New-LocalUser with SecureString password throws CryptographicException The system cannot find the path specified.

  • Question

  • My dockerfile builds from:

    FROM microsoft/aspnet

    When building, it runs a PowerShell script that attempts to create a local user:

    New-LocalUser $iisRemoteAdminUserName -Password $securePassword -FullName "$iisRemoteAdminUserName" -Description "IIS Remote Administrator."

    $securePassword is created like so:

    $securePassword = ConvertTo-SecureString "P@ssW0rD!" -AsPlainText -Force

    I can run this script fine on my local Windows 10 machine, and it creates the local user.

    However when it runs within the container:

    Exception calling
    "Deserialize" with "1" argument(s): "The system cannot find the path specified.
    " ---> System.Security.Cryptography.CryptographicException: The system cannot
    find the path specified.
       at System.Security.Cryptography.ProtectedData.Unprotect(Byte[]
    encryptedData, Byte[] optionalEntropy, DataProtectionScope scope)
       at Microsoft.PowerShell.SecureStringHelper.Unprotect(String input)
       at System.Management.Automation.InternalDeserializer.ReadSecureString()
       at System.Management.Automation.InternalDeserializer.ReadPrimaryKnownType(Ty
    peSerializationInfo pktInfo)
       at System.Management.Automation.InternalDeserializer.ReadOneDeserializedObje
    ct(String& streamName, Boolean& isKnownPrimitiveType)
       at System.Management.Automation.InternalDeserializer.ReadOneObject(String&
       at System.Management.Automation.Deserializer.Deserialize(String& streamName)
       at System.Management.Automation.PSSerializer.DeserializeAsList(String
       at System.Management.Automation.PSSerializer.Deserialize(String source)
       at CallSite.Target(Closure , CallSite , Type , String )
       --- End of inner exception stack trace ---
       at System.Management.Automation.ExceptionHandlingOps.CheckActionPreference(F
    unctionContext funcContext, Exception exception)
       at System.Management.Automation.Interpreter.ActionCallInstruction`2.Run(Inte
    rpretedFrame frame)
       at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.
    Run(InterpretedFrame frame)
       at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.
    Run(InterpretedFrame frame)
       --- End of inner exception stack trace ---
        + CategoryInfo          : InvalidOperation: (:) [], CimException
        + FullyQualifiedErrorId : ProviderOperationExecutionFailure
        + PSComputerName        : localhost

    It seems that there is some problem Unprotecting the secure string, perhaps it expects some key to exist somewhere that doesn't? However I am using plain text, no keys. Do I need to provision a key to the container somehow for this to work? If so where and how!

    Tuesday, April 10, 2018 10:11 AM

All replies

  • Check that your environmental/build variables are actually passed to the cmdlet by using "Write-Output" right before calling those functions in the Dockerfile
    Tuesday, April 10, 2018 1:05 PM
  • Greetings,

    Would you mind trying net user instead?

    Docker file

    FROM microsoft/aspnet:4.7.1
    RUN ["net", "user", "iisadmin", "password01!", "/add"]


    PS C:\Users\greggu\repos\dow-playground\demo10> .\build.ps1
    Sending build context to Docker daemon  4.096kB
    Step 1/2 : FROM microsoft/aspnet:4.7.1
     ---> 816eb454dc15
    Step 2/2 : RUN ["net", "user", "iisadmin", "password01!", "/add"]
     ---> Using cache
     ---> 28bb190de55a
    Successfully built 28bb190de55a
    Successfully tagged greggu/demo10:latest
    PS C:\Users\greggu\repos\dow-playground\demo10> docker ps
    CONTAINER ID        IMAGE               COMMAND                   CREATED              STATUS              PORTS               NAMES
    bac63237e93e        greggu/demo10       "C:\\ServiceMonitor.e…"   About a minute ago   Up About a minute   80/tcp              demo10
    PS C:\Users\greggu\repos\dow-playground\demo10> docker exec demo10 net user
    User accounts for \\
    Administrator            DefaultAccount           Guest
    iisadmin                 WDAGUtilityAccount
    The command completed with one or more errors.

    Sic Parvis Magna

    Wednesday, April 11, 2018 2:01 AM
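
A diagnostic sketch for the failure discussed in this thread, added here as an example and not written by any of the posters: it checks whether the DPAPI protect/unprotect path seen in the stack trace (`SecureStringHelper.Unprotect` calling `ProtectedData.Unprotect`) works in the build context before calling `New-LocalUser`, and otherwise falls back to the `net user` approach from the reply. The function names and the `IIS_ADMIN_PASSWORD` environment variable are assumptions, and a passing round trip is assumed, not guaranteed, to predict that `New-LocalUser` will succeed.

```powershell
# Added example for Windows PowerShell 5.1; function names are hypothetical.

function Test-DpapiRoundTrip {
    # Without -Key/-SecureKey these cmdlets protect the string with DPAPI,
    # the same ProtectedData path that appears in the stack trace.
    try {
        $probe = ConvertTo-SecureString 'dpapi-probe' -AsPlainText -Force
        $blob  = ConvertFrom-SecureString $probe -ErrorAction Stop   # Protect
        $null  = ConvertTo-SecureString $blob -ErrorAction Stop      # Unprotect
        return $true
    } catch {
        Write-Warning "DPAPI round trip failed: $($_.Exception.Message)"
        return $false
    }
}

function New-ContainerLocalUser {
    param(
        [Parameter(Mandatory)] [string]       $Name,
        [Parameter(Mandatory)] [securestring] $Password,
        [string] $Description = ''
    )

    if (Test-DpapiRoundTrip) {
        New-LocalUser $Name -Password $Password -FullName $Name `
            -Description $Description -ErrorAction Stop | Out-Null
        return 'New-LocalUser'
    }

    # Fallback: net.exe takes the password as a plain argument, so no
    # SecureString has to be serialized or unprotected.
    $plain = [System.Net.NetworkCredential]::new('', $Password).Password
    & net.exe user $Name $plain /add | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "net user failed with exit code $LASTEXITCODE"
    }
    return 'net user'
}

# Assumed input: the password arrives in an environment variable
# (IIS_ADMIN_PASSWORD is a made-up name) instead of a literal in the script.
if (-not $env:IIS_ADMIN_PASSWORD) { throw 'IIS_ADMIN_PASSWORD is not set' }
$securePassword = ConvertTo-SecureString $env:IIS_ADMIN_PASSWORD -AsPlainText -Force
$method = New-ContainerLocalUser -Name 'iisadmin' -Password $securePassword `
    -Description 'IIS Remote Administrator.'
Write-Output "Created user via $method"
```

With the `net user` form, the password is a command-line argument; when it is written as a literal in a Dockerfile `RUN` instruction it is recorded in the image history.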