Allow multiple users to access credentials stored using export-clixml

This topic contains 3 replies, has 3 voices, and was last updated by Jason Beckett 11 months, 3 weeks ago.

  • #31543
    Jason Beckett

    I'm using the following to store credentials:

    Get-Credential -Credential "domain\user" `
    | Export-Clixml .\creds.xml

    This works in scripts when run as my account and I call the XML file. However, if I try to run a script on the same machine under a different user (e.g. a scheduled task), calling the same XML using the Import-Clixml command, I get the error:

    import-clixml : Key not valid for use in specified state.

    Do I need to switch to convertto-securestring/convertfrom-securestring or is there something I can do to allow a different user to access the stored credentials?

  • #31544
    Dave Wyatt

    You can't do that, because those cmdlets use the DPAPI to do the encryption, and DPAPI stores the encryption keys in your user profile.

    However, there are other techniques you can use, and this was the subject of a talk I gave at this year's PowerShell Summit: . The short version is, use certificates to encrypt your passwords, and distribute the certificate (with its private key) to any user who you want to be able to run the script.
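The certificate approach Dave describes, as an added example that is not code from the thread or from his talk: a self-signed document-encryption certificate encrypts the credential with Protect-CmsMessage (PowerShell 5.0 or later), and any account that has imported the certificate's private key can decrypt it. The subject name, file paths and the Get-SharedCredential helper are placeholders chosen for this example.

```powershell
# Added example (not from the thread): share a stored credential between accounts
# on one machine by encrypting it with a certificate instead of DPAPI.
# Assumes PowerShell 5.0+ (Protect-CmsMessage / Unprotect-CmsMessage).
# The subject 'CN=ScriptCredEncryption' and the file paths are placeholders.

$subject  = 'CN=ScriptCredEncryption'
$credFile = '.\creds.cms'
$pfxFile  = '.\ScriptCredEncryption.pfx'

# --- One-time setup, run as the account that owns the credential ---
# Create a self-signed document-encryption certificate with an exportable private key.
$cert = New-SelfSignedCertificate -Subject $subject -Type DocumentEncryptionCert `
    -KeyUsage KeyEncipherment, DataEncipherment -KeyExportPolicy Exportable `
    -CertStoreLocation 'Cert:\CurrentUser\My'

# Encrypt the credential. The password exists in plain text only in memory for the
# moment of encryption; only the CMS envelope is written to disk.
$cred = Get-Credential -Credential 'domain\user'
$payload = @{
    UserName = $cred.UserName
    Password = $cred.GetNetworkCredential().Password
} | ConvertTo-Json

Protect-CmsMessage -To $cert -Content $payload -OutFile $credFile

# Export the certificate WITH its private key so the other account can decrypt.
# Whoever holds this PFX and its password can read the credential, so restrict the
# file's ACL and delete it once the other account has imported it.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath $pfxFile -Password $pfxPassword | Out-Null

# --- Run once as the scheduled-task account to load the private key into its store ---
# Import-PfxCertificate -FilePath $pfxFile -CertStoreLocation 'Cert:\CurrentUser\My' `
#     -Password (Read-Host -AsSecureString -Prompt 'PFX password')

# --- In the script, under any account whose store holds the private key ---
function Get-SharedCredential {
    param([string]$Path = $credFile, [string]$CertSubject = $subject)

    # Unprotect-CmsMessage finds the matching private key in the caller's store;
    # an account without it fails here, which is the intended boundary.
    $json   = Unprotect-CmsMessage -Path $Path -To $CertSubject
    $data   = $json | ConvertFrom-Json
    $secure = ConvertTo-SecureString -String $data.Password -AsPlainText -Force
    return New-Object System.Management.Automation.PSCredential ($data.UserName, $secure)
}

$shared = Get-SharedCredential
$shared.UserName
```

With this layout the "Key not valid for use in specified state" error goes away because nothing in the file is tied to a user profile; the secret that now needs protecting is the private key, so the PFX export and the per-user certificate stores become the things to lock down and audit.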

  • #31545
    Jonathan Warnken

    I only have a basic understanding of the details but in general the default protection\encryption of secure objects uses a key that is specific to user and machine. By design this makes sharing credentials between users have the issue you are experiencing. Please be aware that in general this type of automation violates most organizations security policies.
    But it can be done:

  • #31552
    Jason Beckett

    Hi Dave,
    Thanks for the suggestion to use certificates, the video is very helpful. I'll go that route.
