JEA username and domain

[Kaliumiodid]

During environment setup in the "Icinga for Windows Management Console" I was selecting the option "Install JEA Profile with managed user "icinga"". This basically runs fine for all checks, but during the checks of MSSQL I found the following issue.
When running the MSSQL checks with IntegratedSecurity on, the login attempt fails. During my investigations I saw Icinga using the server's name as username and the domain as domain (so, login attempt is done with "[domain][server name]$", but it should be [server name]\icinga; this local user has all needed permissions in the database).

Expected Behavior

The check should be green.

Current Behavior

The check fails due to DB connection error.

Steps to Reproduce (for bugs)

1. Start JEA test environment
2. Execute an MSSQL check (in my case, it's either invoke-IcingaCheckMSSQLHealth -IntegratedSecurity true -warning 1s -critical 2s (which returns DB connection error and is red) or Invoke-IcingaCheckMSSQLBackupStatus -IntegratedSecurity (which returns an Icinga error with the above mentioned user credentials and is violet)
3. Besides that, typing $env:username shows the server name together with the $ sign and $env:userdomain shows the domain name. So it's at least not an issue of the MSSQL plugins.

Your Environment

• PowerShell Version used ($PSVersionTable.PSVersion): 7.3.0
• Windows Server 2022 (10.0.20348)

[Kaliumiodid]

A small addition: When I start powershell as icinga-user, the checks mentioned run fine. Typing $env:username returns icinga and $env:userdomain the server name. Doing the same in the test environment (powershell.exe -ConfigurationName 'IcingaForWindowsTest';) I get the mentioned results (DB connection error).
Looking through the scripts, I see that by default IcingaUser is set by ((Get-IcingaServices).icinga2.configuration.ServiceUser) which returns the expected .\icinga, but at some point it seems to be replaced.

[Kaliumiodid]

I was just curious: Are there any news on this topic?

Edit: I had some time to investigate this. When I created a small test configuration, I also get the device name when entering $env:username. But, when I set RunAsVirtualAccount to false, I get the username as expected.
But I was still not able to make the checks work again. After doing the same in the template file and recreating JEA via management console, the checks are all unknown. In the event viewer I saw error 1501.

[audiocoach]

I have the same problem.

[LordHepipud]

Thank you for the issue.

There is nothing we can fix here. MSSQL with IntegratedSecurity will not work while running JEA-Profiles. Once the JEA-Session is established, you will leave the "user" context of the Icinga user and run as local computer.

You will have to run username/password in such cases, as IntegratedSecurity and JEA on the same time will not work. I'm pretty sure, Microsoft didn't expect users to run both scenarios when they designed this.

To make this work properly, we would require to somehow "offload" the checks from within the JEA-Session to another session, which is running in the icinga user context still. Then both scenarios would work, as the MSSQL checks would not require specific system permissions, just database access for the queries.

How ever, right now there are just some lose concepts flying around on how this could look like.