Invoke command using local admin creds

This topic contains 8 replies, has 3 voices, and was last updated by Richard Diphoorn 2 weeks, 4 days ago.

  • #53477
    TommyQuality
    Participant

    Hi,

    I'm after a bit of advice.

    I'm trying to invoke a command scriptblock but need to use local creds rather than domain creds.

    I've tried to pass the creds using Get-Credential but I get the following error:

    "WinRM cannot process the request. The following error with error code 0x80090311 occurred while using Kerberos authentication"

    Thanks in advance

    Tom

    • This topic was modified 2 weeks, 6 days ago by TommyQuality.
    #53487
    Richard Diphoorn
    Participant

    Can you show the command you're using? I'm guessing you've maybe hit the double-hop issue.

    #53505
    TommyQuality
    Participant

    # Local admin account: prompt for the password once, build the credential per server
    # (the original assigned $Password twice and used $TimeServer before the loop set it)
    $Password = Read-Host -AsSecureString "Enter Your Password:"

    $TimeServers = $servers
    foreach ($TimeServer in $TimeServers) {
        # Qualify the user with the target's name so it is treated as a local account there
        $LAdmin = "$TimeServer\User"
        $TimeCreds = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $LAdmin, $Password

        Write-Host "Resyncing time on $TimeServer" -ForegroundColor DarkYellow
        Enter-PSSession -ComputerName $TimeServer
        # Script block must contain the command itself, not a string literal of it
        Invoke-Command -ComputerName $TimeServer -ScriptBlock { w32tm /resync } -Credential $TimeCreds -Verbose -Debug
        Exit-PSSession
    }

    #53516
    Richard Diphoorn
    Participant

    You're using a bit of a strange method here. First you enter a PS remoting session, then you use Invoke-Command. That's not the way to go. You can just use this if the server you connect to is domain joined:

    Invoke-Command -ComputerName $TimeServer -ScriptBlock { w32tm /resync }

    If that server is not domain joined, then you have to set up your configuration for this. Check this eBook for the details:
    https://www.gitbook.com/book/devopscollective/secrets-of-powershell-remoting/details

    #53522
    Don Jones
    Keymaster

    Enter-PSSession -ComputerName $TimeServer
    Invoke-Command -ComputerName $TimeServer -ScriptBlock {"w32tm /resync"} -Credential $TimeCreds -Verbose -Debug

    Here, the Enter-PSSession is redundant. Just remove that and the Exit-PSSession. Invoke-Command will then spin up a new session to the remote machine, and that new session will be spun up using the credentials you desire. What you're currently doing is...

    1. Connecting from ComputerA to ComputerB, and delegating your ComputerA credentials

    2. Asking ComputerB to connect to ComputerC (which is in fact still ComputerB), using a set of specified credentials – this isn't legal using Kerberos, which is the default authentication protocol

    It might be worth reading up a bit on some of Remoting's basics, so that you have a better feel for how sessions are used and managed. We have a free Remoting book (on our eBooks page) that goes over the foundations, if that helps.

    #53548
    TommyQuality
    Participant

    Hi,

    Thanks for the replies, I kinda knew what I was doing was wrong. But I was just testing different methods to see if I could get it working.

    Anyway, if I remove the Enter-PSSession I still get the same issue. I need to pass the local Admin creds to allow me to run the command w32tm /resync.

    Basically, the Domain Controllers are being aged (date changed to the future) and I need to resync all the times as quickly as possible. I want to try to avoid having to log onto each server and run the command. So I need to use the local admin account rather than the domain account, as this is blocked due to the time difference between host and DC.

    Thanks

    Tom

    #53552
    Don Jones
    Keymaster

    Ah.

    So... I'm not actually sure that'll work. At least not with Kerberos, and at least not how you're doing it. You're probably going to have to enable, and then use, Basic authentication. That'll mean either implementing SSL on the DCs, or adding them to your local TrustedHosts list. Be aware that without SSL, you're passing username/password in clear text.

    The problem is that Kerberos doesn't let you authenticate using non-Domain credentials. That's more or less the point of it, in fact. So if the domain isn't an option, then neither is Kerberos. Nothing else will be enabled on the DCs by default, though, so you'll have to enable Basic or something else – possibly using a Group Policy, if possible, or manually if not.
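    The approach Don describes in his two replies (drop the nested session, connect with a single Invoke-Command, and use Basic authentication with TrustedHosts or SSL because Kerberos cannot carry a local account), written out as an added example. This is not code from the thread or from any of its posters; the server names, the local account name "LocalResync", and the assumption that Basic auth is already enabled on the DCs' WinRM listeners (and that an HTTPS listener exists when $UseSsl is $true) are all placeholders or assumptions.

```powershell
# Added example: resync time on a list of DCs with a local administrator account.
# Assumptions (not from the thread): placeholder server names and account name,
# Basic auth enabled on each target's WinRM service (WSMan:\localhost\Service\Auth\Basic),
# and an HTTPS listener on the DCs when $UseSsl is $true. Basic over plain HTTP also
# needs AllowUnencrypted on both ends and sends the password in the clear, as Don notes.

$TimeServers = @('DC01.corp.example', 'DC02.corp.example')   # placeholder names
$LocalUser   = 'LocalResync'                                  # placeholder local account
$UseSsl      = $true                                          # $false only if no HTTPS listener exists

$Password = Read-Host -AsSecureString 'Password for the local account'

# Record the client's current TrustedHosts so it can be restored afterwards.
# Entries are scoped to the named servers only; never use '*'.
$TrustedHostsPath = 'WSMan:\localhost\Client\TrustedHosts'
$OriginalTrusted  = (Get-Item $TrustedHostsPath).Value

try {
    if (-not $UseSsl) {
        # TrustedHosts is only consulted for non-Kerberos, non-SSL connections.
        Set-Item $TrustedHostsPath -Value ($TimeServers -join ',') -Concatenate -Force
    }

    foreach ($TimeServer in $TimeServers) {
        # Qualify the user with the target's short name so WinRM treats it as local there.
        $ShortName  = $TimeServer.Split('.')[0]
        $Credential = New-Object System.Management.Automation.PSCredential ("$ShortName\$LocalUser", $Password)

        # One hop only: Invoke-Command creates its own session with these credentials.
        $params = @{
            ComputerName   = $TimeServer
            Credential     = $Credential
            Authentication = 'Basic'          # Kerberos cannot authenticate a local account
            UseSSL         = $UseSsl
            ScriptBlock    = { w32tm /resync; w32tm /query /status }
            ErrorAction    = 'Stop'
        }

        try {
            Write-Host "Resyncing time on $TimeServer" -ForegroundColor DarkYellow
            Invoke-Command @params
        }
        catch {
            Write-Warning "$TimeServer : $($_.Exception.Message)"
        }
    }
}
finally {
    # Put the client back the way it was so the broadened trust does not linger.
    Set-Item $TrustedHostsPath -Value $OriginalTrusted -Force
}
```

    The TrustedHosts change is undone in the finally block whether or not the loop succeeds, so the client is not left trusting the DCs by name after the one-off fix; with $UseSsl set to $true the TrustedHosts edit is skipped altogether because certificate validation covers host identity and the Basic credential travels inside TLS.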

    #53851
    TommyQuality
    Participant

    Thanks for the advice.

    I'm trying to get this working by enabling Basic authentication and TrustedHosts, but not having any joy.

    I'll keep trying though, and post the answer once I've solved it.

    Thanks for your time.

    Tom

    #53853
    Richard Diphoorn
    Participant

    Yeah, PS Remoting can be a pain in the b*tt sometimes. I hope you'll have success and are willing to share your efforts here.
