Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-63623

Windows agents fail to start on version 2.235.5

    XMLWordPrintable

    Details

    • Similar Issues:

      Description

      I am trying to connect a windows slave (windows 10 pro) to a windows master (windows server 2019) on jenkins and I always see the error below. I have tried everything but I still see the same error.

      Any resolution for this issue?

      ERROR: Message not found for errorCode: 0x80010111
      org.jinterop.dcom.common.JIException: Message not found for errorCode: 0x80010111
      at org.jinterop.dcom.core.JIComServer.init(JIComServer.java:550)
      at org.jinterop.dcom.core.JIComServer.initialise(JIComServer.java:458)
      at org.jinterop.dcom.core.JIComServer.<init>(JIComServer.java:427)
      at org.jvnet.hudson.wmi.WMI.connect(WMI.java:59)
      at hudson.os.windows.ManagedWindowsServiceLauncher.launch(ManagedWindowsServiceLauncher.java:208)
      at hudson.slaves.SlaveComputer.lambda$_connect$0(SlaveComputer.java:296)
      at jenkins.util.ContextResettingExecutorService$2.call(ContextResettingExecutorService.java:46)
      at jenkins.security.ImpersonatingExecutorService$2.call(ImpersonatingExecutorService.java:71)
      at java.util.concurrent.FutureTask.run(Unknown Source)
      at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
      at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
      at java.lang.Thread.run(Unknown Source)
      Caused by: org.jinterop.dcom.common.JIRuntimeException: Message not found for errorCode: 0x80010111
      at org.jinterop.dcom.core.JIRemActivation.read(JIRemActivation.java:191)
      at ndr.NdrObject.decode(NdrObject.java:19)
      at rpc.ConnectionOrientedEndpoint.call(ConnectionOrientedEndpoint.java:138)
      at rpc.Stub.call(Stub.java:112)
      at org.jinterop.dcom.core.JIComServer.init(JIComServer.java:538)
      ... 11 more

       note: version java installed in server and slave : 8.261 / .net framework installed : 4.8

      thank you

        Attachments

          Activity

          mediss mohamed issaoui created issue -
          mediss mohamed issaoui made changes -
          Field Original Value New Value
          Description I am trying to connect a windows slave (windows 10 pro) to a windows master (windows server 2019) on jenkins and I always see the error below. I have tried everything but I still see the same error.

          Any resolution for this issue?

          ERROR: Message not found for errorCode: 0x80010111
          org.jinterop.dcom.common.JIException: Message not found for errorCode: 0x80010111
           at org.jinterop.dcom.core.JIComServer.init(JIComServer.java:550)
           at org.jinterop.dcom.core.JIComServer.initialise(JIComServer.java:458)
           at org.jinterop.dcom.core.JIComServer.<init>(JIComServer.java:427)
           at org.jvnet.hudson.wmi.WMI.connect(WMI.java:59)
           at hudson.os.windows.ManagedWindowsServiceLauncher.launch(ManagedWindowsServiceLauncher.java:208)
           at hudson.slaves.SlaveComputer.lambda$_connect$0(SlaveComputer.java:296)
           at jenkins.util.ContextResettingExecutorService$2.call(ContextResettingExecutorService.java:46)
           at jenkins.security.ImpersonatingExecutorService$2.call(ImpersonatingExecutorService.java:71)
           at java.util.concurrent.FutureTask.run(Unknown Source)
           at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
           at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
           at java.lang.Thread.run(Unknown Source)
          Caused by: org.jinterop.dcom.common.JIRuntimeException: Message not found for errorCode: 0x80010111
           at org.jinterop.dcom.core.JIRemActivation.read(JIRemActivation.java:191)
           at ndr.NdrObject.decode(NdrObject.java:19)
           at rpc.ConnectionOrientedEndpoint.call(ConnectionOrientedEndpoint.java:138)
           at rpc.Stub.call(Stub.java:112)
           at org.jinterop.dcom.core.JIComServer.init(JIComServer.java:538)
           ... 11 more

           

          thank you
          I am trying to connect a windows slave (windows 10 pro) to a windows master (windows server 2019) on jenkins and I always see the error below. I have tried everything but I still see the same error.

