Udostępnij za pośrednictwem


Using invoke-command to launch a script on a remote computer which connects to network resources.

First, I found the details here.

Second, things can change as this is being done with the CTP for Powershell 2.0

Third, if you don’t know about remoting in 2.0 watch this 5 minute video. Then read this.

Whew.

 

 

 

 

Backstory:

You might find yourself in a situation where you want to run a batch/vbs/cmd file on a bunch of servers at once. This batch file requires to connect to network locations to gather/put information during run time. The Powershell 2.0 remoting experience out of the box doesn’t allow you to do these “double hops” with the client side credentials. What happens is that when you remote using powershell, you get a set of credentials for use on that machine.  When you go off-box, the request hasthe machine credentials. This obviously can cause issues leaving you two solutions:

1) Change the ACLS on the remote share to include the machine credentials

a. Can be done by adding <domain>\domain computers with read access to the shares(s).

b. Create a group that has all the machines required in it and ACL out the share permissions with that group.

2) Use CredSSP so that you get a credential which can do multi-hop.

So what is required to use CredSSP, thus allowing your client-side credentials to “pass-thru” to the server-side and go off box as your creds?

On the client-side:

new-item HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation -force
new-ItemProperty HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation -name AllowFreshCredentials -value 1 -type DWord -force
new-ItemProperty HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation -name ConcatenateDefaults_AllowFresh -value 1 -type DWord -force
new-item HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentials -force
new-ItemProperty HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentials -name 1 -value wsman/* -force
winrm s winrm/config/client/auth '@{CredSSP="true"}'

On the server-side:

winrm s winrm/config/service/auth '@{CredSSP="true"}'

Example without credSSP:

PS C:\Debuggers> Invoke-Command -ComputerName server1.domain.com,server2.domain.com -ScriptBlock {c:\debuggers\test_PS.cmd} -Credential reddom\brad

C:\Windows\System32>cd\

C:\>cd debuggers

C:\Debuggers>md test

C:\Debuggers>copy \\serverx\bradshare\Book1.xlsx <-- Can’t make this happen as it goes off-box as the machine account.

Access is denied.

C:\Windows\System32>cd\

C:\>cd debuggers

C:\Debuggers>md test

C:\Debuggers>copy \\serverx\bradshare\Book1.xlsx

Access is denied.

PS C:\Debuggers>

Example with credSSP:

PS C:\Debuggers> Invoke-Command -ComputerName server1.domain.com,server2.domain.com -ScriptBlock {c:\debuggers\test_PS.cmd} -Authentication CredSSP -Credential reddom\brad

//Had to use the FQDN as it does an SPN lookup and hostname fails.

C:\Windows\System32>cd\

C:\>cd debuggers

C:\Debuggers>md test

C:\Debuggers>copy \\serverx\bradshare\Book1.xlsx <-- Now goes off the server-side with my ‘brad’ user account.

1 file(s) copied.

C:\Windows\System32>cd\

C:\>cd debuggers

C:\Debuggers>md test

C:\Debuggers>copy \\serverx\bradrutk$\Book1.xlsx

1 file(s) copied.

PS C:\Debuggers>

 

Update:  

You must have at least the CTP2 verison of WINRM: https://connect.microsoft.com/WSMAN/Downloads 

Make sure to run Configure-Wsman.ps1 and WINRM quickconfig too...

Technorati Tags: powershell

Comments