Merge pull request #703 from Icinga:fix/ifw_managed_user_pass_handling

Fix: Icinga for Windows managed user password handling Fixes Icinga for Windows password management for the managed user `icinga`, which could fail in some cases because of ambiguous characters or complexity errors and will now retry up to 10 times before giving up
2026-02-17 09:38:59 -05:00 · 2024-03-25 20:50:55 +01:00 · 2024-03-25 20:50:55 +01:00 · ce03447404
commit ce03447404
parent f636b98dff 877d2366dc
3 changed files with 17 additions and 4 deletions
--- a/doc/100-General/10-Changelog.md
+++ b/doc/100-General/10-Changelog.md
@ -20,6 +20,7 @@ Released closed milestones can be found on [GitHub](https://github.com/Icinga/ic
 * [#685](https://github.com/Icinga/icinga-powershell-framework/pull/685) Fixes an issue while trying to stop the JEA process in certain cases, which results in an error during installation but has no other effect on the environment
 * [#686](https://github.com/Icinga/icinga-powershell-framework/pull/686) Fixes certutil error handling and message output in case the icingaforwindows.pfx could not be created
 * [#687](https://github.com/Icinga/icinga-powershell-framework/pull/687) Fixes Icinga for Windows port handling on installation, which will now use the proper defined port for communicating with the Icinga CA
 * [#699](https://github.com/Icinga/icinga-powershell-framework/issues/699) Fixes Icinga for Windows password management for the managed user `icinga`, which could fail in some cases because of ambiguous characters or complexity errors and will now retry up to 10 times before giving up
 * [#702](https://github.com/Icinga/icinga-powershell-framework/pull/702) Fixes an issue with Icinga Director Self-Service API, which ignored the defined service user
 ### Enhancements
--- a/lib/core/windows/Get-IcingaRandomChars.psm1
+++ b/lib/core/windows/Get-IcingaRandomChars.psm1
@ -2,7 +2,7 @@ function Get-IcingaRandomChars()
 {
    param (
        [int]$Count      = 10,
-        [string]$Symbols = 'abcdefghiklmnoprstuvwxyzABCDEFGHKLMNOPRSTUVWXYZ1234567890!§$%&/()=?}][{@#*+'
+        [string]$Symbols = 'abcdefghiklmnoprstuvwxyzABCDEFGHKLMNOPRSTUVWXYZ1234567890!§$%()=?}][{@#*+'
    );
    $RandomChars = '';
--- a/lib/core/windows/New-IcingaWindowsUser.psm1
+++ b/lib/core/windows/New-IcingaWindowsUser.psm1
@ -33,9 +33,22 @@ function New-IcingaWindowsUser()
        # User already exist -> override password - but only if the user is entirely managed by Icinga
        if ($UserConfig.IcingaManagedUser) {
-            $Result = Start-IcingaProcess -Executable 'net' -Arguments ([string]::Format('user "{0}" "{1}"', $IcingaUser, (ConvertFrom-IcingaSecureString -SecureString (New-IcingaWindowsUserPassword))));
+            # In case the password set fails, we need to try again
            [int]$Attempts = 0;
            [bool]$Success = $FALSE;
-            if ($Result.ExitCode -ne 0) {
+            while ($Attempts -lt 10) {
                $Result = Start-IcingaProcess -Executable 'net' -Arguments ([string]::Format('user "{0}" "{1}"', $IcingaUser, (ConvertFrom-IcingaSecureString -SecureString (New-IcingaWindowsUserPassword))));
                if ($Result.ExitCode -eq 0) {
                    $Success = $TRUE;
                    break;
                }
                $Attempts += 1;
            }
            if ($Success -eq $FALSE) {
                Write-IcingaConsoleError 'Failed to update password for user "{0}": {1}' -Objects $IcingaUser, $Result.Error;
                return @{
@ -43,7 +56,6 @@ function New-IcingaWindowsUser()
                    'SID'  = $UserConfig.SID;
                };
            }
            Write-IcingaConsoleNotice 'User updated successfully.';
        } else {
            Write-IcingaConsoleWarning 'User "{0}" is not managed by Icinga for Windows. No changes were made.' -Objects $IcingaUser;