          Any resolution for this issue?

          ERROR: Message not found for errorCode: 0x80010111
           org.jinterop.dcom.common.JIException: Message not found for errorCode: 0x80010111
           at org.jinterop.dcom.core.JIComServer.init(JIComServer.java:550)
           at org.jinterop.dcom.core.JIComServer.initialise(JIComServer.java:458)
           at org.jinterop.dcom.core.JIComServer.<init>(JIComServer.java:427)
           at org.jvnet.hudson.wmi.WMI.connect(WMI.java:59)
           at hudson.os.windows.ManagedWindowsServiceLauncher.launch(ManagedWindowsServiceLauncher.java:208)
           at hudson.slaves.SlaveComputer.lambda$_connect$0(SlaveComputer.java:296)
           at jenkins.util.ContextResettingExecutorService$2.call(ContextResettingExecutorService.java:46)
           at jenkins.security.ImpersonatingExecutorService$2.call(ImpersonatingExecutorService.java:71)
           at java.util.concurrent.FutureTask.run(Unknown Source)
           at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
           at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
           at java.lang.Thread.run(Unknown Source)
           Caused by: org.jinterop.dcom.common.JIRuntimeException: Message not found for errorCode: 0x80010111
           at org.jinterop.dcom.core.JIRemActivation.read(JIRemActivation.java:191)
           at ndr.NdrObject.decode(NdrObject.java:19)
           at rpc.ConnectionOrientedEndpoint.call(ConnectionOrientedEndpoint.java:138)
           at rpc.Stub.call(Stub.java:112)
           at org.jinterop.dcom.core.JIComServer.init(JIComServer.java:538)
           ... 11 more

           note: version java installed in server and slave : 8.261 / .net framework installed : 4.8

          thank you
          ianw Ian Williams made changes -
          Issue Type Task [ 3 ] Bug [ 1 ]
          mediss mohamed issaoui made changes -
          Priority Blocker [ 1 ] Critical [ 2 ]
          mediss mohamed issaoui made changes -
          Attachment image-2020-09-17-09-54-59-182.png [ 52616 ]
          mediss mohamed issaoui made changes -
          Environment jenkins version 2.235.5, windows server 2019, windows 10 pro jenkins version 2.235.5/2.249.1, windows server 2019, windows 10 pro
          georgelinsdell2 George Linsdell made changes -
          Comment [ So there has been no change successful connection behavior with our dev ops manager rolling out the regular jenkins updates as and when they become available, There was a breaking change to support master controlled nodes and there has been no further investigation work. since from the activity on this ticket.

          Is it appropriate that the solution for "you broke it" is to "Change the method of control". And not investigate the scenario that you broke and fix it.
           The "Launch agent by connecting it to the master" is a much less stable mechanism that the master being able to control the node and required additional maintenance. I blanket removed "Launch agent by connecting to the master" as it was not suitable for my use case. May I ask what is required to go about getting this resolved.

          I have 6 jenkins nodes which all have the correct configuration and were working pre-jenkins update.
           I have correct fire wall instruction to permit traffic Infact I documented the entire approach from collated sources in order to allow consistent setup between the nodes (In the comment below)

          Can somebody advise how I can provide more information to get this looked into?
          h1. Jenkins Node Modifications

          There are known difficulties with using the slave mode "Let Jenkins control this Windows agent as a Windows service". Jenkins has a large support document located [here|https://github.com/jenkinsci/windows-slaves-plugin/blob/master/docs/troubleshooting.adoc#access-is-denied-error]. Below are the steps required to get a windows 10 node to be run in this way.
          ||Action||Description||Notes||
          ||1|Set up the connection details| |
          ||2|If a suitable user account is not present create one.| |
          ||3|Change/Add registry Key 1:
            |
          |h3. Access is denied error
          When you get an error like "Access is denied. [0x00000005]", apply the following patch to the registry: * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System * create or modify 32-bit DWORD: LocalAccountTokenFilterPolicy
           * set the value to: 1|

