Remotely setting network credentials using cmdkey

This topic contains 3 replies, has 3 voices, and was last updated by Reji Nair 8 months ago.

  • #36924
    Reji Nair
    Participant

    I have a task to automate the build on Azure VM with custom extension scripts. One of the tasks of the custom extension scripts is to map network drives [and save their credentials]. The custom extension scripts are automatically executed by Azure using the ADMIN user id. This causes problems as the mapped network drive resides in a different user domain. As a consequence, I have to create another script [map.ps1] which does the mapping and have it invoked from a wrapper script [deploy.ps1].

    Please note snippets of my script:

    deploy.ps1

    # Share credentials handed over by the extension as "name=value" pairs separated by '~'
    $storageCred="A long string of name value pairs containing the network user id and password"
    # Account in the domain that owns the shares, in DOMAIN\user form
    $domainAdminUserId = "xxxx\yyyy"
    $domainAdminPassword = ( 'zzzz' | ConvertTo-SecureString -AsPlainText -Force )
    $domainAdminCredentials = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $domainAdminUserId, $domainAdminPassword

    Enable-PSRemoting -Force
    # Runs map.ps1 in a remote session on localhost; $storageCred arrives as the script's first parameter
    Invoke-Command -ComputerName localhost -FilePath "C:\FTPFiles\map.ps1" -Credential $domainAdminCredentials -ArgumentList $storageCred -Verbose


    Map.ps1

    # Receives the value passed through Invoke-Command -ArgumentList
    param([string]$storageCred)

    # "name=value~name=value" -> hashtable keyed by storage account name
    $storageCredArray = $storageCred.Split('~')
    $storageCredLookupTable = ConvertFrom-StringData ($storageCredArray | Out-String)

    Write-Host 'Mapping file shares - started' -ForegroundColor Green
    $driveLetterAscii = [Byte][char]'X'

    foreach ($usr in $storageCredLookupTable.Keys) {
      $driveLetter = [Char][byte]$driveLetterAscii
      # Arguments are quoted: in a bare argument PowerShell reads $usr.file as a property access and expands it to nothing
      CMDKEY "/add:$usr.file.core.windows.net" "/user:$env:COMPUTERNAME\$usr" "/pass:$($storageCredLookupTable[$usr])"
      Net Use ($driveLetter + ":") "\\$usr.file.core.windows.net\share" /SAVECRED /PERSISTENT:YES
      if (Test-Path ($driveLetter + ":\Interfaces")) {
          Write-Host "$driveLetter mapped to $usr.file.core.windows.net\share successfully" -ForegroundColor Green
      } else {
          Write-Host "Failure in mapping $driveLetter to $usr.file.core.windows.net\share" -ForegroundColor Red
      }
      ++$driveLetterAscii
    }


    When I run this, it errors while adding the network credentials [cmdkey /add]. I get the following error:

    CMDKEY: Credentials cannot be saved from this logon session

    Any help on this is much appreciated.

  • #37003
    Don Jones
    Keymaster

    That's a limitation of the Cmdkey command – not really a PowerShell thing. But it's related to the way Remoting handles credentials. The remote session doesn't actually get a credential, it gets a delegated ticket, so there's no token to actually save. That's all by design, and not something you can reconfigure.

  • #37312
    Valery Moskalenko
    Participant

    You should run CMDKEY per each user with RunAs. Please find some help below

    # Commands to run in the child PowerShell; the key value is redacted
    $cmdlist = @"
    cmdkey /add:yourstorage.file.core.windows.net /user:yourstorage /pass:vcfj*********************************************/**********************************gFlw==
    Read-Host "Press any key to continue..."
    "@
    $cred = Get-Credential -Message "Enter password for user" -UserName "DOMAIN\USER"
    # -Command is given explicitly so the here-string is executed as script text
    Start-Process powershell.exe -Credential $cred -ArgumentList "-Command", $cmdlist -LoadUserProfile

  • #37315
    Reji Nair
    Participant

    Valery,
    The intention is to automate the mapping and not make it interactive. Anyway, you have given me ideas. Thanks for your help.
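A non-interactive take on Valery's RunAs suggestion that also covers Reji's map.ps1, as an added example that is not code from this thread: the script reads the same `acct1=key1~acct2=key2` string, fails fast when it finds itself inside a remoting session (the situation in which cmdkey refuses to save), and maps each share with a PSCredential through New-PSDrive -Persist, so the storage key is never an argument on a cmdkey or net use command line where process-creation auditing would record it. The credential file, its ACL, the share name `share`, the starting drive letter and the `$env:COMPUTERNAME\<account>` user form are assumptions (the last one carried over from the original post).

```powershell
# Added example, not code from the thread. map.ps1: maps one Azure file share per
# storage account without placing the account key on a cmdkey/net use command
# line, and refuses to run where Credential Manager cannot save.
param(
    # File holding the "acct1=key1~acct2=key2" string. Assumed to be written by
    # deploy.ps1 with an ACL limited to the mapping account and removed afterwards.
    [Parameter(Mandatory)][string]$StorageCredFile,
    [string]$ShareName = 'share',      # assumption: every account exposes 'share'
    [char]$FirstDriveLetter = 'X'
)

# $PSSenderInfo is set only inside a remoting session (Invoke-Command -ComputerName).
# That is the case in which cmdkey reports "Credentials cannot be saved from this
# logon session", so stop with a clear message instead.
if ($PSSenderInfo) {
    throw 'Started through PowerShell remoting; run this script with Start-Process -Credential instead.'
}

# Parse "k=v~k=v"; split each pair on the first '=' only, because base64 keys end in '='.
$accounts = [ordered]@{}
foreach ($pair in (Get-Content -LiteralPath $StorageCredFile -Raw).Trim() -split '~') {
    if ([string]::IsNullOrWhiteSpace($pair) -or $pair -notlike '*=*') { continue }
    $name, $key = $pair -split '=', 2
    $accounts[$name.Trim()] = $key.Trim()
}

$letter = [int][char]$FirstDriveLetter
foreach ($account in $accounts.Keys) {
    $drive = [string][char]$letter
    $root  = "\\$account.file.core.windows.net\$ShareName"
    # User name form taken from the original post; the key travels inside a
    # PSCredential object rather than as a child-process argument.
    $secret = ConvertTo-SecureString $accounts[$account] -AsPlainText -Force
    $cred   = New-Object System.Management.Automation.PSCredential("$env:COMPUTERNAME\$account", $secret)
    $err = $null
    try {
        # -Scope Global keeps the mapping alive after the script scope ends
        New-PSDrive -Name $drive -PSProvider FileSystem -Root $root -Credential $cred `
            -Persist -Scope Global -ErrorAction Stop | Out-Null
    } catch {
        $err = $_.Exception.Message
    }
    # One result object per share for the caller to log or check
    [pscustomobject]@{ Drive = "${drive}:"; Root = $root; Mapped = ($null -eq $err -and (Test-Path "${drive}:\")); Error = $err }
    $letter++
}
```

Launch it from deploy.ps1 with `Start-Process powershell.exe -Credential $domainAdminCredentials -ArgumentList '-NoProfile','-File','C:\FTPFiles\map.ps1','C:\FTPFiles\creds.txt' -Wait` (paths assumed) instead of through Invoke-Command, which is what the guard above rejects.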