Is it possible to pass credentials to a new PS session?

This topic contains 7 replies, has 3 voices, and was last updated by SuperSysAdmin 1 year, 9 months ago.

  • #28625
    SuperSysAdmin
    Participant

    I have a GUI form and from there want to open a PSSession to a computer in a new CLI window.

    So something like:

    $mycred = Get-Credential
    Start-Process powershell.exe  -ArgumentList "-noexit -command Enter-PSSession -ComputerName computer1 -Credential $mycred"
    

    As soon as I run the Start-Process, it again prompts me for credentials. Is it not somehow possible to pass the $mycred variable to the new session?

  • #28628
    Don Jones
    Keymaster

    Not in that fashion, no. You're forcing $mycred to be evaluated as a string, not a credential object, so it's disregarded and that's why you're prompted. I'm not entirely certain why you need to start a new process, though – can't you just run Enter-PSSession?

  • #28630
    SuperSysAdmin
    Participant

    Well, it's a GUI form where I enter credentials and a computername and then can do all sorts of operations against this computer.

    I also wanted to add a button to open a PSSession in a new CLI window, so that's why I am using Start-Process.

    Also tried this for instance:

    Start-Process powershell.exe  -ArgumentList "-noexit -command Enter-PSSession -ComputerName computer1" -Credential $mycred
    

    so passing the credential to the Start-Process, but then it says the username/password is incorrect (even though it's correct and I can use this credential to perform other actions against this computer).

  • #28633
    Don Jones
    Keymaster

    The latter example should have worked if $mycred is a valid credential object; I'm unfortunately not able to help you troubleshoot that without access to your network :). Syntactically, it looks correct from what you've shown me. I guess I'd just make sure you're using DOMAIN\USERNAME format for the username portion of the credential.

  • #28635
    SuperSysAdmin
    Participant

    I am running the form from a standalone PC and targeting a domain controller. Of course I enter the credential as username@domain.ext and can confirm it works, because other scripts I run from this form against this domain controller work fine.

    Also, when I run the Start-Process, I can see in the domain controller security event log a Kerberos ticket being created and all and no FailureAudits appear.

    Hmmm 🙁

  • #28637
    Dave Wyatt
    Moderator

    That's a little bit tricky. You can't pass live objects across process boundaries like that, but you can serialize the credential into text and then back again. Something like this should work (though it requires PowerShell 3.0 or later, for the PSSerializer class):

    $mycred = Get-Credential
    $credxml = [System.Management.Automation.PSSerializer]::Serialize($mycred)
    
    $commands = @"
        `$mycred = [System.Management.Automation.PSSerializer]::Deserialize('$credxml')
        Enter-PSSession -ComputerName computer1 -Credential `$mycred
    "@
    
    $base64 = [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($commands))
    
    Start-Process powershell.exe  -ArgumentList "-noexit -EncodedCommand $base64"
    

    I used -EncodedCommand to avoid any parsing / quoting problems with all of the XML on a command line.
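
The serialization round trip from the answer above, as an added example that is not part of the original thread, showing what the resulting command line actually exposes. The account name and password are constructed sample values, and the statement that the `<SS>` element is DPAPI-protected applies to Windows PowerShell.

```powershell
# Added example. The account name and password are constructed sample values.
$samplePw = 'Constructed-Sample-Pw1!'
$secure   = ConvertTo-SecureString $samplePw -AsPlainText -Force
$mycred   = New-Object System.Management.Automation.PSCredential('CONTOSO\sample.user', $secure)

# Serialize: a live PSCredential becomes CLIXML text that can cross a process boundary.
$credxml = [System.Management.Automation.PSSerializer]::Serialize($mycred)

# Build the child script as in the post. Single quotes are doubled so that a
# quote inside the XML (for example in the user name) cannot end the literal early.
$literal  = $credxml.Replace("'", "''")
$commands = "`$mycred = [System.Management.Automation.PSSerializer]::Deserialize('$literal')"
$base64   = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($commands))

# -EncodedCommand is Base64 over UTF-16LE: an encoding, not encryption. Anyone who
# can read the command line (process listing, process-creation logging) can decode it.
$decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($base64))

# Deserialize in this process to confirm the round trip; the child process does the same.
$restored = [System.Management.Automation.PSSerializer]::Deserialize($credxml)

[pscustomobject]@{
    # The user name travels in clear text inside the XML.
    UserNameVisible     = $decoded.Contains('sample.user')
    # The password sits in an <SS> element; on Windows it is DPAPI-protected,
    # decryptable only by the same user on the same machine.
    PasswordInSSElement = $credxml -match '<SS N="Password">'
    PlaintextPwPresent  = $decoded.Contains($samplePw)
    RestoredType        = $restored.GetType().FullName
    RoundTripMatches    = $restored.GetNetworkCredential().Password -eq $samplePw
}
```

Because the protected blob is bound to the user and machine that created it, this approach only works when the child process runs as the same user on the same computer.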

  • #28638
    SuperSysAdmin
    Participant

    @dlwyatt

    1) It works, thanks so much 🙂

    2) Don't exactly understand what is going on here, time to do some reading on this subject 🙂

  • #28643
    SuperSysAdmin
    Participant

    $mycred = Get-Credential
    Start-Process -FilePath "c:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ArgumentList "-noexit Enter-PSSession -ComputerName computer1" -Credential $mycred
    

    Just a small addition, above code now also works but you have to take into account 2 things:
    1) Full path to the process you call needs to be specified
    2) Credentials need to be entered in form domain\user, for some reason user@domain.ext returns incorrect username or password
