Remotely setting network credentials using cmdkey

This topic contains 4 replies, has 4 voices, and was last updated by  Simar 4 months, 2 weeks ago.

  • #36924

    Reji Nair
    Participant

    I have a task to automate the build on Azure VM with custom extension scripts. One of the tasks of the custom extension scripts is to map network drives [and save their credentials]. The custom extension scripts are automatically executed by Azure using the ADMIN user id. This causes problems as the mapped network drive resides in a different user domain. As a consequence, I have to create another script [map.ps1] which does the mapping and have it invoked from a wrapper script [deploy.ps1].

    Please note snippets of my script:

    deploy.ps1

    $storageCred="A long string of name value pairs containing the network user id and password"
    $domainAdminUserId = "xxxx/yyyy"
    $domainAdminPassword = ( 'zzzz' | ConvertTo-SecureString -AsPlainText -Force )
    $domainAdminCredentials = New-Object -typename System.Management.Automation.PSCredential -argumentlist $domainAdminUserId, $domainAdminPassword
    
    Enable-PSRemoting -Force
    Invoke-Command -ComputerName localhost -FilePath "C:\FTPFiles\map.ps1" -Credential $domainAdminCredentials -ArgumentList $storageCred -Verbose
    

    Map.ps1

    # Receives the '~'-separated name=value string that deploy.ps1 passes via -ArgumentList
    param([string]$storageCred)

    $storageCredArray = $storageCred.Split('~')
    $storageCredLookupTable = ConvertFrom-StringData ($storageCredArray | Out-String)

    Write-Host 'Mapping file shares - started' -ForegroundColor Green
    $driveLetterAscii = [Byte][char]'X'

    foreach ($usr in $storageCredLookupTable.Keys) {
      $driveLetter = [Char][byte]$driveLetterAscii
      # $(...) keeps the password inside the same argument as /pass:
      CMDKEY /add:$usr.file.core.windows.net /user:$env:COMPUTERNAME\$usr /pass:$($storageCredLookupTable.Item($usr))
      Net Use ($driveLetter + ":") "\\$usr.file.core.windows.net\share" /SAVECRED /PERSISTENT:YES
      if (Test-Path ($driveLetter + ":\Interfaces")) {
          Write-Host "$driveLetter mapped to $usr.file.core.windows.net\share successfully" -ForegroundColor Green
      } else {
          Write-Host "Failure in mapping $driveLetter to $usr.file.core.windows.net\share" -ForegroundColor Red
      }
      # Next share gets the next drive letter
      ++$driveLetterAscii
    }
    

    When I run this, it errors while adding the network credentials [cmdkey /add]. I get the following error:

    CMDKEY: Credentials cannot be saved from this logon session

    Any help on this is much appreciated.

  • #37003

    Don Jones
    Keymaster

    That's a limitation of the Cmdkey command – not really a PowerShell thing. But it's related to the way Remoting handles credentials. The remote session doesn't actually get a credential, it gets a delegated ticket, so there's no token to actually save. That's all by design, and not something you can reconfigure.
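
The limitation described in the reply above can be checked from inside the script before cmdkey is attempted. The PowerShell below is an added example, not part of the original posts: the function names `Get-LogonSessionKind` and `Add-StoredCredentialChecked` and the sample account names are hypothetical, and it assumes that the well-known NETWORK SID (S-1-5-2) in the process token marks a remoting session.

```powershell
# Added example, not code from the thread. Run it inside the session that will call cmdkey.
# Assumption: the well-known NETWORK SID (S-1-5-2) in the token identifies a network logon,
# the logon type a default Invoke-Command / WinRM session receives.
function Get-LogonSessionKind {
    param(
        [System.Security.Principal.WindowsIdentity]
        $Identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    )
    $sids = @($Identity.Groups | ForEach-Object { $_.Value })
    if     ($sids -contains 'S-1-5-2') { 'Network' }      # remoting session
    elseif ($sids -contains 'S-1-5-4') { 'Interactive' }  # console or RDP logon
    elseif ($sids -contains 'S-1-5-3') { 'Batch' }        # scheduled task
    elseif ($sids -contains 'S-1-5-6') { 'Service' }
    else                               { 'Unknown' }
}

function Add-StoredCredentialChecked {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Target,
        [Parameter(Mandatory)][string]$User,
        [Parameter(Mandatory)][string]$Password
    )
    $kind = Get-LogonSessionKind
    if ($kind -eq 'Network') {
        # A network logon session has no credential set to write to, so skip the call.
        Write-Warning "Skipping ${Target}: '$kind' logon session cannot save credentials."
        return $false
    }
    if (-not $PSCmdlet.ShouldProcess($Target, 'cmdkey /add')) { return $false }
    & cmdkey.exe "/add:$Target" "/user:$User" "/pass:$Password" | Out-Null
    return ($LASTEXITCODE -eq 0)   # assumption: cmdkey exits non-zero on failure
}

# Constructed sample in the thread's "name=value~name=value" format (placeholder keys).
$storageCred = 'storageacct1=PLACEHOLDER1~storageacct2=PLACEHOLDER2'
$lookup = ConvertFrom-StringData (($storageCred -split '~') -join "`n")
"Logon session kind: $(Get-LogonSessionKind)"
foreach ($usr in $lookup.Keys) {
    # -WhatIf keeps the demo from touching the vault; remove it to save for real.
    $ok = Add-StoredCredentialChecked -Target "$usr.file.core.windows.net" -User $usr `
        -Password $lookup[$usr] -WhatIf
    "{0}: saved={1}" -f $usr, $ok
}
```

Run through `Invoke-Command`, the first output line reports `Network` and every account is skipped with a warning instead of reaching the CMDKEY error.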

  • #37312

    Valery Moskalenko
    Participant

    You should run CMDKEY for each user with RunAs. Please find some help below.

    $cmdlist = @"
    cmdkey /add:yourstorage.file.core.windows.net /user:yourstorage /pass:vcfj*********************************************/**********************************gFlw==
    Read-Host "Press any key to continue..."
    "@
    $cred = Get-Credential -Message "Enter password for user" -UserName "DOMAIN\USER"
    Start-Process powershell.exe -Credential $cred -ArgumentList $cmdlist -LoadUserProfile
    
  • #37315

    Reji Nair
    Participant

    Valery,
    The intention is to automate the mapping and not make it interactive. Anyway, you have given me ideas. Thanks for your help.

  • #74147

    Simar
    Participant

    @Reji Nair,

    I am facing a similar issue. Can you please guide me to the solution?
