RE: Running ProGet with Group Managed Service Account

Hi Steve,

I'm not upgrading...I'm just trying to change the connection string in Inedo Hub in a way that it will use the group managed service account. When I do that, using integrated security or trusted_connection, it seems to be trying to use my logged on user.

Is the only way I'm going to be able to do that is if I run it through IIS instead of the integrated web server?

I cannot logon to the server with the group managed service account. The group managed service account has permissions on the server and in the database.

Thanks!

Hi,

I'm currently running ProGet 2024.0.26. I'm using the integrated web server and have a regular service account configured to run the INEDOPROGETSVC service and INEDOPROGETWEBSVC web server Windows services. I have a database user ID and password configured in the connection string.

This works great, but I'd like to switch to use a Windows group managed service account (gMSA). I'm able to use a gMSA as the account in the INEDOPROGETSVC service and INEDOPROGETWEBSVC web server Windows services. However, if I change the connection string to use "Integrated Security=true;", "Integrated Security=SSPI;", or "Trusted_Connection=true" and restart the Windows services, the services start, but the website doesn't load. When I open Inedo Hub, ProGet has a "View Error" button that has the following message:

"Product: ProGet
Version: 24.0.26

The Inedo Hub is unable to connect to the "MyDatabase" database: Login failed for user '<Domain>\MyLoggedInUser'.

The above username is the account you're currently logged-in to Windows with.
Please ask your database administrator to grant db_owner access to the above username.
Or, try logging-in to Windows with a different account."

I have granted "db_owner" and "ProGetUser_Role" to the group managed service account, but for whatever reason it appears it's attempting to connect using the user account I'm using to logon to the server. The group managed service account has been added to the "Logon as a service" policy. I also added it to the Administrators group in case that made a difference even though it didn't appear to be needed when I was using my regular service account.

I have used a group managed service account as the application pool identity for years in IIS, but I'm not using IIS since it's not really recommended according to the Inedo documentation. I tried to track down any guidance on using a group managed service account, including the "inedo-docs" GitHub repository, but it seems like I'm still missing something.

Any help is very much appreciated.

Thanks!

@atripp

Using a generic Git repository requires connecting to each individual repository instead of all projects/repositories in the workspace, correct? That's a bummer if the Bitbucket Server option doesn't work for cloud in pulling in all the repositories in a workspace instead of individually.

The BuildMaster documentation on Bitbucket mentions the cloud offering, but doesn't specifically exclude it as an option when using Bitbucket Server, so it seems like it would work for cloud, too. It's interesting that this wouldn't include/be geared more toward the cloud offering or at least be equal to the on-prem offering.

Thanks!

Hi,

I'm attempting to setup an application in BuildMaster using the "Git Repository" option and connect it to Bitbucket Cloud. When I select the "Git Repository" option, I enter my Bitbucket server and workspace, which matches what's in the documentation. Then, I enter my username in Bitbucket and I enter my app password that was setup in Bitbucket. Neither the username, nor the app password have any characters in them that would need to be encoded.

When I click "Select Bitbucket Server Repository", I get the following error message: "An error occurred during validation: '<' is an invalid start of a value. Path: $ | LineNumber: 0 | BytePositionInLine: 0."

I checked the logs and I'm not seeing anything related to this error. I have tried multiple iterations of the server (i.e. with workspace, without workspace, with username before "bitbucket.org" followed by an "@" symbol, tried with different users), but nothing appears to be working because it results in the same error message.

The Windows server where BuildMaster is installed has Git installed and the server has multiple credentials configured that work when cloning a repo using Git at the command line.

Any ideas on how to resolve this error so it will connect to my Bitbucket workspace? The note in BuildMaster says, "Let's connect to Bitbucket Server. This connection will be shared across all of your applications by default, so you'll only need to enter your credentials once. Note that your Password or token will be securely stored." so I'm not sure why it's not working.

Thanks!