Securely deploying and using credentials within a script (not running the script under the credentials)

  • Question

  • Here is my scenario - I have SCOM 2007 R2 and on certain agents I want to execute a script. One of the actions of that script is to access a secured web page using a username and password via integrated authentication (IE pop-up for auth).

    The username and password that I need to use are unrelated to the Windows domain that the servers run in, meaning you can think of the website as if it were a public site (it isn't, but it has no security sharing with the domain where the agents run - no trust, no nothing).

    I can easily accomplish this by hard-coding the username and password within the script (powershell), however, I don't want to do this for security reasons. Here's a rough example of the relevant code:

    param($uname, $pword)   # credentials supplied by the caller (the values that should not be hard-coded)

    $targetURL = "https://somehost.somewhere.something/filename.zip"
    $path = "c:\downloads\filename.zip"
    $wclient = New-Object System.Net.WebClient
    # NetworkCredential is not tied to the agent's domain, so it works against a site with no trust
    $wclient.Credentials = New-Object System.Net.NetworkCredential($uname, $pword)
    $wclient.DownloadFile($targetURL, $path)

    What I want is a way to pass the $uname and $pword variables to this script securely, with the script running on a schedule under SCOM. The SCOM agents run as LocalSystem and need to remain that way.

    I currently use Run-As accounts and profiles for other functions where the entire script runs under the run-as profile, but I can't figure out how to extract the username and passwords, and doubt it's even possible.

    To be clear, I cannot run the script under the given credentials as a Run-As account as those credentials are not known to the local server. I need to somehow pass the credentials to the script (other than hardcoding) or extract them from the run-as accounts.

    I've looked at the get-runasaccount cmdlet and can see some of the info there, but don't see a way to re-use, pass-through, or extract the password for use in my scenario.

    Any guidance? Can I get there from here?


    Monday, June 23, 2014 5:02 PM

Answers

  • Hi, check this:

    http://social.technet.microsoft.com/Forums/windowsserver/en-US/ebfc706d-93be-4ca0-83e0-33d9e072fb97/powershell-script-monitor-with-encrypted-password?forum=operationsmanagerauthoring

    But you should not specify a Run As account for your workflow; just reference the Run As username and password from the profile and use simple authentication (the same way as in the article above).

    So in the end your script will be executed by the default action account, but you'll pass the username and password securely to your script.

    • Marked as answer by EngineerBoy Tuesday, June 24, 2014 9:28 PM
    Tuesday, June 24, 2014 5:09 PM
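Worked example, added here by the editor and not part of the original question or answer: a PowerShell script shaped for the approach the answer describes. The management pack stores the credentials in a Run As account of the "Simple Authentication" type, binds it to a Run As profile, and the workflow's script parameters reference that profile's username and password (in management pack XML the references take the form $RunAs[Name="..."]/UserName$ and $RunAs[Name="..."]/Password$, as in the linked article; the profile name "MyMP.DownloadProfile", the script name, the URL, the path and the event IDs below are all assumptions). The workflow itself keeps running as the default action account; only the two values are injected into the script as parameters, so nothing is hard-coded in the script body.

```powershell
# Added example (editor's code, not the original poster's). Receives the Run As
# username and password as script parameters instead of hard-coding them.
# In the management pack the Parameters element of the PowerShell probe/write action
# would pass, for the hypothetical profile "MyMP.DownloadProfile":
#   UserName = $RunAs[Name="MyMP.DownloadProfile"]/UserName$
#   Password = $RunAs[Name="MyMP.DownloadProfile"]/Password$
param(
    [Parameter(Mandatory = $true)][string]$UserName,
    [Parameter(Mandatory = $true)][string]$Password,
    [string]$TargetUrl = "https://somehost.somewhere.something/filename.zip",   # assumed
    [string]$OutPath   = "c:\downloads\filename.zip"                            # assumed
)

$scriptName = "DownloadFile.ps1"                 # assumed name, used only for event logging
$api = New-Object -ComObject "MOM.ScriptAPI"

# Keep the clear-text password in as few places as possible: wrap it in a SecureString,
# build the credential object, then drop the plain-text variable.
$secure   = ConvertTo-SecureString -String $Password -AsPlainText -Force
$Password = $null
$cred     = New-Object System.Management.Automation.PSCredential($UserName, $secure)

$wclient = $null
try {
    # Never send a password over plain HTTP; the credential would cross the wire in the clear.
    if ($TargetUrl -notmatch '^https://') {
        throw "Refusing to send credentials to a non-TLS URL: $TargetUrl"
    }

    $wclient = New-Object System.Net.WebClient
    # GetNetworkCredential() yields the System.Net.NetworkCredential that WebClient needs.
    # It is not tied to the agent's domain, so it works against a site with no trust relationship.
    $wclient.Credentials = $cred.GetNetworkCredential()
    $wclient.DownloadFile($TargetUrl, $OutPath)

    # Severity 0 = informational. Log the account name, never the password.
    $api.LogScriptEvent($scriptName, 100, 0, "Downloaded $TargetUrl as $UserName to $OutPath")
}
catch {
    # Severity 1 = error. The exception message from WebClient does not contain the password.
    $api.LogScriptEvent($scriptName, 101, 1, "Download of $TargetUrl as $UserName failed: $($_.Exception.Message)")
    throw
}
finally {
    if ($wclient) { $wclient.Dispose() }
}
```

Two caveats a practitioner should keep in mind. First, this moves the secret out of the script and the management pack XML, but the password still reaches the agent in clear text at run time; the Run As mechanism only protects it at rest and in distribution, so the download target should be limited to what that account is allowed to fetch. Second, because the script explicitly hands the credential to WebClient, it behaves the same whether the site prompts for Basic or for Windows (NTLM) authentication, which is why the "Simple Authentication" Run As account type is sufficient even though the page asks for integrated authentication.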

All replies

  • Alexis, thanks; this looks promising. I'll give it a try.
    Tuesday, June 24, 2014 9:28 PM