
Use current PowerShell credentials for remote call

I have a PowerShell script that is used to remotely call other PowerShell scripts on other servers. The script is used to shut down and start up services on the different servers. The PowerShell script is set up in such a way that all I have to do is invoke it by calling serverStartStop [START|STOP] and it goes automatically and methodically to a list of servers and turns off a list of services on each server.

I recently had an upgrade to the system that requires a batch script to be run after starting a few services. I'm able to call the batch script remotely, but the batch script calls another command that tries to access a share on the network. The command fails because whatever user is being used to call the command does not have sufficient privileges to access the share.

I've tried several things to remedy this situation and done some research into the Invoke-Command cmdlet in PowerShell and the runas command for Windows Batch. The runas command asks for a password for the user, which is not acceptable as this is an automated script. Does anyone have any ideas as to how I can make this work cleanly and without user interaction other than making the initial START or STOP call?

The -Credential method on Invoke-Command is probably what you want. I find this pretty useful for storing a credential set for scripting use in an encrypted fashion.

Add-Type -AssemblyName System.Security

# String to encrypt (the typed text is echoed to the console; Read-Host -AsSecureString would hide it)
$passwordASCII = Read-Host -Prompt "Enter the Password"

# String to byte array (UTF-16; the same encoding must be used when decrypting)
$enc = [System.Text.Encoding]::Unicode
$clearPWD_ByteArray = $enc.GetBytes($passwordASCII.ToCharArray())

# Encrypt with DPAPI. LocalMachine scope means any account on this machine can
# decrypt the file; CurrentUser scope would bind it to the account running the script.
$secLevel = [System.Security.Cryptography.DataProtectionScope]::LocalMachine
$bakCryptedPWD_ByteArray = [System.Security.Cryptography.ProtectedData]::Protect($clearPWD_ByteArray, $null, $secLevel)

# Store in Base64 form (restrict the file's ACL to the account that runs the script)
$B64PWD_ByteArray = [Convert]::ToBase64String($bakCryptedPWD_ByteArray)
Set-Content -LiteralPath c:\Temp\pass.txt -Value $B64PWD_ByteArray

<#
Use...

Add-Type -AssemblyName System.Security
$resCryptedPWD_ByteArray = [Convert]::FromBase64String((Get-Content -LiteralPath "$Password_File"))
$secLevel = [System.Security.Cryptography.DataProtectionScope]::LocalMachine
$clearPWD_ByteArray = [System.Security.Cryptography.ProtectedData]::Unprotect($resCryptedPWD_ByteArray, $null, $secLevel)
$enc = [System.Text.Encoding]::Unicode

...to retrieve the password from $Password_File (this must run on the machine that
encrypted it, since a LocalMachine-scoped DPAPI blob cannot be decrypted elsewhere).

Then use...

$enc.GetString($clearPWD_ByteArray)

...as your password
#>

Sounds like a double hop problem. These are notoriously difficult to work around, since the credentials you would pass can't be authenticated by the second system.

CredSSP is a solution, but it does increase security risk so use caution, make sure you understand the configuration, and make sure you configure it right.
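The two answers fit together: the first stores the service account's password as a DPAPI blob, the second explains why passing that credential to Invoke-Command alone does not let the remote batch step reach the share. The following is an added example, not code from either answer, that joins the two: it rebuilds a PSCredential from the protected file and runs the remote step with CredSSP so the credential is delegated to the target server. The file path C:\Temp\pass.txt comes from the first answer; the account CONTOSO\svc_startstop, the server APP01.contoso.local, the script paths and the share \\fileserver\share are placeholders assumed here.

```powershell
# Added example (not from the original post). Assumed names: CONTOSO\svc_startstop,
# APP01.contoso.local, C:\Scripts\*.ps1/.cmd and \\fileserver\share are placeholders.
Add-Type -AssemblyName System.Security

function Get-StoredCredential {
    param(
        [Parameter(Mandatory)] [string] $UserName,
        [Parameter(Mandatory)] [string] $PasswordFile,
        # LocalMachine matches the file written by the first answer; CurrentUser would
        # restrict decryption to the account that encrypted it.
        [System.Security.Cryptography.DataProtectionScope] $Scope = 'LocalMachine'
    )
    # Set-Content appended a newline to the Base64 text, so trim before decoding.
    $protected = [Convert]::FromBase64String((Get-Content -LiteralPath $PasswordFile -Raw).Trim())
    $clear = [System.Security.Cryptography.ProtectedData]::Unprotect($protected, $null, $Scope)
    try {
        # Move the UTF-16 bytes into a SecureString rather than a plain [string]
        $secure = New-Object System.Security.SecureString
        foreach ($ch in [System.Text.Encoding]::Unicode.GetChars($clear)) { $secure.AppendChar($ch) }
        $secure.MakeReadOnly()
        return New-Object System.Management.Automation.PSCredential ($UserName, $secure)
    }
    finally {
        # Zero the plaintext bytes once they are inside the SecureString
        [Array]::Clear($clear, 0, $clear.Length)
    }
}

# One-time configuration for the delegation path (run elevated):
# on the machine that runs serverStartStop (client side of the first hop):
#   Enable-WSManCredSSP -Role Client -DelegateComputer 'APP01.contoso.local' -Force
# on each target server (server side of the first hop):
#   Enable-WSManCredSSP -Role Server -Force

$cred = Get-StoredCredential -UserName 'CONTOSO\svc_startstop' -PasswordFile 'C:\Temp\pass.txt'

# Without -Authentication CredSSP the remote session only holds a network logon,
# which cannot authenticate onward to \\fileserver\share: the failure in the question.
# With CredSSP the credential is delegated to APP01, so the batch step can open the share.
Invoke-Command -ComputerName 'APP01.contoso.local' -Credential $cred -Authentication CredSSP -ScriptBlock {
    param($Action)
    & 'C:\Scripts\serverStartStop.ps1' $Action
    # Post-upgrade batch step; it accesses \\fileserver\share with the delegated credential
    & 'C:\Scripts\post-upgrade.cmd'
} -ArgumentList 'START'
```

Two checks before relying on this: CredSSP hands the remote host a reusable copy of the credential, which is the risk the second answer warns about, so limit -DelegateComputer to the exact target names rather than a wildcard; and because the blob is protected at LocalMachine scope, any account on the scheduling host can decrypt it, so the file's ACL, not DPAPI, is what keeps other local users out.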

粤ICP备18138465号  © 2020-2024 STACKOOM.COM