简体繁体 English

针对不同AD域中的计算机的TFS“目标计算机上的Powershell”任务

[英]TFS 'Powershell on Target Machines' task for machines in different AD domain

原文 2017-01-03 10:13:27 4 1 powershell/ tfs/ powershell-remoting/ ms-release-management

We want to utilize TFS release management for our deployments. 我们希望将TFS版本管理用于我们的部署。 We have several environments (dev, qa, staging, prod). 我们有几种环境（dev，qa，staging，prod）。 Each of them in separate AD forest. 它们每个都位于单独的AD林中。 Build machine also resides in separate forest. 构建机器也驻留在单独的林中。 No trust between them. 他们之间没有信任。

I set up target machines to accept CredSSP authentications for PS remoting. 我将目标计算机设置为接受CredSSP身份验证以进行PS远程处理。 I was able to enter PS session on target machine from build machine. 我能够从构建计算机进入目标计算机上的PS会话。 But no luck from TFS task 'Powershell on Target Machines'. 但是，TFS任务“目标计算机上的Powershell”没有运气。

Here how my tasks looks in TFS: TFS PS on Target Machines task 这是我的任务在TFS中的外观：目标计算机上的TFS PS任务

In logs: 2016-12-30T15:04:11.0279893Z System.Management.Automation.Remoting.PSRemotingTransportException: Connecting to remote server app.dev.local failed with the following error message : WinRM cannot process the request. 在日志中：2016-12-30T15：04：11.0279893Z System.Management.Automation.Remoting.PSRemotingTransportException：连接到远程服务器app.dev.local失败，并显示以下错误消息：WinRM无法处理该请求。 The following error with errorcode 0x80090322 occurred while using Negotiate authentication: An unknown security error occurred. 使用协商身份验证时发生以下错误代码为0x80090322的错误：发生未知的安全错误。

Is there any way to make TFS run PS on target machines that resides outside of build machine AD domain? 有什么方法可以使TFS在驻留在构建计算机AD域之外的目标计算机上运行PS？

AD trust doesn't look like an option. AD信任似乎不是一种选择。 And without proper PS remoting it doesn't look like release management can provide much value for us. 而且，如果没有适当的PS远程处理，发布管理似乎无法为我们提供很多价值。

1 个解决方案

TL;DR; TL; DR;

No, you have two options. 不，您有两个选择。

Setup one way trust between your primary domain ans all of your sub domains so that your production domain credentials can be used on all of your sub domains. 在主域和所有子域之间设置一种单向信任 ，以便可以在所有子域上使用生产域凭据。
use shadow accounts to allow cross domain authentication. 使用影子帐户允许跨域身份验证。 These are local accounts with the same username and password across machines that allows auth. 这些是在允许身份验证的计算机上具有相同用户名和密码的本地帐户。 This is the official MSFT work around for non trust domain auth. 这是针对非信任域身份验证的官方MSFT解决方案。

The long answer 长答案

Other than that, since you are well off the supported happy path, you would need to implement your own custom tasks that facilitated the cross domain authentication that you want. 除此之外，由于您所支持的幸福道路还很遥远，因此您需要实施自己的自定义任务，以促进所需的跨域身份验证。 Should be a fairly simple task to implement your own tasks in PowerShell. 在PowerShell中实现您自己的任务应该是一个相当简单的任务。

https://www.visualstudio.com/en-us/docs/integrate/extensions/develop/add-build-task https://www.visualstudio.com/zh-CN/docs/integrate/extensions/develop/add-build-task

The reality is that there are only a few limited senarios that you need a "test AD" environment and it is never correct to have domains for Dev, QA, or Staging. 现实情况是，您仅需要几个有限的条件，就需要“测试AD”环境，并且拥有用于Dev，QA或暂存的域永远是不正确的。 AD is not designed that way and I have never seen it work for the benefit of the organisation or the development efforts. AD不是以这种方式设计的，我从未见过它能为组织或开发工作带来好处。 It is a product of over paranoid sysadmins and it is a lost cause. 它是过度偏执的sysadmins的产物，它是一个丢失的原因。

The only reason to have a permanent additional domain is for your sysadmins to test their domain changes and configurations. 拥有永久附加域的唯一原因是让系统管理员测试其域更改和配置。

For software development projects that actively change AD, or require specific setups for testing, you would dynamically create your test domain along with the test machines required. 对于主动更改AD或需要特定设置进行测试的软件开发项目，您将动态创建测试域以及所需的测试机器。 That is how you create valid and repeatable tests against a Domain. 这就是您针对域创建有效且可重复的测试的方式。