
Server Configuration Failed: Incorrect user name and/or password (Error code: -2147467259)

Created by Brian Stern, last modified by MindTouch on Jun 23, 2016


Overview

When configuring an IIS server for monitoring, the following error appears when you try to add an AppInsight for IIS monitor: Server Configuration Failed: Incorrect user name and/or password (Error code: -2147467259).

Environment

  • SAM 6.2.X

Cause 

A security rule or firewall is blocking the configuration of AppInsight for IIS on the target node. 

 

Resolution

  1. Copy the following script to the IIS/target server:

param([String]$targetIP = "__LOCALIPADDRESS__") #Changes for doc
### Exit codes declaration ###
<# Every handled exception in this script has a unique exit code.
This is because the remote installation libraries let us return only an exit code (not an error message) as the result; after the configuration process, the exit code is parsed into a message.
All exit codes can be found here: SolarWinds.APM.Common\RemoteExecutableConstants.cs
Error parsing is here: IisServerConfiguratorServices.asmx -> GetConfiguratorErrorMessage()#>

$CantReuseAlreadyExistedListener = 16022;
$CantCreateSelfSignedCertificate = 16023;
$CantCreateWsManListener = 16024;
$ExitCodeOk = 0 ;

### Default ports declaration ###
$DefaultWinRMPort = "5986"

### Functions declaration ###
        
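function ExitWithCode {
    param ($exitcode);
    #Changes for doc
    # In this documentation version the function only prints a result banner.
    # It does not terminate the script, so the error details written after each call are still shown.
    if($exitcode -eq 0){
        Write-Output "---------------------------------";
        Write-Output "Configuring finished successfully";
        Write-Output "---------------------------------";
    }
    else
    {
        Write-Output "---------------------";
        Write-Output "Configuration failed:";
    }
    #Changes for doc
}
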
function Create-SelfSignedCertificate {
    param ($hostname, $lifeTimeDays);

    $name = new-object -com "X509Enrollment.CX500DistinguishedName.1";
    $name.Encode("CN=$hostname", 0);

    $key = new-object -com "X509Enrollment.CX509PrivateKey.1";
    $key.ProviderName = "Microsoft RSA SChannel Cryptographic Provider";
    $key.KeySpec = 1;
    $key.Length = 2048;
    $key.SecurityDescriptor = "D:PAI(A;;0xd01f01ff;;;SY)(A;;0xd01f01ff;;;BA)(A;;0x80120089;;;NS)";
    $key.MachineContext = 1;
    $key.Create();

    $serverauthoid = new-object -com "X509Enrollment.CObjectId.1";
    $serverauthoid.InitializeFromValue("1.3.6.1.5.5.7.3.1");
    $ekuoids = new-object -com "X509Enrollment.CObjectIds.1";
    $ekuoids.add($serverauthoid);
    $ekuext = new-object -com "X509Enrollment.CX509ExtensionEnhancedKeyUsage.1";
    $ekuext.InitializeEncode($ekuoids);

    $cert = new-object -com "X509Enrollment.CX509CertificateRequestCertificate.1";
    $cert.InitializeFromPrivateKey(2, $key, "");
    $cert.Subject = $name;
    $cert.Issuer = $cert.Subject;

    # We subtract one day from the start time to avoid timezone or other 
    # time issues where cert is not yet valid
    $SubtractDays = New-Object System.TimeSpan 1, 0, 0, 0, 0;
    $curdate = get-date;
    $cert.NotBefore = $curdate.Subtract($SubtractDays);
    $cert.NotAfter = $cert.NotBefore.AddDays($lifeTimeDays);

    $cert.X509Extensions.Add($ekuext);
    $cert.Encode();

    $enrollment = new-object -com "X509Enrollment.CX509Enrollment.1";
    $enrollment.InitializeFromRequest($cert);
    $certdata = $enrollment.CreateRequest(0);
    $enrollment.InstallResponse(2, $certdata, 0, "");
}

function Get-FireWallRule {
    param ($name, $direction, $enabled, $protocol, $profile, $action, $grouping);
    
    $rules = (New-object -comObject HNetCfg.FwPolicy2).rules;

    if ($name) { $rules = $rules | where-object { $_.name -like $name } }
    if ($direction) { $rules = $rules | where-object { $_.direction -eq $direction } }
    if ($enabled) { $rules = $rules | where-object { $_.Enabled -eq $enabled } }
    if ($protocol) { $rules = $rules | where-object { $_.protocol -eq $protocol } }
    if ($profile) { $rules = $rules | where-object { $_.Profiles -bAND $profile } }
    if ($action) { $rules = $rules | where-object { $_.Action -eq $action } }
    if ($grouping) { $rules = $rules | where-object { $_.Grouping -like $grouping } }

    $rules
}

function Add-FirewallRule {
    param($name, $tcpPorts, $appName = $null, $serviceName = $null);
        
    $fw = New-Object -ComObject hnetcfg.fwpolicy2;
    $rule = New-Object -ComObject HNetCfg.FWRule;
            
    $rule.Name = $name;
    if ($appName -ne $null) { $rule.ApplicationName = $appName };
    if ($serviceName -ne $null) { $rule.serviceName = $serviceName };
    $rule.Protocol = 6; # NET_FW_IP_PROTOCOL_TCP
    $rule.LocalPorts = $tcpPorts;
    $rule.Enabled = $true;
    $rule.Grouping = "@firewallapi.dll,-23255";
    $rule.Profiles = 7; # all
    $rule.Action = 1; # NET_FW_ACTION_ALLOW
    $rule.EdgeTraversal = $false;
        
    $fw.Rules.Add($rule);
}

function Update-WsMan-Limits {
    [int]$MaxConcurrentUsersDefaultValue = 5;
    [int]$MaxShellsPerUserDefaultValue = 5;
    [int]$MaxMemoryPerShellMBDefaultValue = 150;
    $serviceRestartRequired = $false;
    
    $winRM = Get-Item WSMan:\localhost\Shell\* | Select-Object Name,Value;

    [int]$maxUsers = $WinRM | Where-Object {$_.Name -eq "MaxConcurrentUsers"} | Select -ExpandProperty Value;
    Write-Output "PowerShell quota management - 'MaxConcurrentUsers' current value: $($maxUsers)";

    if ($maxUsers -le $MaxConcurrentUsersDefaultValue) {
        $maxUsers = $maxUsers + 20;
        Set-Item WSMan:\localhost\Shell\MaxConcurrentUsers $maxUsers -WarningAction SilentlyContinue;
        Write-Output "PowerShell quota management - has increased 'MaxConcurrentUsers' value up to: $($maxUsers)";
        $serviceRestartRequired = $true;
    }

    [int]$maxShells = $winRM | Where-Object {$_.Name -eq "MaxShellsPerUser"} | Select -ExpandProperty Value;
    Write-Output "PowerShell quota management - 'MaxShellsPerUser' current value: $($maxShells)";

    if ($maxShells -le $MaxShellsPerUserDefaultValue) {
        $maxShells = $maxShells + 20;
        Set-Item WSMan:\localhost\Shell\MaxShellsPerUser $maxShells -WarningAction SilentlyContinue;
        Write-Output "PowerShell quota management - has increased 'MaxShellsPerUser' value up to: $($maxShells)";
        $serviceRestartRequired = $true;
    }

    [int]$maxMemory = $WinRM | Where-Object {$_.Name -eq "MaxMemoryPerShellMB"} | Select -ExpandProperty Value;
    Write-Output "PowerShell quota management - 'MaxMemoryPerShellMB' current value: $($maxMemory)";

    If ($maxMemory -le $MaxMemoryPerShellMBDefaultValue) {
        $maxMemory = 512;
        Set-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB $maxMemory -WarningAction SilentlyContinue;
        Write-Output "PowerShell quota management - has increased 'MaxMemoryPerShellMB' value up to: $($maxMemory)";
        $serviceRestartRequired = $true;
    }

    if ($serviceRestartRequired) {
        # Once the changes have been made, we should stop and restart the WinRM service
        Write-Output "PowerShell quota management - restarting WinRM service...";
        Restart-Service WinRM -force;
    }
}

### ### ### ### ### ### ###

#Changes for doc Write-Output "##############";

$agentMode = $false; #Changes for doc
#Changes for doc Write-Output "AGENTMODE macro: $agentMode";

 

#Changes for doc Write-Output "##############";

if($agentMode)
{
    Write-Output "Skipping WSMAN limits settings (AgentMode)";
}
else
{
    try {
        Update-WsMan-Limits;

    } catch {
        Write-Output "Unable to increase PowerShell quota settings. ERROR: $($Error[0])";
    }
}

Write-Output "##############";

Write-Output $("Ip Address: " + $targetIP); #Changes for doc
$hostname = $targetIP + "_Solarwinds_Zero_Configuration";
$lifeTimeDays = 365 * 50;

if($agentMode)
{
    Write-Output "Skipping configuration of WSMAN listener (AgentMode)";
}
else
{
    $reusableListener = $null;
    try {
        $existedListeners = Get-WSManInstance winrm/config/listener -selectorset @{Address="*";Transport="HTTPS"} | Where-Object {$_.Port -eq $DefaultWinRMPort};
        if ($existedListeners -ne $null) {
            Write-Output "Some HTTPS listener has already existed on 5986 port: ";
            Write-Output $existedListeners | out-string;

            $listeningOn = $existedListeners.ListeningOn | out-string;

            $reusableListener = $existedListeners | Where-Object {$listeningOn.Contains($targetIP)};
            if ($reusableListener -eq $null) {
                ExitWithCode -exitcode $CantReuseAlreadyExistedListener; #Changes for doc
                Write-Output "Some HTTPS listener has already existed on port 5986, but we can't reuse it because it's not configured to listen on target IIS server IP: $targetIP";
                Write-Output "Customer has to check wsMan listeners configuration on IIS server and fix wsMan URL for IIS application accordingly";
            }
        }
    }
    catch {
        Write-Output "Cannot locate HTTPS listeners. Will create one...";
    }

    Write-Output "##############";    

    if ($reusableListener -eq $null) {
        $existedCertificates = Get-Childitem -path cert:\LocalMachine\My | Where-Object { $_.Subject -eq "CN=$hostname" };
        if ($existedCertificates -eq $null) { 
            Write-Output "Cannot locate Solarwinds self-signed certificate, will create one...";
            try{
                Create-SelfSignedCertificate $hostname $lifeTimeDays;
            } catch {
                ExitWithCode -exitcode $CantCreateSelfSignedCertificate; #Changes for doc
                Write-Output "Unable to create self-signed certificate. ERROR: $($Error[0])";
            }
        } else {
            Write-Output "Solarwinds self-signed certificate exists: ";
            Write-Output $existedCertificates | out-string;
        }

        try{
            # Get the thumbprints of the SSL certificates that match the hostname
            $thumbprints = Get-Childitem -path cert:\LocalMachine\My | Where-Object {$_.Subject -eq "CN=$hostname"} | Select-Object -Property Thumbprint;

            # PowerShell magic to retrieve the first matching thumbprint (there'll probably only be one anyway)
            $thumbprint = @($thumbprints)[0].Thumbprint;

            # Create a WinRM listener, identifying the SSL certificate by the thumbprint
            New-WSManInstance WinRM/Config/Listener -SelectorSet @{Address = "*"; Transport = "HTTPS"} -ValueSet @{Hostname = $hostname; CertificateThumbprint = $thumbprint};
        } catch {
            ExitWithCode -exitcode $CantCreateWsManListener; #Changes for doc
            Write-Output "Unable to create wsMan listener. ERROR: $($Error[0])";
        }
    }
}

Write-Output "##############";

if($agentMode)
{
    Write-Output "Skipping configuration of firewall rule (AgentMode)";
}
else
{
    try {
        Write-Output "Checking firewall rule existence...";

        $firewallRuleName = "Windows Remote Management HTTP/SSL";
        $firewallRules = Get-firewallRule -name $firewallRuleName -enabled $true;

        # Report an existing rule only when one was actually found; otherwise create it
        if ($firewallRules -eq $null) {
            Write-Output "Unable to detect firewall rule. Will create one...";
            Add-FirewallRule $firewallRuleName $DefaultWinRMPort $null $null;
        } else {
            Write-Output "Firewall rule exists:";
            Write-Output $firewallRules | out-string;
        }
    } catch {
        ExitWithCode -exitcode 16025; #Changes for doc
        Write-Output "Unable to check or enable firewall rule. ERROR: $($Error[0])";
    }
}

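# ExitWithCode does not stop the script in this documentation version, so the success banner
# below is printed even when an earlier step reported "Configuration failed:". Review the full output.
ExitWithCode -exitcode $ExitCodeOk;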

 

2. Then run through the following commands:

Powershell.exe
Set-ExecutionPolicy Unrestricted
{Path}\ConfigureWsManScript.ps1 -targetIP {IP}
 
***Replace {Path} with the path of the script file.
***Replace {IP} with the IP address specified in the node that AppInsight for IIS has been assigned to.

 

3. This script manually performs what the Configure Server button does. Please correct any errors that appear.

Note: One of the most common errors that comes up is:

Configuration failed:
Unable to check or enable firewall rule. ERROR: Exception calling "Add" with "1" argument(s): "CertEnroll::CX509Private
Key::put_Certificate: Invalid type specified. 0x8009000a (-2146893814)"

 

This is usually the result of a firewall that is blocking the SolarWinds server from connecting to the node on which AppInsight for IIS is being installed. Please check the firewall for any rules that might be blocking the connection, or create one if necessary.
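
The script above opens a WinRM HTTPS listener, installs a self-signed certificate valid for 50 years, and adds a firewall rule for all profiles, so it is worth reviewing the result on the target server. The following is an added example, not SolarWinds code: it assumes an elevated PowerShell prompt on the IIS server and the same IP that was passed as -targetIP (the default shown is a constructed sample value).

```powershell
# Added example (not part of the SolarWinds script): review what ConfigureWsManScript.ps1 changed.
param([String]$targetIP = "192.0.2.10")   # constructed sample IP; use the value passed as -targetIP

$subject  = "CN=${targetIP}_Solarwinds_Zero_Configuration"   # subject the script builds from $targetIP
$ruleName = "Windows Remote Management HTTP/SSL"              # firewall rule name used by the script

# 1. HTTPS WinRM listener on port 5986 and the certificate thumbprint bound to it
$listeners = @()
try {
    $listeners = @(Get-WSManInstance winrm/config/listener -SelectorSet @{Address="*";Transport="HTTPS"} -ErrorAction Stop |
        Where-Object { $_.Port -eq "5986" })
} catch {
    Write-Output "No HTTPS listener found: $($_.Exception.Message)"
}
$listeners | Select-Object Hostname, Port, ListeningOn, CertificateThumbprint | Format-List
$bound = @($listeners | ForEach-Object { $_.CertificateThumbprint })

# 2. Self-signed certificate: the script requests 365 * 50 days of validity
Get-ChildItem -Path cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $subject } |
    Select-Object Thumbprint, NotBefore, NotAfter,
        @{n = "SelfSigned";      e = { $_.Subject -eq $_.Issuer }},
        @{n = "BoundToListener"; e = { $bound -contains $_.Thumbprint }} |
    Format-List

# 3. Firewall rule: the script sets Profiles = 7 (Domain=1 + Private=2 + Public=4)
#    and leaves RemoteAddresses at its default of "*"
$rules = (New-Object -ComObject HNetCfg.FwPolicy2).Rules | Where-Object { $_.Name -eq $ruleName }
foreach ($r in $rules) {
    $r | Select-Object Name, Enabled, LocalPorts, Profiles, RemoteAddresses, Action | Format-List
    if (($r.Profiles -band 4) -and ($r.RemoteAddresses -eq "*")) {
        Write-Output "Rule allows TCP $($r.LocalPorts) from any address on the Public profile."
    }
}

# 4. Execution policy per scope: step 2 sets it to Unrestricted
Get-ExecutionPolicy -List | Format-Table -AutoSize
```

If the rule is reported as open to any address, its RemoteAddresses can be narrowed to the SolarWinds server, and the execution policy can be set back to its earlier value once the script has run.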

 

 

 
