problem when starting a job within a remote CredSSP call

Developer https://www.devze.com 2023-04-02 08:15 Source: Internet
So from machine X I'm connecting to Y with Creds A as CredSSP, then I'm passing through Cred B, and I want to start a job on machine Y with Cred B.

Though I can RDP into machine Y as X, and successfully create a job locally as Y, when I do this with remoting, I get an error. Here is example code to replicate my problem with:

$sb1 = {param($cred) $cred ; write-host "started"  ; start-job  -Credential $cred -ScriptBlock {"yo"} | Wait-Job | Receive-Job }
$j = invoke-command -ComputerName $compy -Credential $creda -Authentication CredSSP -ScriptBlock $sb1 -argumentlist $credb

It's erroring on the Receive-Job, after like 30 seconds or something (maybe some timeout), and I don't see any process created in Task Manager on Y (when I put a sleep in the scriptblock with "yo" just to see).

Here is the error that comes back

[localhost] The background process reported an error with the following message: .
    + CategoryInfo          : OpenError: (:) [Receive-Job], PSRemotingTransportException
    + FullyQualifiedErrorId : PSSessionStateBroken

The extent of the exception is "The background process reported an error with the following message: ." and there is no InnerException.


As far as I understand, everything goes well when we remove the -Credential parameter of the Start-Job in the remote script.

CredSSP is used when we want our remote session to have full access to network resources. That is what is called the double-hop scenario.

In your case you build $credb on computer A; this variable contains the credentials of B, but when you give $credb as a parameter to your remote script it's serialized, and I bet that the second computer is not able to use the encrypted part of the credential.

I tried to recreate the credential on the server computer but it fails too.


To use the CredSSP switch, the remote computer needs to be configured to allow it. However, even if that's enabled, you can't simply pass a credentials object to the remote computer. You can easily test it with the code below:

$a = "hello world"
# Will work:
Invoke-Command -ScriptBlock {write-host "hello world"} -session $(get-pssession 2)
# Will break:
Invoke-Command -ScriptBlock {write-host $a} -session $(get-pssession 2)

What you can do is create a secure string using ConvertFrom-SecureString and pass it as a variable.
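
The suggestion in the last answer, sketched as an added example (not code from the original posts): the password is exported with ConvertFrom-SecureString under an explicit AES key and rebuilt on the receiving side. The helper names, the sample account and the password are constructed for illustration, and the page does not confirm that this makes Start-Job -Credential succeed inside the CredSSP session.

```powershell
# Added example. Export-CredentialBlob / Import-CredentialBlob are hypothetical names.
function Export-CredentialBlob {
    param([System.Management.Automation.PSCredential] $Credential, [byte[]] $Key)
    # With -Key the password is AES-encrypted under $Key (16, 24 or 32 bytes).
    # Without -Key, DPAPI is used and only the same user on the same machine
    # can decrypt the string, so it could not be opened on machine Y.
    @{
        UserName = $Credential.UserName
        Password = ConvertFrom-SecureString -SecureString $Credential.Password -Key $Key
    }
}

function Import-CredentialBlob {
    param($Blob, [byte[]] $Key)
    $secure = ConvertTo-SecureString -String $Blob.Password -Key $Key
    New-Object System.Management.Automation.PSCredential -ArgumentList $Blob.UserName, $secure
}

# Constructed sample data: a throwaway account name and password.
$plain = ConvertTo-SecureString 'Constructed-Sample-1!' -AsPlainText -Force
$credb = New-Object System.Management.Automation.PSCredential -ArgumentList 'EXAMPLE\svc-demo', $plain

# Random 256-bit key, generated per transfer.
$key = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($key)

# Local round trip, so the example runs without a remote host.
$blob = Export-CredentialBlob -Credential $credb -Key $key
$back = Import-CredentialBlob -Blob $blob -Key $key
$ok = $back.GetNetworkCredential().Password -eq $credb.GetNetworkCredential().Password
"round trip ok: $ok"

# Remote use with the page's variables (commented out: needs a reachable host).
# Invoke-Command -ComputerName $compy -Credential $creda -Authentication CredSSP `
#     -ArgumentList $blob, $key -ScriptBlock {
#         param($blob, $key)
#         $pw   = ConvertTo-SecureString -String $blob.Password -Key $key
#         $cred = New-Object System.Management.Automation.PSCredential -ArgumentList $blob.UserName, $pw
#         $cred.UserName   # confirm the object was rebuilt; never echo the password
#     }
```

Because the key is sent in the same call as the ciphertext, this adds no confidentiality beyond the remoting channel itself; treat the blob and the key with the same care as the password.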
