Can Build Forge run a step with elevated permissions?
I have recently taken on some new responsibility at work to do .net build & deploys with Rational Build Forge 7.1.3. I did it at a previous job with Win2003 & Visual Build Pro but our new servers are Win2008R2SP1 but they have had some security settings applied to them, hardening the machine. I want to use the APPCMD tool to manipulate IIS and I have run into some challenges. When I try to use the RUNAS command, Build Forge doesn't like the immediate password prompt. When escalating my issue to a corporate web team, they said I could right click on a command prompt and run as an administrator. That works when I manually try it but I don't think I can reproduce that in a Build Forge step. Its exactly as described in this article, http://technet.microsoft.com/en-us/library/cc947813(v=ws.10).aspx
Is there a way for Build Forge to run a Step like that, as an Administrator with elevated privileges? While testing my Build Forge project, my admin account and the service account BF is using has local admin rights to the Windows server. |
4 answers
Hello,
As I understand it. You need to launch a command prompt window as an administrator using Build Forge. The only way I can think to launch a command prompt in administrator is to create a cmd.exe shortcut. Then right click on the shortcut click the tick "Run As Administrator" and then assign it a link or location to launch from. Then you can tell build forge to launch that specific cmd. So instead of say %windir%\system32\cmd.exe it would be %SPE%%/AdminPrompt/cmd.exe. I would also check the permissions for TrustedInstaller and or advanced in the cmd.exe properties. You can fine tune what the comman can do not ran as administrator per user or group basis.
The build forge agent, can do anything you can do in command line. It's just a command shell. Unfortunately the agent can't right click and select run as administrator nor interact with prompts.
Let us know know if this helps.
Thanks!
|
|
Thank you for the reply, I am just trying to run a command line command, for example, appcmd list sites. That command should give me some info about my IIS server. APPCMD has a number of other switches where I can add a site, a web app, a virtual directory, delete them, set settings, etc…. This link gives more info, http://www.iis.net/learn/get-started/getting-started-with-iis/getting-started-with-appcmdexe I know the errors I have gotten with APPCMD is due to the server hardening that the security team applied but I was hoping if there was a way with Build Forge to get around that. The right click and run as Administrator is the solution I keep finding when googling. That would be fine if I was trying to do this step manually but I am trying to automate it. I have been in a number of emails talking about the server hardening, loosening certain settings would probably work. I just don’t know if that will be allowed. I have seen this elevate.exe command line tool that might do what I want but since it is 3rd party, I don’t know if that is allowed. http://jpassing.com/2007/12/08/launch-elevated-processes-from-the-command-line/ Finally I opened a PMR to ask IBM support to see if they have a solution/workaround. |
|
That's great.
Only other thing I could mention would be running the agent in stand alone mode under the administrative user. This means that any commands the agent runs, it runs those commands with the privileges of the user it's running under. So maybe open a command window as administrator. Start the agent as bfagent -s in that terminal. Then try to run your commands. Might work but I haven't tested it.
|
|
I opened a PMR and IBM Support gave me a work around. Its ugly because I have to setup the command as a Windows Task but as long as I click run elevated, it works. In Build Forge, I have to call that scheduled task, it doesn't show what happens in the step, just that the task happened but I am using another command to query that it happened.
http://www.sevenforums.com/tutorials/11949-elevated-program-shortcut-without-uac-prompt-create.html |
Your answer
Dashboards and work items are no longer publicly available, so some links may be invalid. We now provide similar information through other means. Learn more here.