
Powershell remoting - cannot execute an exe as another user

I've a commandline program (c#) that encrypts config files based on machine key. A powershell script copies the build to a Target Server, modifies configs accordingly and installs windows services. All the windows services run as local system account (standard user, non-admin) - let's call this account "locuser".

The Target Server is a Win 2012 R2 Server. All of the above is achieved by PS remoting from the Build Server to this Target server.

Now, I need to run the encrypt commandline program as "locuser", so that the program can use the account specific key to do the encryption. I know that this can be easily achieved by calling the Start-Process cmdlet with the -Credentials parameter. Well, here's the catch: the above works fine if I remote in (RDP) to the Target Server and then run Start-Process .... -Credential $cred from a Powershell Console.

However, I need this to be working while I remote in (using my scripts) to the TargetServer whilst deploying. When I remote in to the TargetServer I use credentials that have Admin privileges.

I've tried the following:

  1. I've granted "locuser" both "Full Control" and "Invoke (Execute)" permissions by using the Set-PSSessionConfiguration -Name Microsoft.PowerShell -ShowSecurityDescriptorUI command. I've run this command for both Microsoft.Powershell and Microsoft.Powershell32 - Still get Access Denied
  2. I've edited the "Local Security Policy"->"Local Policies"->"User Rights Assignment"->Impersonate a client after authentication - and added both the Admin account (that I login with) and the "locuser" account - Still get Access Denied
  3. I've also granted locuser admin rights - Still get Access Denied

I'm pretty sure there is some configuration on the PS Remoting side of things that I'm missing out on but can't figure out what, because all Powershell throws me is an Access Denied error (see screenshot) with little to no useful information to troubleshoot further.

Also checked Event logs for any traces, but to no avail.

(Screenshot: PS remoting error)

You've fallen prey to the dreaded Double Hop. Basically you're authenticating from computer A to computer B, then trying to authenticate again from computer B to computer C (which also happens to be B in this case).

If at all possible, you would be better off ending the session and starting a new one with the locuser credentials, then just calling Start-Process. Another, more messy approach is to use schtasks.

I can tell you how to do it in the same session but it's a bit messy and very complicated, and should only be a last resort:

On the originating server (Build Server):

  1. Run the command Enable-WSManCredSSP -Role Client -Delegate [name] where [name] is an IP or DNS address / range including any target servers (e.g. "192.168.1.*")
  2. Open GPEdit.msc, navigate to Computer Configuration\Administrative Templates\System\Credentials Delegation and check that the rules Allow delegating fresh credentials and Allow delegating fresh credentials with NTLM... are enabled and include [name]

On the Target Server:

  1. Run the command Enable-WSManCredSSP -Role Server

Running the command:

Invoke-Command -ComputerName $targetServer -Credential $cred -ScriptBlock {
    ## do stuff (set $sc here to the path of the program to run)

    # Second hop: re-authenticate to this same machine (".") as locuser over CredSSP.
    # $using: passes the credential object from the calling scope into the remote scope.
    Invoke-Command -ComputerName . -Credential $using:locusercred -Authentication Credssp -ScriptBlock {
        Start-Process -FilePath $using:sc # etc
    }
}

Some things to be aware of:

Firstly I used this setup to create a local session, then remote from there (so AAB instead of ABB) so the Group Policy stuff might be in the wrong place but pretty sure it's right.

Secondly, I found that credentials are a pain to get working in sessions (in this case $locusercred). I did get it going natively, but weirdly it suddenly couldn't decrypt the securestring. I ended up saving a securestring with a defined key to the registry so it can always be decrypted from any account; you may need to come up with your own solution there.

All this stuff is explained in the free eBook "The Secrets of PowerShell Remoting"; if you go for the double-hop approach I recommend giving it a read.
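As an added example, not code from the question or the answer above, here is how the two approaches the answer describes look end to end in PowerShell: the preferred one (a separate session opened directly as locuser, so there is no second hop) and the last-resort one (CredSSP with a narrowly scoped delegation, then the nested Invoke-Command). The host name, the tool and config paths, and the $adminCred / $locuserCred credential objects are assumptions and placeholders.

```powershell
# Added example (not from the question or answer). Assumes this runs on the build server,
# $targetServer is the Win 2012 R2 host, and $adminCred / $locuserCred are PSCredential
# objects already built here (e.g. via Get-Credential). All paths are placeholders.
$targetServer = 'target01.corp.example'          # placeholder host name
$encryptExe   = 'C:\Deploy\EncryptConfig.exe'    # placeholder path to the encryption tool
$configPath   = 'C:\Deploy\Service\app.config'   # placeholder config file to encrypt

# --- Option 1 (the answer's preferred route): no double hop at all.
# Open a separate session directly as locuser, so everything in it already runs under that
# account and Start-Process needs no -Credential. locuser must be allowed to use the session
# configuration (the Set-PSSessionConfiguration ACL change from the question).
$locSession = New-PSSession -ComputerName $targetServer -Credential $locuserCred
$result = Invoke-Command -Session $locSession -ScriptBlock {
    param($exe, $cfg)
    # Runs as locuser, so the tool sees locuser's user-scoped machine key.
    $p = Start-Process -FilePath $exe -ArgumentList $cfg -Wait -PassThru -NoNewWindow
    [pscustomobject]@{
        RanAs    = [Security.Principal.WindowsIdentity]::GetCurrent().Name
        ExitCode = $p.ExitCode
    }
} -ArgumentList $encryptExe, $configPath
Remove-PSSession $locSession
$result   # check RanAs is locuser and ExitCode is 0

# --- Option 2 (the answer's last resort): CredSSP so the admin session on the target can
# hand locuser's credential to a second, local hop.
# Scope -DelegateComputer to the exact target rather than a wildcard such as "192.168.1.*":
# CredSSP forwards the full credential to whichever host matches the delegation list.
# For a workgroup host or an IP address the "Allow delegating fresh credentials with
# NTLM-only server authentication" policy from the answer's step 2 is also required.
# On the build server (once, elevated):
Enable-WSManCredSSP -Role Client -DelegateComputer $targetServer -Force
# On the target server (once, elevated; done here through the admin session):
Invoke-Command -ComputerName $targetServer -Credential $adminCred -ScriptBlock {
    Enable-WSManCredSSP -Role Server -Force
}

Invoke-Command -ComputerName $targetServer -Credential $adminCred -ScriptBlock {
    ## do stuff: copy build, edit configs, register services ...

    # Values the inner block needs must exist as variables in this (outer) remote scope,
    # because the inner $using: resolves against this scope, not the build server.
    $exe = $using:encryptExe
    $cfg = $using:configPath

    # Second hop: re-authenticate to this same machine as locuser over CredSSP.
    # -Credential is evaluated in the outer scope, so $using:locuserCred works directly.
    Invoke-Command -ComputerName . -Credential $using:locuserCred -Authentication Credssp -ScriptBlock {
        Start-Process -FilePath $using:exe -ArgumentList $using:cfg -Wait -NoNewWindow
    }
}

# Remove the delegation once the deployment is done so the build server does not keep
# forwarding credentials to the target, and confirm the client-side setting is gone.
Disable-WSManCredSSP -Role Client
Invoke-Command -ComputerName $targetServer -Credential $adminCred -ScriptBlock {
    Disable-WSManCredSSP -Role Server
}
Get-WSManCredSSP   # expect "The machine is not configured to allow delegating fresh credentials."
```

Two notes on the design. Option 1 is simpler and keeps the target from ever holding a delegable copy of the admin credential, which is why it is worth trying before CredSSP. On the "suddenly couldn't decrypt the securestring" problem the answer mentions: a SecureString saved with Export-Clixml or ConvertFrom-SecureString without -Key is protected by DPAPI and can only be read back by the same user account on the same machine, which is exactly what breaks when the script runs under a different account or host; passing the live PSCredential with $using: as above avoids serializing the secret to disk at all.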