          Credit to Arturas Sirvinskas|
          ||4|Modify the firewall to accept TCP and UDP traffic|h3. Firewall
          By default, Windows Firewall prevents the TCP connections necessary to make this mechanism work. The firewall on the agent must allow the following exceptions (see [List of TCP&UDP port numbers|http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers]): * TCP Port [135|http://www.speedguide.net/port.php?port=135] (DCE/RPC Locator service) * TCP Port [139|http://www.speedguide.net/port.php?port=139] (NetBIOS Session Service)
           * TCP Port [445|http://www.speedguide.net/port.php?port=445] (Windows shares)
           * C:\WINDOWS\system32\dllhost.exe (dllhost.exe seems to use a random port number)
           * C:\WINDOWS\system32\javaw.exe (Jenkins also uses a random port number)
           * File and Printer sharing (TCP 139, TCP 445, UDP 137, UDP 138 (possibly only a subset of these is required))|

          Example Firewall related issues: “Error 0x800706BA The RPC server is unavailable.”, “SocketTimeoutException: Accept timed out”, “TransportException: Connection timeout”.
           The easiest way to track down firewall issues is to use [tcpdump|http://www.tcpdump.org/]. Just run the following command on the Jenkins server, which is trying to connect to the slave:
           G:  TestComplete TCP Enable → 135 ,139 ,445
           TestComplete UDP Enable → 137 ,138|
          ||5|SMB Protocol Configuration|{color:#005cc5}Run the following lines in a administrator powershell window. Jenkins does not support SMB2{color}
           
           Enable-WindowsOptionalFeature {color:#d73a49}-{color}Online {color:#d73a49}-{color}FeatureName smb1protocol
           {color:#005cc5}Set-SmbServerConfiguration{color} {color:#d73a49}-{color}EnableSMB1Protocol {color:#005cc5}$true{color}|
          ||6|Remote Registry Access|{color:#24292e}Elevated Power shell command:{color}
           {color:#24292e}Enable-PSRemoting{color}|
          ||7|Enable remote registry service|{color:#24292e}If so, start the control panel, open "Administrative Tools" then "Services" Locate the Remote Registry service on the list, and click "Start this service"{color}|
          ||8|User in admin group|h3. Agent under domain account
          If your agent is running under a domain account and you get an error code 0x800703FA, change a group policy: * open the group policy editor (gpedit.msc) * go to Computer Configuration→Administrative Templates→System→ UserProfiles, "Do not forcefully unload the user registry at user logoff"
           * Change the setting from "Not Configured" to "Enabled", which disables the new User Profile Service feature ('DisableForceUnload' is the value added to the registry)|

          Credit to Oliver Walsh (see comments below)|
          ||9|from javawebstart|If java webstart has been use previously, there may be a conflict. so remove /move the old configuration and uninstall the java web start jenkins service.|
          ||10|Change Security Policy for MACHINENAME\Administrators|{color:#333333}TITLE{color}
           {color:#333333}How do I configure a user account to have ‘logon as a service’ permissions?{color}{color:#333333}QUESTION / PROBLEM{color}
           Please follow the KCS Knowledge Article guidelines to properly format your question or problem
           I am getting Service Logon Failure error 'This service account does not have the required user right "Log on as a service"' while starting server services. Can you please tell me the steps to configure my user account with Log On Service permission?{color:#333333}ANSWER / SOLUTION{color}
           Please follow the KCS Knowledge Article guidelines to properly format your answer/solution
           To add "Log on as a service" permissions: # Run *Start* > *Control Panel* > *Administrative Tools* > *Local Security Policy* # Select  *Local Policies* > *User Rights Assignment* > *Log on as a service*
           # Click *Add User or Group*, and then add the appropriate account to the list of accounts that possess the Log on as a service right.|

           h3. Local Security Settings # Start the control panel, go to "Administrative Tools", then "Local Security Policy". This will open up the "local security settings" window
           # Go to "Local Policies" > "Security Options" > "Network access: Sharing and security model for local accounts." Change that to "Classic."|
          ||11|Set Registry Key Permissions to Administrators not trusted installers|This can exhibit a [0x00000005] codeh3. WBEM Scripting Locator
           On current Windows systems, Jenkins requires access to the "WBEM Scripting Locator". The following steps allow that: # Launch 'regedit' (as Administrator)|

