This repository has been archived by the owner on Oct 4, 2024. It is now read-only.

Deployment Fails - Cannot disable CredSSP #47

Open
thetechbender opened this issue Jan 27, 2022 · 2 comments

@thetechbender

thetechbender commented Jan 27, 2022

There is a weird bug: the deployment fails on Step 11 InstallSubCA of the SSM Automation document. These are the logs:

Getting AD domain information
Getting a Domain Controller to perform actions against
Adding computer account to elevated permission group for install
Sleeping to ensure replication of group membership has completed
Clearing all SYSTEM Kerberos tickets
Enabling CredSSP
Enabling CredSSP
Setting CredSSP registry entries
Creating PKI CNAME record
Disabling CredSSP
Disabling CredSSP
Failed to disable CredSSP This command cannot be executed because the setting cannot be disabled.

The deployment fails, and the CloudFormation stack rolls back.

Sometimes we are able to get around the issue by deleting the CloudFormation stack and redeploying. Right now we are deploying the quickstart to a brand new environment using an AWS-provided Windows AMI, and it has failed three times.

I'm confused about what this step is doing.

Disabling CredSSP
Disabling CredSSP

Are there any workarounds to get this working? Has anyone else seen this issue?

@girvenj
Contributor

girvenj commented Mar 29, 2022

I have some updates for this QS. I will update the CredSSP section to hopefully resolve this issue. So far I have not been able to reproduce this.

@ljbrusta

This still seems to be an issue. 1st attempt failed with this error.


Getting AD domain information
Getting a Domain Controller to perform actions against
Adding computer account to elevated permission group for install
Sleeping to ensure replication of group membership has completed
Clearing all SYSTEM Kerberos tickets
CA A record missing.
CA A record missing.
CA A record missing.
CA A record missing.
Enabling CredSSP
Setting CredSSP registry entry CredentialsDelegation
Setting CredSSP registry entry AllowFreshCredentials
Setting CredSSP registry entry AllowFreshCredentialsWhenNTLMOnly
Creating PKI CNAME record
Disabling CredSSP
Failed to disable CredSSP This command cannot be executed because the setting cannot be disabled.

Second attempt failed from a timeout, no errors. I'll have to look at that one a little closer next week.
