Description

After upgrading to the Orlando version, an additional security feature restricts which folders and files in the MID Server's agent directory can be accessed, and by which user or group. You can read a little about it here:

File permission enforcement for Windows MID Servers

 For the "agent" folder and its sub-folders, the access control entries (or ACEs) are restricted
 to a whitelist of these groups:
 - SYSTEM
 - Builtin/Administrators (local Administrators)
 - if applicable, the specific user running the MID Server Windows service ("Log on as" user)

In some cases you may be running the MID Server as a different user than the local administrator (the last point above).

In such a case, after the upgrade you may encounter the following error:

An unexpected error occurred: Permission denied
Move-Item : Access to the path is denied.
At [PATH_TO_MID_INSTALL_DIR]\agent\bin\scripts\EnforceFilePermissions.psm1:135 char:9
+ Move-Item -Force -Path "$WHITELIST_HASH_FILE.temp" -Destinati ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: ([...]\Service...rm.grphash.temp:FileInfo) [Move-Item], UnauthorizedAccessException
+ FullyQualifiedErrorId : MoveFileInfoItemUnauthorizedAccessError,Microsoft.PowerShell.Commands.MoveItemCommand

Release or Environment

Orlando+

Cause

The cause is related to how folder permissions need to be set before the service is made to run as the desired user. See below to resolve this error.

Resolution

  1. Switch the MID Server back to running as the admin account.
  2. Add the non-admin user to the whitelist (see doc below for format).
  3. Restart the MID Server.
  4. Once the new enforcement rules run, switch the MID Server back to the non-admin account.

Note: Even though you got the error message, the MID Server will still function normally; it just won't lock down access to the agent directory.
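
To confirm after step 4 that the lockdown was applied, the ACEs on the agent folder can be compared with the three default allowlist entries quoted above. The PowerShell script below is an added example, not ServiceNow's code; `$AgentPath` and `$ServiceName` are placeholders you supply, and any extra entries you added to the whitelist will show up as findings.

```powershell
# Added example: audit ACEs on the MID Server agent folder against the default
# allowlist (SYSTEM, BUILTIN\Administrators, the service "Log on as" user).
param(
    [Parameter(Mandatory)] [string] $AgentPath,    # placeholder: <MID_INSTALL_DIR>\agent
    [Parameter(Mandatory)] [string] $ServiceName   # placeholder: Windows service name of this MID Server
)

function Resolve-Sid([string] $Account) {
    # Compare by SID so localised or differently formatted account names still match.
    if ($Account -eq 'LocalSystem') { return 'S-1-5-18' }
    # A ".\user" log-on name refers to a local account on this machine.
    $name = $Account -replace '^\.\\', "$env:COMPUTERNAME\"
    ([System.Security.Principal.NTAccount]$name).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}

$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found" }

# S-1-5-18 = SYSTEM, S-1-5-32-544 = BUILTIN\Administrators
$allowed = @('S-1-5-18', 'S-1-5-32-544', (Resolve-Sid $svc.StartName)) |
    Select-Object -Unique

# The agent folder itself plus every sub-folder, including hidden ones
$targets = @(Get-Item -LiteralPath $AgentPath) +
           @(Get-ChildItem -LiteralPath $AgentPath -Recurse -Directory -Force)

$findings = foreach ($dir in $targets) {
    $acl = Get-Acl -LiteralPath $dir.FullName
    # Explicit and inherited ACEs, with identities returned as SIDs
    $rules = $acl.GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        if ($ace.IdentityReference.Value -notin $allowed) {
            [pscustomobject]@{
                Path      = $dir.FullName
                Sid       = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Type      = $ace.AccessControlType
                Inherited = $ace.IsInherited
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { "No ACEs outside the default allowlist under $AgentPath" }
```

Run it from an elevated prompt so `Get-Acl` can read every sub-folder; an empty result means only the allowlisted identities hold ACEs on the agent tree.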

Article Information

Last Updated: 2020-03-04 06:52:53
Published: 2020-03-04