Installation of IfW on Windows Server 2025 fails in first run

Hello,

we are trying to install the latest version of IfW on our systems. We have a wrapper script that sets the necessary parameters during installation and also registers the respective system in Director. In addition, we can choose between packages.icinga.com and a local repository as the source in the packages. Systems are Windows Server 2025.

The problem: The first attempt always fails.

[Error]: Unable to load the Icinga PowerShell Framework. Please check your PowerShell execution policies for possible problems. Error: System.Management.Automation.RuntimeException: Unable to configure system permission information

In %windir%\security\logs\scesrv.log:

----------------:<----------------

----Benutzerrechte werden konfiguriert...
SeImpersonatePrivilege muss Administratoren zugewiesen werden. Die Einstellung wurde angepasst.
SeImpersonatePrivilege muss SERVICE zugewiesen werden. Die Einstellung wurde angepasst.
Konfigurieren von S-1-5-99-0.
Entfernen von SeServiceLogonRight.
Konfigurieren von S-1-5-19.
Konfigurieren von S-1-5-20.
Hinzufügen von SeServiceLogonRight.
Konfigurieren von S-1-5-99-216390572-1995538116-3857911515-2404958512-2623887229.
Konfigurieren von S-1-5-32-544.
Konfigurieren von S-1-5-32-551.
Konfigurieren von S-1-5-21-1757981266-1450960922-682003330-512.
Konfigurieren von S-1-1-0.
Konfigurieren von S-1-5-32-545.
Konfigurieren von S-1-5-6.
Konfigurieren von S-1-5-21-1757981266-1450960922-682003330-2184.
Konfigurieren von S-1-5-32-555.
Konfigurieren von S-1-5-80-0.
Konfigurieren von EINGESCHRÄNKTE DIENSTE\ALLE EINGESCHRÄNKTEN DIENSTE.
Fehler 1332: Zuordnungen von Kontennamen und Sicherheitskennungen wurden nicht durchgeführt.
EINGESCHRÄNKTE DIENSTE\ALLE EINGESCHRÄNKTEN DIENSTE wurde nicht gefunden.
Fehler 18: Es sind keine weiteren Dateien vorhanden.

Konfiguration der Benutzerrechte wurde mit einem oder mehreren Fehlern abgeschlossen.

----------------:<----------------

The problem also occurs when we explicitly set the ExecutionPolicy to Unrestricted with scope LocalMachine.

If the script is started a second time, the installation runs without errors. This sequence also occurs when we perform the actual installation without our wrapper and with manually set parameters:

[Net.ServicePointManager]::SecurityProtocol = 'tls12, tls11';
$ProgressPreference                         = 'SilentlyContinue';

Invoke-WebRequest -UseBasicParsing -Uri 'https://packages.icinga.com/IcingaForWindows/IcingaForWindows.ps1' -OutFile 'C:\Users\Public\IcingaForWindows.ps1';
& C:\Users\Public\IcingaForWindows.ps1     -ModuleDirectory 'C:\Program Files\WindowsPowerShell\Modules\' `
-InstallCommand '{"IfW-AgentVersion": {"Values":["2.15.1"]}, "IfW-ForceCertificateCreation": {"Selection": "1"}, "IfW-Hostname": {"Selection": "1"}, "IfW-Certificate": {"Selection": "2"}, "IfW-ParentZone": {"Values": ["master"]}, "IfW-Ticket": {"Values": ["xxxxxx"]}, "IfW-InstallApiChecks": {"Selection": "1"}, "IfW-Connection": {"Selection": "1"}, "IfW-ParentNodes": {"Values": ["xxxxxx"]}}'

It looks like something is happening in the wrong order with regard to permissions.

Regards

Berthold
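
A diagnostic for the error 1332 in the log above, as an added example (not part of the original post and not Icinga for Windows code): it reads a user-rights export in the INF format that `secedit /export /areas USER_RIGHTS` writes and reports every entry given as an account name that does not resolve to a SID on this host. The function name `Find-UnmappedPrivilegePrincipal` is hypothetical and the sample lines are constructed.

```powershell
# Added example; Find-UnmappedPrivilegePrincipal is a hypothetical helper name.
function Find-UnmappedPrivilegePrincipal {
    param([Parameter(Mandatory)][AllowEmptyString()][string[]]$Lines)

    $inSection = $false
    foreach ($line in $Lines) {
        $text = $line.Trim()
        if ($text -match '^\[(.+)\]$') {
            # Only the [Privilege Rights] section lists user-right assignments.
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if (-not $inSection -or $text -notmatch '^(Se\w+)\s*=\s*(.*)$') { continue }

        $right = $Matches[1]
        foreach ($entry in ($Matches[2] -split ',')) {
            $principal = $entry.Trim()
            # Entries starting with '*' are raw SIDs and need no name lookup.
            if (-not $principal -or $principal.StartsWith('*')) { continue }
            try {
                $account = [System.Security.Principal.NTAccount]::new($principal)
                $null = $account.Translate([System.Security.Principal.SecurityIdentifier])
            } catch [System.Security.Principal.IdentityNotMappedException] {
                # Name-to-SID lookup failed: the condition the log reports as error 1332.
                [pscustomobject]@{ Privilege = $right; Principal = $principal }
            }
        }
    }
}

# Constructed sample in the secedit INF layout; not taken from a real export.
$sample = @(
    '[Unicode]',
    'Unicode=yes',
    '[Privilege Rights]',
    'SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6',
    'SeServiceLogonRight = *S-1-5-80-0,EINGESCHRÄNKTE DIENSTE\ALLE EINGESCHRÄNKTEN DIENSTE'
)
Find-UnmappedPrivilegePrincipal -Lines $sample | Format-Table -AutoSize

# On a real host (elevated session), export the current user rights and check them:
#   secedit /export /cfg "$env:TEMP\user_rights.inf" /areas USER_RIGHTS
#   Find-UnmappedPrivilegePrincipal -Lines (Get-Content "$env:TEMP\user_rights.inf")
```

An empty result means every name in the export maps to a SID; any row returned is a principal that a later user-rights import would fail to map.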

Just checked with Windows Server 2022, Policy LocalMachine RemoteSigned:

Works in first run.

But: System was probably not ‘clean’ enough. I simply ran ‘uninstall-icingaforwindows -force’ and cleaned the filesystem. I don’t know if there are leftovers in the registry that allowed the installation. For the Windows 2025 system, a ‘clean’ snapshot is available.

I am a Linux administrator and received both systems from my Windows colleagues. I need to ask what differences there are apart from the version.

Maybe try splitting the installation.

First install the PowerShell Framework, then Agent and Plugins.

We also use a wrapper script, but not in the way you do.

We install the Framework and Plugins first, then the Agent in a separate step (via the MSI, not via IfW):

function framework-installation {
	write-Host "Run Framework installation"

	$ProgressPreference                         = 'SilentlyContinue';
	[string]$ScriptFile                         = 'C:\tools\icinga-agent-installation\IcingaForWindows.ps1';
	# set security protocols for webrequests
	[Net.ServicePointManager]::SecurityProtocol = 'tls12, tls11';

	$webrequest_uri = "https://$repourl/monitoring/icingaforwindows/IcingaForWindows.ps1"
	Invoke-WebRequest `
	-UseBasicParsing `
	-Uri $webrequest_uri `
	-OutFile $ScriptFile;

	$installcommand_string = "{`"IfW-StableRepository`":{`"Values`":[`"https://$repourl/monitoring/icingaforwindows/stable`"]}}"

	& $ScriptFile `
	-ModuleDirectory 'C:\Program Files\WindowsPowerShell\Modules\' `
	-InstallCommand $installcommand_string `
	-IcingaRepository "https://$repourl/monitoring/icingaforwindows/stable/ifw.repo.json" `
	-FrameworkVersion $frameworkversion `
	-SkipWizard;

	# Add the local repository
	Add-IcingaRepository -Name 'Own Icinga Stable Repo' -RemotePath "https://$repourl/monitoring/icingaforwindows/stable/ifw.repo.json" -Force;

	# Install Plugins
	Install-IcingaComponent -Name "Plugins" -Version $pluginsversion -Confirm
}
function agent-installation {
	write-Host "Start Icinga Agent installation"
	# Downloading icinga agent installer
	$agent_installer = "C:\tools\icinga-agent-installation\Icinga2-v$agentversion-x86_64.msi"
	if (-not (Test-Path $agent_installer)) {
		# set security protocols for webrequests
		[Net.ServicePointManager]::SecurityProtocol = 'tls12, tls11';
		Invoke-WebRequest -UseBasicParsing -Uri "https://$repourl/monitoring/icingaforwindows/stable/agent/Icinga2-v$agentversion-x86_64.msi" -outfile $agent_installer
		Start-Sleep -Seconds 10
	}

	# run icinga agent installer
	msiexec /i $agent_installer /qn /norestart
	Start-Sleep -Seconds 30

	# configure agent
	& 'C:\Program Files\ICINGA2\sbin\icinga2.exe' pki save-cert --host $endpointConnections --trustedcert "C:\ProgramData\icinga2\var\lib\icinga2\certs\trusted-parent.crt"
	if($secondsatellite -eq "yes"){
		& 'C:\Program Files\ICINGA2\sbin\icinga2.exe' node setup --cn ($env:COMPUTERNAME).ToLower() --zone ($env:COMPUTERNAME).ToLower() --parent_zone $parentZone --parent_host $endpointConnections --endpoint $endpoints,$endpointConnections,$caport --endpoint $secondsatendpoint,$secondendpointConnection,$caport --global_zones "global-windows" --ticket $ticket --trustedcert "C:\ProgramData\icinga2\var\lib\icinga2\certs\trusted-parent.crt" --accept-commands --accept-config --disable-confd
	}
	else{
		& 'C:\Program Files\ICINGA2\sbin\icinga2.exe' node setup --cn ($env:COMPUTERNAME).ToLower() --zone ($env:COMPUTERNAME).ToLower() --parent_zone $parentZone --parent_host $endpointConnections --endpoint $endpoints,$endpointConnections,$caport --global_zones "global-windows" --ticket $ticket --trustedcert "C:\ProgramData\icinga2\var\lib\icinga2\certs\trusted-parent.crt" --accept-commands --accept-config --disable-confd
	}
	# change logging severity of the Icinga2 agent
	if(Test-Path "C:\ProgramData\icinga2\etc\icinga2\features-available\windowseventlog.conf"){
		write-Host "Set logging severity to critical to avoid EventLog spam"
		(Get-Content "C:\ProgramData\icinga2\etc\icinga2\features-available\windowseventlog.conf") -Replace '"information"', '"critical"' | Set-Content "C:\ProgramData\icinga2\etc\icinga2\features-available\windowseventlog.conf"
	}
}

I’ve tried to remove all traces in the filesystem and the registry, and the installation still works on Server 2022. I will try next week with a fresh system to be sure.

Fresh Installation of Windows Server 2022:

Installation works with script from IfW Repository with executionpolicy LocalMachine/RemoteSigned.

Thanks, but I want to keep the entire procedure as close as possible to the official documentation so that even when I retire, my successor can maintain it.

Just found: Error while trying to setup Icinga Agent on German Windows Server 2025 · Issue #834 · Icinga/icinga-powershell-framework · GitHub