
Tracing trace = tc.GetTrace();

trace.Info("Creating an instance of the MockNativeWindowsServiceHelper class");
var windowsServiceHelper = new MockNativeWindowsServiceHelper();
windowsServiceHelper.ShouldAccountBeManagedService = true;
var isManagedServiceAccount = windowsServiceHelper.IsManagedServiceAccount("managedServiceAccount$");

Assert.True(isManagedServiceAccount, "Account should be properly determined as managed service");
}
}

[Fact]
[Trait("Level", "L0")]
[Trait("Category", "ConfigurationManagement")]
public void EnsureIsManagedServiceAccount_FalseForNonManagedAccount()
{
using (TestHostContext tc = new TestHostContext(this, "EnsureIsManagedServiceAccount_TrueForManagedAccount"))
{
Tracing trace = tc.GetTrace();

trace.Info("Creating an instance of the MockNativeWindowsServiceHelper class");
var windowsServiceHelper = new MockNativeWindowsServiceHelper();
windowsServiceHelper.ShouldAccountBeManagedService = false;
var isManagedServiceAccount = windowsServiceHelper.IsManagedServiceAccount("managedServiceAccount$");

Assert.True(!isManagedServiceAccount, "Account should be properly determined as not managed service");
}
}

[Fact]
[Trait("Level", "L0")]
[Trait("Category", "ConfigurationManagement")]
public void EnsureIsManagedServiceAccount_ThrowsExceptionDuringCheck()
{
using (TestHostContext tc = new TestHostContext(this, "EnsureIsManagedServiceAccount_TrueForManagedAccount"))
{
Tracing trace = tc.GetTrace();

trace.Info("Creating an instance of the MockNativeWindowsServiceHelper class");
var windowsServiceHelper = new MockNativeWindowsServiceHelper();
windowsServiceHelper.ShouldErrorHappenDuringManagedServiceAccoutCheck = true;

Assert.Throws<Win32Exception>(() => windowsServiceHelper.IsManagedServiceAccount("managedServiceAccount$"));
}
}
}
}