           # Find (Ctrl+F) the following registry key: "\{76A64158-CB41-11D1-8B02-00600806D9B6}" (it’s in HKEY_CLASSES_ROOT\CLSID)
           # Right click and select 'Permissions'
           # Change owner to administrators group (Advanced…​).
           # Change permissions for administrators group. Grant Full Control.
           # Change owner back to TrustedInstaller (user is "NT Service\TrustedInstaller" on local machine)
           # Restart Remote Registry Service (Administrative Tools / Services)

          Credit to Florian Vogle [on the Hudson wiki|http://wiki.hudson-ci.org/display/HUDSON/Windows+slaves+fail+to+start+via+DCOM].|
          ||12|TEMPORARY STEP - Disable firewalls|Even with the noted ports opened for TCP and UDP traffic, there were still Access denied errors. Disabling the firewall solved this however|
          ||13|Install Microsoft .NET 2.0 |[https://shenxianpeng.github.io/2020/07/jenkins-windows-agent-connect-problem/]
           Link above contains instructions to enabling .Net 2.0 framework on a windows 10 machine. These are no longer installed in the default windows 10 installation|
          ||14|Set the domain specific element in user name|{color:#172b4d}Windows may try to block the action of starting a service if you do not put the prefix. Prefixing the username with "computername\" resolves this issue for me.{color}
           {color:#172b4d}e.g. anegada/jenkins_user
           Otherwise the user account needs to be an administrative user on both the server side and client side (which is hard to achieve as server side is linux...{color}| ]
          georgelinsdell2 George Linsdell made changes -
          Comment [ |*Action*|*Description*|*Notes*|
          |*1*|Set up the connection details| |
          |*2*|If a suitable user account is not present create one.| |
          |*3*|Change/Add registry Key 1:|*Access is denied error*
          When you get an error like "Access is denied. [0x00000005]", apply the following patch to the registry: * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
           * create or modify 32-bit DWORD: LocalAccountTokenFilterPolicy
           * set the value to: 1

          Credit to Arturas Sirvinskas|
          |*4*|Modify the firewall to accept TCP and UDP traffic|*Firewall*
          By default, Windows Firewall prevents the TCP connections necessary to make this mechanism work. The firewall on the agent must allow the following exceptions (see [List of TCP&UDP port numbers|http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers]): * TCP Port [135|http://www.speedguide.net/port.php?port=135] (DCE/RPC Locator service)
           * TCP Port [139|http://www.speedguide.net/port.php?port=139] (NetBIOS Session Service)
           * TCP Port [445|http://www.speedguide.net/port.php?port=445] (Windows shares)
           * C:\WINDOWS\system32\dllhost.exe (dllhost.exe seems to use a random port number)
           * C:\WINDOWS\system32\javaw.exe (Jenkins also uses a random port number)
           * File and Printer sharing (TCP 139, TCP 445, UDP 137, UDP 138 (possibly only a subset of these is required))

          Example Firewall related issues: “Error 0x800706BA The RPC server is unavailable.”, “SocketTimeoutException: Accept timed out”, “TransportException: Connection timeout”.
          The easiest way to track down firewall issues is to use [tcpdump|http://www.tcpdump.org/]. Just run the following command on the Jenkins server, which is trying to connect to the slave:
          G:  TestComplete TCP Enable → 135 ,139 ,445
          TestComplete UDP Enable → 137 ,138|
          |*5*|SMB Protocol Configuration|Run the following lines in a administrator powershell window. Jenkins does not support SMB2
          Enable-WindowsOptionalFeature -Online -FeatureName smb1protocol
           Set-SmbServerConfiguration -EnableSMB1Protocol $true|
          |*6*|Remote Registry Access|Elevated Power shell command:
          Enable-PSRemoting|
          |*7*|Enable remote registry service|If so, start the control panel, open "Administrative Tools" then "Services" Locate the Remote Registry service on the list, and click "Start this service"|
          |*8*|User in admin group|*Agent under domain account*
          If your agent is running under a domain account and you get an error code 0x800703FA, change a group policy: * open the group policy editor (gpedit.msc)
           * go to Computer Configuration→Administrative Templates→System→ UserProfiles, "Do not forcefully unload the user registry at user logoff"
           * Change the setting from "Not Configured" to "Enabled", which disables the new User Profile Service feature ('DisableForceUnload' is the value added to the registry)

