Generally I don’t plan to talk too much about specific programming problems. There’s too many blogs out there about how to solve particular problems; and most of them are generally good and even better, accurate.
I’m going to bore most of you, so if you want to jump to the summary, that’s fine. I won’t be insulted (heck I won’t even know!)
That said, last night I spent a lot of time debugging a particular PowerShell script I had written for a client.
I want to talk a bit about what was going on and how I approached the problem.
So, first the setup: It’s really rather simple
- Log into an SFTP site
- Download a zip file
- Expand the zip file
- Run an SSIS package to import the files in the zip package to a SQL Server
I had written the script several months ago and it’s been in production since then. It’s worked great except for one detail. When it was put into production, we didn’t yet have the service account to run it under, so I set it up to run as a scheduled task using my account information. Not ideal, but workable for now.
Since then, we received the service account. So, I had made several accounts to move to the service account, but it wasn’t working. Yesterday was the first time in awhile I had time to work on it so I started looking at it in more detail.
Permissions Perhaps?
So, the first problem I had was, I’d run the scheduled task and nothing would happen. Ok, that’s not entirely accurate. The script would start, but never run to completion. It just sort of sat there. And it certainly was NOT downloading the zip file.
My first thought was it might be a files permission or other security issue. So the first thing I did was write a really simply script.
get-date | out-file “D:\foo\timetest.text”
Then I setup a scheduled task and ran it manually. And sure enough, timetest.txt showed up exactly where it was supposed to.
So much for security in the OS.
out-file to the Rescue!
So, my next step is probably one of the oldest debug techniques ever: I put in statements in the code to write to a file as I hit various steps in the code. Not quite as cool as a debugger, but hey, it’s simple and it works.
It was simple stuff like:
“Path $SftpPath Set” | out-file ftp_log.txt -append
BTW, if you’re not familiar with Powershell, one of the nice things is in the above statement, it’ll automatically insert the variable $SftpPath into the string it’s printing out.
This started to work like a charm. And then… jackpot!
“Setting Session using $sftpURL and Password: $password and credentials: $Credential” | out-file ftp_log.txt -append
When I ran it, I’d get a line in the log like:
Setting Session using secureftp.example.com and Password: System.Security.SecureString and Credentials: System.Management.Automation.PSCredentials
Not the most informative, but useful. And it’s nice to know that one can’t easily just print out the password!
But, when I ran it as the service I was getting something VERY different.
Setting Session using secureftp.example.com and Password: and Credentials:
HUGE difference. What the heck was happening to the password and credentials?
That’s when the first lightbulb hit.
Secure credentials in PowerShell
Let’s take a slight side trip here. We all know (right, of course you do) that we should never store passwords in cleartext in our scripts. So I did some digging and realized that PowerShell actually has a nice way to handle this. You can pass a plaintext string to a cmdlet and write that out to a file. Then when you need credentials, you read from the file and it gets parsed and handed to whatever needs it.
$password = get-content $LocalFilePath\cred.txt | ConvertTo-SecureString
Of course first you have to get the password INTO that cred.txt file.
That’s easy!
if (-not (test-path $LocalFilePath\cred.txt))
{
read-host -AsSecureString | ConvertFrom-SecureString | Out-File $LocalFilePath\cred.txt
}
So, the first time the program is run, if the cred.txt file isn’t found, the user is prompted for it, they enter the password, it gets put into a secure string and written out. From then on, the cred.txt file is used and the password is nice and secure.
And I confirmed that the service account could actually see the cred.txt file.
So what was happening?
The Key!
It took me a few minutes and when I hit a problem like this I do what I often do, step away from the keyboard. I had to stop and think for a bit. Then it dawned on me. “How does Powershell know how to encrypt and decrypt the password in a secure fashion. I mean at SOME point it needs to have a clear-text version of to pass to the various cmdlets. It wouldn’t be very secure if just anyone could decrypt it. That’s when it struck me! The encryption key (and decryption key) has to be based on the USER running the cmdlet!
Let me show some more code
$password = get-content $LocalFilePath\cred.txt | ConvertTo-SecureString
$Credential = New-Object System.Management.Automation.PSCredential (‘ftp_example’, $Password)
$sftpURL = ‘secureftp.example.com’
$session = New-SFTPSession -ComputerName $sftpURL -Credential $Credential
So first I’d get the password out of my cred.txt file and then create a Credential Object with a username (ftp_example) and the aforementioned password.
Then I’d try to open a session on the SFTP server using that credential. And that’s exactly where it was hanging when I ran this under the service account. Now I was on to something. Obviously the $password and $Credential wasn’t getting set as we saw from my debug statements. It wasn’t able to decrypt cred.txt!
Great, now I just need to have the service create its own cred.txt. But, I can’t use the same technique where the first time the service runs it prompts the user for the password. This bothers me. I still don’t have a perfect solution.
For now I fell back on:
if (-not (test-path $LocalFilePath\cred_$env:UserName.txt))
{
# after running once, remove password here!
“password_here” | ConvertTo-SecureString -AsPlainText -Force | ConvertFrom-SecureString | Out-File $LocalFilePath\cred_$env:UserName.txt
}
Note I changed the name of the cred.txt file to include the username, so I could have one when I ran it and another when the service account ran it. This makes testing far easier AND solves conflicts when debugging (i.e. “which credentials are currently being used).
So for now the documentation will be “after running the first time, remove the password”. I think more likely I’ll write one-time script that runs to setup a few things and then deletes itself. We’ll see.
Anyway, this worked much better. Now my debug lines were getting the password and all. BUT… things were STILL hanging. Talk about frustrating. I finally tracked it down to the line
$session = New-SFTPSession -ComputerName $sftpURL -Credential $Credential
Caving Blind
As you know, I love caving. And for caving, a headlamp is a critical piece of equipment. Without it you have no idea where you’re going. That’s how I felt here. Things were simply hanging and I was getting NO feedback.
I tried
$session = New-SFTPSession -ComputerName $sftpURL -Credential $Credential | out-file ftp_log.txt -append
But I still wasn’t getting anything. I tried a few other things, including setting parameters on how New-SFTPSession would handle errors and warnings. But still nothing. It was like caving blind. The cmdlet was being called, but I couldn’t see ANY errors. Of course when I ran it as myself, it ran fine. But when I ran it as a service, it simply hung.
I was getting frustrated I couldn’t get any feedback. I figured once I had feedback, the rest would be simple. I was mostly right.
I needed my headlamp! I needed to see what was going on!
Finally it dawned on me, “wrap it in an exception”. So now the code became:
try
{
$session = New-SFTPSession -ComputerName $sftpURL -Credential $Credential
}
catch
{
$exception = $_.Exception.Message
“Error in New-SFTPSession – $exception – ” | out-file ftp_log.txt -append
}
Now THIS got me somewhere. I was getting a timeout message! Ok, that confused me. I mean I knew I had the right username and password, and it never timed out when I ran it. Why was it timing out when the service ran it?
So again, I did what I do in cases like this. Got up, went to the fridge, got some semi-dark chocolate chips and munched on them and ran through my head, “why was the secure FTP session timing out in one case, but not the other?” At times like this I feel like Jack Ryan in Hunt for Red October, “How do you get a crew to want to get off a nuclear sub…”
Eureka!
DOH, it’s SECURE FTP. The first time it runs it needs to do a key exchange! I need to accept the key! At first I panicked though. How was I supposed to get the service to accept the key? Fortunately it turned out to be trivial. There’s actually a parameter -Acceptkey. I added that… and everything ran perfectly.
Except the SSIS package
That’s a separate issue and again probably related to security and that’s my problem to debug today. But, I had made progress!
Summary
Now, quite honestly, the above is probably more detail than most care to read. But let me highlight a couple of things I think that are important when debugging or trouble shooting in general.
First, simplify the problem and eliminate the obvious. This is what I did with my first script. I wanted to make sure it wasn’t something simple and obvious. Once I knew I could write to a file using the service account that ruled out a whole line of questions. So I could move on to the next step.
Often I use an example from Sesame Street of “one of these things is not like another.” In this case, I had to keep figuring out what was different between when I ran it and when the service account ran things. I knew up front that anything requiring keyboard input would be a problem. But, I thought I had that covered. Of course starting to compare and contrast the results of decrypting the cred.txt file showed that there was a problem there. And the issue with the initial acceptance of the SFTP key was another problem.
So, gather information and compare what works to what doesn’t work. Change one thing at a time until you narrow down the problem.
The other issue is being able to get accurate and useful information. Using debugging statements if often old school, and I know some developers look down on them, but often the quick and dirty works. So I had no problem using them. BUT, there are still cases where they won’t work. If for example a cmdlet hangs or doesn’t give output to standard output, they won’t work. Catching the exception definitely solved this.
The biggest problems I really ran into here is I’m still a beginner with PowerShell. I’m loving it, but I often still have to lookup things. But the basic troubleshooting skills are ones I’ve developed and honed over the years.
And quite seriously, sometimes don’t be afraid to walk away and do something else for a bit. It almost always brings a fresh perspective. I’ve been known to take a shower to think about a problem. Working from home that is easier for me than it might be for someone in an office. But even then, go take a walk. Or do something. Approach the problem with a fresh mind. All too often we start down the wrong path and just keep blindly going without turning around and reevaluating our position.
When we teach crack and crevice rescue in cave rescue we tell our students, “If you’re not making progress after 15 minutes, let someone else try. The fresh approach will generally help.”
Looking back on this, the problems seem pretty obvious. But it took a bit of work to get there. And honestly, I love the process of troubleshooting and/or debugging. It’s like being a detective, compiling one clue after another until you get the full picture.
So now on to comment some of the code and then figure out why the SSIS package isn’t executing now (I have ideas, we’ll see where I get to!)
greenmountainsoftware 