How to guarantee fresh 2.3.0.1 install with no past passwords?

I’m trying to reinstall on a Windows 10 21H2 IOT pc that previously had Duplicati 2.1 initial stable release. It took me a long time to get that to work a year ago, and after trying on another pc and having even more problems I went back to 2.0.1.8 for it and all the other pc’s around. [Am CrashPlan survivor, came to Duplicati back then, v. 1.x.]. I got 2.3 to work on the other pc yesterday without too much grief, doing a wipe and reload once, but then I knew its passphrase/password maybe? Importing the backup definitions/dbs is easy. It has a couple of other issues I’ll ask about separately (VSS, email). [BTW, I REALLY like what has been done with 2.3 and would like to get there. Thanks!]

However, on this pc I’ve done a wipe and reload twice now (procedure as shown below), and I’m still in password hell. The Tray Icon works on its own as port 8300 (no arguments), but will not connect to the server on 8200 with the added args - even though I gave the passphrase when prompted on initial (re-)install first window presentation. Or is this a procedural thing where I shouldn’t have allowed the GUI to start before doing the CMD for Service Install? Or ???

/*Correction

Seems the “other” pc isn’t doing what I expected either. It is (mostly) happily running with its imported job set, but even though the Tray Icon properties are set to connect to port 8200 with the long args and a password, the web page it builds is on port 8300. I didn’t notice that. I can log out and log in again in that page OK. However, if I open a page on port 8200, I’m back to unrecognized password and a Windows log with a .NET Error. There are other Info log entries with App Errors for Duplicati. I’ll go over to the Support forum for those and other bits.

But that begs the question: Is this the new normal for V2.3? That the Service runs on 8200 but is inaccessible, and the web GUI has to run on 8300 as negotiated by the Tray Icon? Is the Service even being used in this context? Should I uninstall the Service and move the Tray Icon back into the Startup folder where it once was many revs ago? Sorry for the chum, but I’m really confused at this point.

End Correction */

Below is an excerpt of my own notes I wrote as a reminder of how to do things not mentioned in the manual.

What am I missing to get a clean install where I can give the server its password? I get you prefer the random one, but the instructions on retrieving it are too terse for my understanding. There is a flash on the screen too fast to read or capture. I’d need a FAR more detailed tutorial for that, with screenshots of the Event Viewer for example.
Just for giggles, I’ll append the logs that appear after the Server is started at the end of this. … Um, oh WOW - it is throwing up a fresh .Net Error every 10 seconds! Shutting it down…

This thing is not happy… Again, what else do I need to do to get it to a .msi install with no earlier baggage, or what more precise install procedure?

====================================== My notes:

To do a full fresh reinstall to solve a password issue, first STOP then UNINSTALL the Service, then Windows uninstall the Program. Next clean out these folders (which may contain your backup definition files as above, save them in the process) so that the record of the old password is deleted:

C:\Program Files\Duplicati – if it exists, Windows uninstall may remove it

C:\Users\\AppData\Local\Duplicati – remove control_dir_v2 and Duplicati-server.sqlite

C:\ProgramData\Duplicati

C:\Windows\System32\config\systemprofile\AppData\Local\Duplicati

-- if it exists, not used in 2.3; artifact of previous versions.

===================================Windows App logs

Information:

Service started successfully.

Error:

Category: Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddleware
EventId: 1
SpanId: fa5d58bd1952b37d
TraceId: e31aa61bbf4441a7fb8c96a64fb9e75e
ParentId: 0000000000000000
ConnectionId: 0HNLJ9M2PI4LT
RequestId: 0HNLJ9M2PI4LT:00000001
RequestPath: /api/v1/auth/login

An unhandled exception has occurred while executing the request.

Exception:
Duplicati.WebserverCore.Exceptions.UnauthorizedException: Failed to log in
at Duplicati.WebserverCore.Endpoints.V1.Auth.<>c.<b__3_2>d.MoveNext()
— End of stack trace from previous location —
at Microsoft.AspNetCore.Http.RequestDelegateFactory.g__ExecuteAwaited|92_0[T](Task`1 task)
at Duplicati.WebserverCore.Middlewares.HostnameFilter.InvokeAsync(EndpointFilterInvocationContext context, EndpointFilterDelegate next)
at Duplicati.WebserverCore.Middlewares.LanguageFilter.InvokeAsync(EndpointFilterInvocationContext context, EndpointFilterDelegate next)
at Microsoft.AspNetCore.Http.RequestDelegateFactory.<ExecuteValueTaskOfObject>g__ExecuteAwaited|130_0(ValueTask`1 valueTask, HttpContext httpContext, JsonTypeInfo`1 jsonTypeInfo)
at Microsoft.AspNetCore.Http.RequestDelegateFactory.<>c__DisplayClass102_2.<b__2>d.MoveNext()
— End of stack trace from previous location —
at Duplicati.WebserverCore.Middlewares.WebsocketExtensions.<>c__DisplayClass0_0.<b__0>d.MoveNext()
— End of stack trace from previous location —
at Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddlewareImpl.g__Awaited|10_0(ExceptionHandlerMiddlewareImpl middleware, HttpContext context, Task task)

Error:

Category: Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddleware
EventId: 1
SpanId: cfbbc84c47e33980
TraceId: 714b91c8cc4595c79060f7d129c09570
ParentId: 0000000000000000
ConnectionId: 0HNLJ9M2PI4LS
RequestId: 0HNLJ9M2PI4LS:00000007
RequestPath: /api/v1/auth/refresh

An unhandled exception has occurred while executing the request.

Exception:
Duplicati.WebserverCore.Exceptions.UnauthorizedException: Authorization failed due to missing cookie.
at Duplicati.WebserverCore.Endpoints.V1.Auth.<>c.<b__3_0>d.MoveNext()
— End of stack trace from previous location —
at Microsoft.AspNetCore.Http.RequestDelegateFactory.g__ExecuteAwaited|92_0[T](Task`1 task)
at Duplicati.WebserverCore.Middlewares.HostnameFilter.InvokeAsync(EndpointFilterInvocationContext context, EndpointFilterDelegate next)
at Duplicati.WebserverCore.Middlewares.LanguageFilter.InvokeAsync(EndpointFilterInvocationContext context, EndpointFilterDelegate next)
at Microsoft.AspNetCore.Http.RequestDelegateFactory.<ExecuteValueTaskOfObject>g__ExecuteAwaited|130_0(ValueTask`1 valueTask, HttpContext httpContext, JsonTypeInfo`1 jsonTypeInfo)
at Microsoft.AspNetCore.Http.RequestDelegateFactory.<>c__DisplayClass102_2.<b__2>d.MoveNext()
— End of stack trace from previous location —
at Duplicati.WebserverCore.Middlewares.WebsocketExtensions.<>c__DisplayClass0_0.<b__0>d.MoveNext()
— End of stack trace from previous location —
at Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddlewareImpl.g__Awaited|10_0(ExceptionHandlerMiddlewareImpl middleware, HttpContext context, Task task)

Many(!) Errors later

Error:

Category: Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddleware
EventId: 1
SpanId: 05c3c3c4142b312d
TraceId: d5afea35b813e87b10657eea84541fa4
ParentId: 0000000000000000
ConnectionId: 0HNLJ9M2PI4LT
RequestId: 0HNLJ9M2PI4LT:000000DB
RequestPath: /api/v1/auth/login

An unhandled exception has occurred while executing the request.

Exception:
Duplicati.WebserverCore.Exceptions.UnauthorizedException: Failed to log in
at Duplicati.WebserverCore.Endpoints.V1.Auth.<>c.<b__3_2>d.MoveNext()
— End of stack trace from previous location —
at Microsoft.AspNetCore.Http.RequestDelegateFactory.g__ExecuteAwaited|92_0[T](Task`1 task)
at Duplicati.WebserverCore.Middlewares.HostnameFilter.InvokeAsync(EndpointFilterInvocationContext context, EndpointFilterDelegate next)
at Duplicati.WebserverCore.Middlewares.LanguageFilter.InvokeAsync(EndpointFilterInvocationContext context, EndpointFilterDelegate next)
at Microsoft.AspNetCore.Http.RequestDelegateFactory.<ExecuteValueTaskOfObject>g__ExecuteAwaited|130_0(ValueTask`1 valueTask, HttpContext httpContext, JsonTypeInfo`1 jsonTypeInfo)
at Microsoft.AspNetCore.Http.RequestDelegateFactory.<>c__DisplayClass102_2.<b__2>d.MoveNext()
— End of stack trace from previous location —
at Duplicati.WebserverCore.Middlewares.WebsocketExtensions.<>c__DisplayClass0_0.<b__0>d.MoveNext()
— End of stack trace from previous location —
at Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddlewareImpl.g__Awaited|10_0(ExceptionHandlerMiddlewareImpl middleware, HttpContext context, Task task)

Error from last night, different from the above, just a bit after reinstall:

5/15/2026 7:50:27 PM

Category: Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddleware
EventId: 1
SpanId: ff7ee72024013f93
TraceId: 97a6053881d24b3da4f18467b539abf9
ParentId: 0000000000000000
ConnectionId: 0HNLIUNDJT6FG
RequestId: 0HNLIUNDJT6FG:00000004
RequestPath: /api/v1/auth/refresh

An unhandled exception has occurred while executing the request.

Exception:
Duplicati.WebserverCore.Exceptions.UnauthorizedException: Failed to refresh token
at Duplicati.WebserverCore.Endpoints.V1.Auth.<>c.<b__3_0>d.MoveNext()
— End of stack trace from previous location —
at Microsoft.AspNetCore.Http.RequestDelegateFactory.g__ExecuteAwaited|92_0[T](Task`1 task)
at Duplicati.WebserverCore.Middlewares.HostnameFilter.InvokeAsync(EndpointFilterInvocationContext context, EndpointFilterDelegate next)
at Duplicati.WebserverCore.Middlewares.LanguageFilter.InvokeAsync(EndpointFilterInvocationContext context, EndpointFilterDelegate next)
at Microsoft.AspNetCore.Http.RequestDelegateFactory.<ExecuteValueTaskOfObject>g__ExecuteAwaited|130_0(ValueTask`1 valueTask, HttpContext httpContext, JsonTypeInfo`1 jsonTypeInfo)
at Microsoft.AspNetCore.Http.RequestDelegateFactory.<>c__DisplayClass102_2.<b__2>d.MoveNext()
— End of stack trace from previous location —
at Duplicati.WebserverCore.Middlewares.WebsocketExtensions.<>c__DisplayClass0_0.<b__0>d.MoveNext()
— End of stack trace from previous location —
at Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddlewareImpl.g__Awaited|10_0(ExceptionHandlerMiddlewareImpl middleware, HttpContext context, Task task)

EDIT: /// I’m NOT going to mark this closed and resolved. It seems I actually have DO NEED for the Service .. for VSS. /// … , as the Tray Icon now persists on a reboot and does what I need. I’ve been hung up on ancient workarounds and procedures that don’t apply to the modern version.

  • Patient: Doc it hurts when I …
    Physician: Don’t do that.

So far I’ve got three units running with only the Tray Icon, no Service install. All had prior versions of Duplicati with the Service running. All now have their exported backup jobs/dbs imported successfully. These all have destinations as SMB targets, either locally or on SoftEther VPN remote SMB targets. I’m looking forward to redoing them with the 2.3 multiple target feature.

A couple of notes along the way:

The .msi package “REMOVE” button seems to do a better job of cleaning up things than Windows Uninstall. After fighting with the Service password issue with 2.3 on each of them, doing the Remove and a fresh install was then very clean. Check on the box to run Duplicati now, do NOT install the Service and therefore do not edit the Tray Icon properties.

I still have no idea how to acquire the password for the Service. The User Docs give tantalizing hints but NO ACTUAL PROCEDURE that one can follow step by step with screenshots. It is unclear which switch goes on what command on what platform, in which context, etc. If somebody actually can figure it out and post it on the forum, it would be a blessing. And perhaps give a more salient explanation of why the Service would still be desirable any more? Right now I don’t see it.

Now that I’m not fighting with it, I’m feeling really good about the new version. Thank You!!!

I just discovered again why I need the Service. For VSS. Which explains why I’m getting a VSS warning running with just the inadequately privileged Tray Icon. !@#$%^&*

If you have no intention of ever using a TrayIcon with its own built-in server,
having it start that way will likely confuse you, but isn’t permanently harmful.

would be nice, and is even more needed because 2.1+ has additional security.

v2.1.0.4_stable_2025-01-31

Mandatory password

Current documentation covers that in

Duplicati Access Password

It’s almost invisible, opening GUI from TrayIcon running on its internal server.
Any other use requires some more complicated arrangement for GUI access.

Running the Server as a Windows Service
shows how to pass server --webservice-password when starting TrayIcon.
There is (and has been for many years) also a --no-hosted-server option.
Without that, TrayIcon comes up on port 8300, thinking it’s to run standalone.

Detached TrayIcon
shows the configuration you want, if you will only be using it with your service.

Configuring the server password

says how to use --webservice-password option to set the server password.
You can add this and other server options on command line installing service.

This scheme is not terribly secure, as it leaves the password fairly accessible,
either in service config, system logs, or shortcut which reinstall may also lose.

Once you get into the server from GUI, Settings can do the password change.
You would then remove the initial temporary password from the service config.
Temporary signin token is how to locate automatic temporary password to use
if you find digging in the event logs easier than some extra work with a service.

Preload settings is an alternative way to pass options into Server and TrayIcon.
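
The reply above names the service config and the TrayIcon shortcut as places where a `--webservice-password` value stays readable; the script below checks both and lists every `Duplicati-server.sqlite` in the data folders mentioned in this thread. It is an added example, not code from the thread or the Duplicati project, and the service name `Duplicati` is an assumption (pass `-ServiceName` if yours differs).

```powershell
# Added example (not Duplicati project code). Run from an elevated prompt.
# Assumption: the Windows service is registered under the name 'Duplicati'.
param([string]$ServiceName = 'Duplicati')

# Matches --webservice-password=value, --webservice-password value, or a quoted value.
$optionPattern = '(--webservice-password)(=|\s+)("[^"]*"|\S+)'

function Hide-Password([string]$Text) {
    # Mask the option value so this report does not expose the secret again.
    [regex]::Replace($Text, $optionPattern, '$1$2<redacted>')
}

$findings = @()

# 1. Service configuration: the command line Windows stores for the service.
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'" -ErrorAction SilentlyContinue
if ($svc -and $svc.PathName -match $optionPattern) {
    $findings += [pscustomobject]@{ Location = "Service '$ServiceName'"; CommandLine = Hide-Password $svc.PathName }
}

# 2. Shortcuts in the per-user and all-users Startup folders.
$shell = New-Object -ComObject WScript.Shell
$startupDirs = [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')
foreach ($dir in $startupDirs) {
    foreach ($file in Get-ChildItem -Path $dir -Filter *.lnk -ErrorAction SilentlyContinue) {
        $lnk = $shell.CreateShortcut($file.FullName)
        if ($lnk.Arguments -match $optionPattern) {
            $findings += [pscustomobject]@{ Location = $file.FullName; CommandLine = Hide-Password $lnk.Arguments }
        }
    }
}

# 3. Server databases in the data folders discussed in this thread.
$dataDirs = @(
    (Join-Path $env:LOCALAPPDATA 'Duplicati'),
    (Join-Path $env:ProgramData 'Duplicati'),
    (Join-Path $env:SystemRoot 'System32\config\systemprofile\AppData\Local\Duplicati')
)
$databases = foreach ($dir in $dataDirs) {
    Get-ChildItem -Path $dir -Filter 'Duplicati-server.sqlite' -ErrorAction SilentlyContinue |
        Select-Object FullName, LastWriteTime
}

if ($findings) {
    $findings | Format-List | Out-Host
} else {
    Write-Host 'No --webservice-password found in the service config or Startup shortcuts.'
}
$databases | Sort-Object LastWriteTime -Descending | Format-Table -AutoSize | Out-Host
```

More than one database in the last table means a TrayIcon was at some point started with its own hosted server as well as the service; the per-user folder checked is that of the account running the script.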

Thank you for the reply! The real key to my problem is that I’ve been used to examining Windows log files for so long (NT on) that I always looked at Windows–>Application and Windows–>System that I completely missed that the web link for the initial password input and presentation is in Event Viewer → Applications and Services → Duplicati 2.

That simple change of verbiage to be more specific in the Documentation would have saved me days and y’all from having to deal with my whining about it… Pleeeeeze!!! BTW, I’d be happy to submit added details for the Docs - is there a particular forum category that is best for that?

I’ve come a long way today in understanding the new model. The Eureka moment was this morning when I read on my phone a Reddit user’s reply to a note that Kenkendk left basically restating the web docs.

I’m keeping my own notes for this with the intent of tidying them up for the How To section of the forum, something for casual users like me. One mystery I have yet to understand is why the Tray Icon and Server don’t always use the same folder to build their unique versions of their .sqlite files. Seems like the first one to the party gets to use User…AppData and the next uses ProgramData? I don’t really care where it lives, but either way I’d like to see: “In the End there can be only One”.

I just logged in now to mostly remove the original request as it was founded on incorrect assumptions. However, I find I can’t go back and do that. If I could I would… Sorry.

There have to be different configs for different users. Service is usually SYSTEM.
On a multi-user Duplicati system, each user’s config lives in their own user profile.
SYSTEM user gets special case, as its profile can be wiped by Windows upgrade.

Database location on Windows is how it should work, but you describe otherwise.
I don’t think the detached TrayIcon even uses database. Please check your tests.
I think it should only connect to the server of your choice, and use server’s config.

Starting TrayIcon by accident without --no-hosted-server would make it a DB,
Duplicati-server.sqlite, but this wouldn’t be what the Server of the Service will use.

We also develop the documentation in the open, so you can submit changes directly from the repo:

Simply locate the file you want to edit (maybe search for a string on the page) then click the small pencil (upper right corner) and start editing.

We changed that recently (in 2.2 I think). Previously we would write everything in the general log, but this made it difficult to find specific messages as other services write there as well. And it also made it impossible to set limits on Duplicati log messages specifically.

If you use that method, I recommend that you use these steps:

  1. Uninstall the service (if already installed)
  2. Install the service with a dummy password, like --webservice-password=changeme123
  3. Uninstall the service
  4. Install the service again, do not provide --webservice-password this time
  5. Log in with the dummy password
  6. Change the password to a secure one

This slightly convoluted way ensures that the real password is not persisted in logs. (For 2.3, install/uninstall will automatically start/stop the service).

With 2.3 you can now start the TrayIcon with --no-hosted-server and it will ask for the server password and url. Type in the password and check the “Save configuration” checkbox and it will persist this with the secret provider (Windows Credential Manager for Windows systems).

Yeah, we had “one way” initially. The problem is that when you are running as a service, there is no “desktop user”, so the service has no AppData folder. The default from Windows is to use C:\Windows\System32\config\systemprofile\AppData\Local\Duplicati for services.

Maybe that makes sense in some cases, but later versions of Windows started completely wiping the C:\Windows folder on major upgrades, erasing all the Duplicati settings. For that reason we decided to handle the service differently and store it in C:\ProgramData\Duplicati.

You can see where the data is stored here: