question

0 Votes
AMARRISNolanLEPAPE-8620 asked AdamsJeremy-5890 published

Azure Automation Hybrid Worker Sandbox process creation failed

Hi,
I am trying to set up an Azure Automation runbook with a hybrid worker; the goal is to delete computers from our on-premises AD.
The problem is that I can't even test my runbook as I have errors on the server in the event viewer (error ID 15180 and 15106) saying "Sandbox process creation failed on the hybrid worker server".

I get these two errors, and the runbook job goes from "Queued" to "Suspended".

Error | ID 15180
Sandbox process creation failed [SandboxId={JOB_ID}][Reason=Failed to grant access to Windows Station and Desktop][Exception=System.Security.Principal.IdentityNotMappedException: Some or all identity references could not be translated.]

Error | ID 15106
Hybrid sandbox manager failed to create sandbox. [AccountId=account id] [RunbookWorkerGroup=GroupName] [MachineName=computername] [MachineId={machineid}] [SandboxId={sandboxid}] [SandboxHubEndpoint=] [Exception=System.AggregateException: One or many errors have happened. ---> Orchestrator.Runtime.SandboxCreationException: Failed to grant access to Windows Station and Desktop ---> System.Security.Principal.IdentityNotMappedException: Some or all identity references could not be translated.]

The Log Analytics workspace is ok with my server showing in the "Agent Management".
In my azure automation account, in "hybrid worker groups", the hybrid worker group is showing 1 computer.

In the event viewer on the server I can see "Hybrid runbook worker started successfully".

But right after this event:

Info | ID 15157
Sandbox access settings completed - [User='scrubbed' [SandboxId={sandboxid}]] [SandboxId={sandboxid}]

It fails with the two errors



I used those websites to set up all of this:
https://shehanperera.com/2021/07/06/az-automation/
https://practical365.com/how-to-manage-on-premises-infrastructure-using-azure-automation-hybrid-worker/

If someone has a solution, I'm all ears.

Thanks,
Nolan

Tags: azure-active-directory, azure-automation

@AMARRISNolanLEPAPE-8620, apologies for the delay in handling this one. I am checking this internally and will update on this. It may be possible that the user account mentioned may not have rights to delete the account. Or there may be a group policy preventing the deletion of device objects in the container in local AD.

0 Votes 0 ·

Hi @AMARRISNolanLEPAPE-8620, did you manage to fix this issue? I'm having the exact same issue but unable to fix it.

0 Votes 0 ·

Hi @Josie-8846, sorry, no. I switched to a local server-based solution (we have a Jenkins server and used it too; it works for now). But it only works in the local network, so chances are if you need it for online purposes it is not the best solution. Good luck.

0 Votes 0 ·
Josie-8846 replying to AMARRISNolanLEPAPE-8620 ·

Thanks @AMARRISNolanLEPAPE-8620, I just managed to fix this issue! Hopefully sharing the solution will help you and others solve it too... I spent hours troubleshooting it, and then it turns out the issue was caused by the automation account credentials. If you go to the Azure Automation account, click on Shared Resources / Credentials, if you created an account in the UPN format "first.last@domain.com", the @ symbol is the culprit! If you change it to domain\first.last (or domain\username), it should work. I hope this helps you, let me know how you go if you manage to test it.
Josie.

1 Vote 1 ·
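A pre-flight check an administrator can run on the hybrid worker itself before queuing a job, as an added example that is not part of this thread and not Microsoft's code (the function name `Get-DownLevelLogonName` and the sample account are hypothetical): it resolves the credential's user name to a SID through Windows identity translation, the same translation that raises the `IdentityNotMappedException` quoted in events 15180 and 15106, and then round-trips the SID back to the canonical `DOMAIN\user` form that Josie's fix stores in the Automation credential, so you get the right NetBIOS domain name without guessing it from the UPN suffix.

```powershell
# Added example (not from the thread). Run on the domain-joined hybrid worker,
# in the same session context the worker uses, so domain lookups behave as they do for the sandbox.
function Get-DownLevelLogonName {
    param([Parameter(Mandatory)][string]$UserName)   # name exactly as stored in Shared Resources / Credentials

    $out = [ordered]@{
        Input         = $UserName
        Format        = 'Unknown'
        Resolves      = $false
        Sid           = $null
        DownLevelName = $null   # DOMAIN\user, the form the fix in the thread uses
        Error         = $null
    }

    # Classify the format so the report says which style was supplied.
    if     ($UserName -match '^[^@\\]+@[^@\\]+$')  { $out.Format = 'UPN' }        # first.last@domain.com
    elseif ($UserName -match '^[^@\\]+\\[^@\\]+$') { $out.Format = 'DownLevel' }  # DOMAIN\first.last

    try {
        # NTAccount -> SecurityIdentifier is the lookup that throws IdentityNotMappedException
        # when the name cannot be mapped to an account on this host / domain.
        $sid = ([System.Security.Principal.NTAccount]$UserName).Translate(
                   [System.Security.Principal.SecurityIdentifier])
        $out.Resolves = $true
        $out.Sid      = $sid.Value

        # SID -> NTAccount yields the canonical down-level name (NetBIOS domain \ sAMAccountName).
        $out.DownLevelName = $sid.Translate([System.Security.Principal.NTAccount]).Value
    }
    catch [System.Security.Principal.IdentityNotMappedException] {
        # Same failure the worker logs under "Failed to grant access to Windows Station and Desktop".
        $out.Error = $_.Exception.Message
    }

    [pscustomobject]$out
}

# Constructed sample input; replace with the name from your Automation credential.
Get-DownLevelLogonName -UserName 'first.last@contoso.example' | Format-List
```

If `Resolves` is false for the name you stored, the worker will fail at sandbox creation regardless of the runbook's own permissions; if it resolves, `DownLevelName` is the value to put in the credential.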

0 Answers