October 31, 2015 at 12:33 am

I'm using the following to store credentials:

GET-CREDENTIAL -Credential "domain\user" `
| EXPORT-CLIXML .\creds.xml

This works in scripts when run as my account and I call the XML file. However, if I try to run a script on the same machine under a different user (e.g. a scheduled task), calling the same XML using the import-clixml command, I get the error:

import-clixml : Key not valid for use in specified state.

Do I need to switch to convertto-securestring/convertfrom-securestring or is there something I can do to allow a different user to access the stored credentials?

October 31, 2015 at 5:24 am

You can't do that, because those cmdlets use the DPAPI to do the encryption, and DPAPI stores the encryption keys in your user profile.

However, there are other techniques you can use, and this was the subject of a talk I gave at this year's PowerShell Summit: https://www.youtube.com/watch?v=Ta2hQHVKauo . The short version is, use certificates to encrypt your passwords, and distribute the certificate (with its private key) to any user who you want to be able to run the script.
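
An added example, not part of the original post and not necessarily the method shown in the talk: one way to apply the certificate approach using the built-in CMS cmdlets. It assumes PowerShell 5.0+ on Windows 10 / Server 2016 or later; the certificate subject and file paths are hypothetical.

```powershell
# --- As the account that owns the credential (one-time setup) ---
# Hypothetical subject name; DocumentEncryptionCert is the type the CMS cmdlets require.
$cert = New-SelfSignedCertificate -Subject 'CN=ScriptCredentialProtection' `
    -Type DocumentEncryptionCert -KeyUsage DataEncipherment, KeyEncipherment `
    -CertStoreLocation Cert:\CurrentUser\My

# Encrypt the password to the certificate instead of to the user's DPAPI key.
$cred = Get-Credential -Credential 'domain\user'
[pscustomobject]@{
    UserName   = $cred.UserName
    Thumbprint = $cert.Thumbprint
    Password   = Protect-CmsMessage -To $cert.Thumbprint `
                     -Content $cred.GetNetworkCredential().Password
} | Export-Clixml -Path .\creds.xml

# Export the certificate WITH its private key for the other account.
# Whoever holds this PFX and its password can decrypt creds.xml, so restrict
# access to it and delete the file once it has been imported.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath .\ScriptCredentialProtection.pfx `
    -Password $pfxPassword | Out-Null

# --- As the other user, e.g. the scheduled-task account (one-time setup) ---
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Import-PfxCertificate -FilePath .\ScriptCredentialProtection.pfx `
    -CertStoreLocation Cert:\CurrentUser\My -Password $pfxPassword | Out-Null

# --- In the script itself, under either account ---
$saved = Import-Clixml -Path .\creds.xml

# Fail with a clear message if this user lacks the private key, rather than
# with an opaque decryption error.
$key = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Thumbprint -eq $saved.Thumbprint -and $_.HasPrivateKey }
if (-not $key) {
    throw "Private key for certificate $($saved.Thumbprint) not found for $env:USERNAME."
}

# Decrypt and rebuild a PSCredential for use with -Credential parameters.
$secure = Unprotect-CmsMessage -Content $saved.Password |
    ConvertTo-SecureString -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential `
    ($saved.UserName, $secure)
```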

October 31, 2015 at 5:44 am

I only have a basic understanding of the details, but in general the default protection\encryption of secure objects uses a key that is specific to user and machine. By design, this makes sharing credentials between users have the issue you are experiencing. Please be aware that in general this type of automation violates most organizations' security policies.
But it can be done:
http://blogs.technet.com/b/robcost/archive/2008/05/01/powershell-tip-storing-and-using-password-credentials.aspx
https://gallery.technet.microsoft.com/scriptcenter/PowerShell-Credentials-d44c3cde

October 31, 2015 at 1:26 pm

Hi Dave,
Thanks for the suggestion to use certificates; the video is very helpful. I'll go that route.