1

I have a client and a server. The client will call a script like:

#Predefine necessary information
$Username = "Niels"
$Password = "password"
$ComputerName = "192.168.1.51"
$Script = {powershell c:/build/jclbuild2.bat}

#Create credential object
$SecurePassWord = ConvertTo-SecureString -AsPlainText $Password -Force
$Cred = New-Object -TypeName "System.Management.Automation.PSCredential" -ArgumentList $Username, $SecurePassWord

#Create session object with this
$Session = New-PSSession -ComputerName $ComputerName -credential $Cred

#Invoke-Command
$Job = Invoke-Command -Session $Session -Scriptblock $Script 
echo $Job

#Close Session
Remove-PSSession -Session $Session

On the server, jclbuild2.bat will run and access a network drive like \\otherserver\something. It says access denied if I run this command:

cmd.exe /C copy "\\server\file1.pdf" "\\server2\file1.pdf"

How do I access a network drive from a PowerShell file on a remote server? The user I use with the $username and $password should have access to the network drive.

I think it's a double hop issue, which I don't know how to solve.

2 Answers

2

You can't do this using the default authentication mechanism. You need to use an authentication mechanism that allows you to flow credentials, not just identity. Kerberos is one of these. CredSSP is another that is built into Windows starting from Vista/Server 2008 onwards.

I have experience setting up CredSSP. Note that there is some security risk because the target machine will have access to the credentials as plain text.

To set it up you will need to run two commands (both from an elevated shell): one on the machine you are running the above script on (the client) and another on the target that you will be connecting to via remoting (the server).

Enable-WSManCredSSP -Role Client -DelegateComputer $ComputerName -Force

This enables delegation to $ComputerName from the client (note you may have to use the FQDN). For security reasons you should avoid using the wildcard '*', although you might consider using '*.mydomain.int' to enable delegation to all machines on the domain.

On the target server:

Enable-WSManCredSSP -Role Server

Then, when you create the session, use the -Authentication flag:

$Session = New-PSSession -ComputerName $ComputerName -credential $Cred -Authentication Credssp

There are questions on ServerFault on setting up CredSSP. There is also a blog post here with additional explanation. This post has troubleshooting tips for some commonly encountered error messages.


3 Comments

I'm getting some WSMAN error. The identity of the target computer cannot be verified as WSMAN-service.
@Niels Which command did it fail on? See this for some additional info. I remember there being quite a bit of wrangling with FQDNs when I set this up. You may have to use the FQDN when creating the session as well.
I fixed it. I had a strange error when I added the -Authentication, then I simplified my script and it worked. Thanks!
0

Another option is to use a delegated session on your server.

Basically, you create a custom remote session that uses the -RunAs parameter to designate the credentials that the session will run under. You can also constrain what scripts and cmdlets can be run in the session and specify who can connect to the session.

In this case, the session would run as the Niels account, and everything done in the session would be under that account's authority, regardless of who was connected to the session. From that session, you can now make one hop to another server without needing CredSSP.

This also eliminates the security risk involved in storing that account password in the script file on the client computer.

http://blogs.technet.com/b/heyscriptingguy/archive/2014/04/03/use-delegated-administration-and-proxy-functions.aspx
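
The delegated session described in the answer above, as an added example that is not part of the original answer. The run-as account is set with the -RunAsCredential parameter of Register-PSSessionConfiguration; the endpoint name BuildCopy and the group DOMAIN\BuildOperators are hypothetical, and the script path is taken from the question.

```powershell
# ---- On the server (elevated PowerShell, run once) ----
$ConfigName = 'BuildCopy'                # hypothetical endpoint name
$AllowGroup = 'DOMAIN\BuildOperators'    # hypothetical group allowed to connect
$PsscPath   = Join-Path $env:ProgramData "$ConfigName.pssc"

# Constrain the endpoint: RestrictedRemoteServer hides everything except a
# handful of proxy commands, so the build script must be listed explicitly.
New-PSSessionConfigurationFile -Path $PsscPath `
    -SessionType RestrictedRemoteServer `
    -VisibleExternalCommands 'C:\build\jclbuild2.bat'

# Only local Administrators (BA) and the chosen group may open the session.
$Sid  = ([System.Security.Principal.NTAccount]$AllowGroup).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
$Sddl = "O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;$Sid)"

# The run-as password is prompted for once and stored by WinRM on the server,
# so it never has to appear in a script on the client.
$RunAs = Get-Credential -UserName 'Niels' -Message "Run-as account for $ConfigName"

Register-PSSessionConfiguration -Name $ConfigName -Path $PsscPath `
    -RunAsCredential $RunAs -SecurityDescriptorSddl $Sddl -Force

# ---- On the client ----
$ComputerName = '192.168.1.51'
$Session = New-PSSession -ComputerName $ComputerName -ConfigurationName 'BuildCopy' `
    -Credential (Get-Credential -Message 'Your own account')

# Runs as Niels on the server, so the copy to the network share is a first hop.
Invoke-Command -Session $Session -ScriptBlock { C:\build\jclbuild2.bat }
Remove-PSSession -Session $Session
```

Anyone permitted by the security descriptor can run the listed script with the run-as account's rights, so the group membership and the visible command list are the controls to review.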