          Credit to Oliver Walsh (see comments below)|
          |*9*|from javawebstart|If java webstart has been use previously, there may be a conflict. so remove /move the old configuration and uninstall the java web start jenkins service.|
          |*10*|Change Security Policy for MACHINENAME\Administrators|TITLE
           How do I configure a user account to have ‘logon as a service’ permissions?
          QUESTION / PROBLEM
           Please follow the KCS Knowledge Article guidelines to properly format your question or problem
          I am getting Service Logon Failure error 'This service account does not have the required user right "Log on as a service"' while starting server services. Can you please tell me the steps to configure my user account with Log On Service permission?
          ANSWER / SOLUTION
           Please follow the KCS Knowledge Article guidelines to properly format your answer/solution
          To add "Log on as a service" permissions: # Run *Start* > *Control Panel* > *Administrative Tools* > *Local Security Policy*
           # Select  *Local Policies* > *User Rights Assignment* > *Log on as a service*
           # Click *Add User or Group*, and then add the appropriate account to the list of accounts that possess the Log on as a service right.

           
          *Local Security Settings* # Start the control panel, go to "Administrative Tools", then "Local Security Policy". This will open up the "local security settings" window
           # Go to "Local Policies" > "Security Options" > "Network access: Sharing and security model for local accounts." Change that to "Classic."|
          |*11*|Set Registry Key Permissions to Administrators not trusted installers|This can exhibit a [0x00000005] code
          *WBEM Scripting Locator*
          On current Windows systems, Jenkins requires access to the "WBEM Scripting Locator". The following steps allow that: # Launch 'regedit' (as Administrator)
           # Find (Ctrl+F) the following registry key: "\{76A64158-CB41-11D1-8B02-00600806D9B6}" (it’s in HKEY_CLASSES_ROOT\CLSID)
           # Right click and select 'Permissions'
           # Change owner to administrators group (Advanced…​).
           # Change permissions for administrators group. Grant Full Control.
           # Change owner back to TrustedInstaller (user is "NT Service\TrustedInstaller" on local machine)
           # Restart Remote Registry Service (Administrative Tools / Services)

          Credit to Florian Vogle [on the Hudson wiki|http://wiki.hudson-ci.org/display/HUDSON/Windows+slaves+fail+to+start+via+DCOM].|
          |*12*|TEMPORARY STEP - Disable firewalls|Even with the noted ports opened for TCP and UDP traffic, there were still Access denied errors. Disabling the firewall solved this however|
          |*13*|Install Microsoft .NET 2.0 |[https://shenxianpeng.github.io/2020/07/jenkins-windows-agent-connect-problem/]
          Link above contains instructions to enabling .Net 2.0 framework on a windows 10 machine. These are no longer installed in the default windows 10 installation|
          |*14*|Set the domain specific element in user name|So there has been no change successful connection behavior with our dev ops manager rolling out the regular jenkins updates as and when they become available, There was a breaking change to support master controlled nodes and there has been no further investigation work. since from the activity on this ticket.
          Is it appropriate that the solution for "you broke it" is to "Change the method of control". And not investigate the scenario that you broke and fix it.
           The "Launch agent by connecting it to the master" is a much less stable mechanism that the master being able to control the node and required additional maintenance. I blanket removed "Launch agent by connecting to the master" as it was not suitable for my use case. May I ask what is required to go about getting this resolved.
          I have 6 jenkins nodes which all have the correct configuration and were working pre-jenkins update.
           I have correct fire wall instruction to permit traffic Infact I documented the entire approach from collated sources in order to allow consistent setup between the nodes (In the comment below)
          Can somebody advise how I can provide more information to get this looked into?| ]

            People

            Assignee:
            mediss mohamed issaoui
            Reporter:
            mediss mohamed issaoui
            Votes:
            0 Vote for this issue
            Watchers:
            6 Start watching this issue

              Dates

              Created:
              Updated: