Windows 上的 Jenkins 无法使用 WinRM 进行部署？

Question

I have an old established codebase that I'm trying to bring up to modern era standards. Most of it is written on Windows using Visual Studio, so I need to have a Windows based build server to use the MSBuild pipeline. I have a mostly working Jenkins CI pipeline that ingests from Github webhooks, and should deploy to a Windows PC on my local.network. I've tested that this works from any other user, on my workstation and on the build server. I know Jenkins runs jobs as the "NT AUTHORITY\System" user, and I've used SysInternals PSExec to pop in and setup my ssh keys, and so forth in the past. The problem is during the deploy step; I'm compressing and copying the build output using a PowerShell script, and using New-PSSession , and Copy-Item -ToSession .

I'm using a cred I'm constructing with Get-Credential, user/pass pair, that I've verified as working. All concerned systems are in a simple workgroup, no domain involved.

The New-PSSession command in my deploy.ps1 script fails with the following error:

PS C:\Program Files (x86)\Jenkins\workspace\xxx> .\deploy.ps1

Compressing to C:\Windows\TEMP\tmpEBB2.tmp.zip
New-PSSession: C:\Program Files (x86)\Jenkins\workspace\xxx\deploy.ps1:95
Line |
  95 |  …     $sess = New-PSSession -ComputerName $TargetHost -Credential $cred …
     |                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | [205.208.87.185] Connecting to remote server 205.208.87.185 failed with the following error message :
     | WinRM cannot process the request. The following error with errorcode 0x8009030d occurred while using
     | Negotiate authentication: A specified logon session does not exist. It may already have been
     | terminated.    Possible causes are:   -The user name or password specified are invalid.   -Kerberos is
     | used when no authentication method and no user name are specified.   -Kerberos accepts domain user
     | names, but not local user names.   -The Service Principal Name (SPN) for the remote computer name and
     | port does not exist.   -The client and remote computers are in different domains and there is no trust
     | between the two domains.  After checking for the above issues, try the following:   -Check the Event
     | Viewer for events related to authentication.   -Change the authentication method; add the destination
     | computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.  Note that computers
     | in the TrustedHosts list might not be authenticated.    -For more information about WinRM
     | configuration, run the following command: winrm help config. For more information, see the
     | about_Remote_Troubleshooting Help topic.  Other Possible Cause:   -The domain or computer name was not
     | included with the specified credential, for example: DOMAIN\UserName or COMPUTER\UserName.
Write-Error: C:\Program Files (x86)\Jenkins\workspace\xxx\deploy.ps1:129
Line |
 129 |  Deploy-ToTargetHost
     |  ~~~~~~~~~~~~~~~~~~~
     | Could not establish session.

I generated that second error when the $sess var fails to populate. This is line 95:

$sess = New-PSSession -ComputerName $TargetHost -Credential $cred

I believe I've heard something about the System user has some restrictions on.network access? Is there any way to work around this?

I mean, I can just scp it over if there's no other way to do this, but I really wanted to just have all my shell scripting in pwsh if I could get away with it. Thanks.

[Edit: TL;DR, I suppose I can modify Jenkins to run as a different user, but why isn't it already running like that? This just seems trivially weird to me to install by default on a user with no.network access, I guess?]

Answer 1

I ended up running Jenkins as a different user in Windows Services, specifically a "regular" login user. This made it do the deployment successfully.