Cannot decrypt exported Credentials when using Scheduled Jobs

  • Question

  • Hey guys,

    I encrypt passwords for later use in scripts like this:
    get-credential | export-clixml c:\mycreds.xml

    I decrypt them in a Script like this:
    $Cred = Import-Clixml c:\mycreds.xml



    I work with scheduled jobs to run my script unattended. Works fine as long as the user is logged on. But not when logged off.

    Here is what I've done so far:
    1. I connect via RDP and create the XML File
    2. I create a scheduled Job in which I run a script which imports the XML
    3. I wait for the scheduled job to run while logged on. Works.
    4. I reschedule the scheduled Job to run in 5 Min.
    5. I log off the machine and wait for the script to run.
    6. I log back on and see that it couldn't run the script. With Receive-Job I get this error:
    Key not valid for use in specified state.
    The user I log on with, is the same as the one running the Job, is the same which created the "mycreds.xml".

    No Problem with Scheduled Tasks (created via GUI). There it works as long as I do NOT check the Box "Do not store password. The task will only have access to local computer resources."

    Is there any way to make this work with scheduled jobs? I do not want to use scheduled tasks because I need the feature to receive the output of my script with "Receive-Job". 

    Any help appreciated. :) 

    www.netlogix.de


    • Edited by Reittier Monday, February 3, 2020 8:28 AM typo
    Thursday, January 30, 2020 1:13 PM

All replies

  • Just create a scheduled task using the cmdlets.

    help Register-ScheduledTask -ShowWindow


    \_(ツ)_/

    Thursday, January 30, 2020 1:26 PM
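    The cmdlet route suggested above, as an added example that is not part of the reply: it registers the same script twice through the ScheduledTasks module, once with a stored password and once with an S4U principal, which is what the "Do not store password" box from the question produces. The task names, the script path and the account name are assumptions; the password is prompted for rather than written into the script.

    ```powershell
    # Added example (not from the thread). Needs the ScheduledTasks module
    # (Windows 8 / Server 2012 and later). Names and paths below are assumed.
    $scriptPath = 'C:\Scripts\Export-Sql.ps1'   # assumed
    $runAs      = 'Server1\User1'               # assumed local account, as in the thread
    $action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
                 -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$scriptPath`""
    $trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(5)

    # Variant A: full logon with a stored password. Task Scheduler keeps the
    # password in its own credential store; the session it creates can unlock
    # User1's DPAPI master key, so Import-Clixml works with User1 logged off.
    $cred = Get-Credential -UserName $runAs -Message 'Password for the task account'
    Register-ScheduledTask -TaskName 'SqlExport-Password' -Action $action -Trigger $trigger `
        -User $cred.UserName -Password $cred.GetNetworkCredential().Password | Out-Null

    # Variant B: S4U logon, i.e. "Do not store password". No password reaches
    # the session, so user-scoped DPAPI blobs only decrypt while User1 is
    # logged on (matching the observation in the question), and the task has
    # no network identity either.
    $s4u = New-ScheduledTaskPrincipal -UserId $runAs -LogonType S4U
    Register-ScheduledTask -TaskName 'SqlExport-S4U' -Action $action -Trigger $trigger `
        -Principal $s4u | Out-Null

    # Compare what Task Scheduler stored for the two registrations.
    Get-ScheduledTask -TaskName 'SqlExport-*' |
        Select-Object TaskName,
            @{ n = 'UserId';    e = { $_.Principal.UserId } },
            @{ n = 'LogonType'; e = { $_.Principal.LogonType } }
    ```

    Run this from an elevated session on Server1; the last command lists one task with LogonType Password and one with S4U. Variant A is the one the rest of the thread converges on, and the same distinction applies to Register-ScheduledJob.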
  • Thanks for your answer!

    yeah I wrote that this makes it work. But I wanted to use scheduled jobs because I need the "receive-job" feature to get the output of the jobs. This is very handy in my case. 

    I just wanted to know if someone had the same experience and has a solution for it, or maybe an explanation. 


    www.netlogix.de

    Friday, January 31, 2020 10:05 AM
  • There is no need to do this the way you are doing it.  Just define the job to run as the user and let it go.

    The credentials do not need to be saved. Just add them to the job.

     help Register-ScheduledJob -par credential

    The system does the rest for you.


    \_(ツ)_/

    Friday, January 31, 2020 6:43 PM
  • Thanks again for your answer.

    I have to use a different account, because the job needs to access a resource in a non-trusted different domain.

    The job accesses a SQL database, which cannot be put in the same domain. 
    I'm using a "least privileged" specific sql-server Account.

    www.netlogix.de

    Monday, February 3, 2020 7:39 AM
  • To use a SQLServer account you need to add the login and password to the connect string.


    \_(ツ)_/

    Monday, February 3, 2020 8:31 AM
  • This is totally correct. And this is what I do in the Script. And it works perfectly well. And this is not what I need help with.

    I store the credentials in the XML, to have them encrypted somehow so I do not need to store the password as clear text. I decrypt the credentials in the script. I then use the Username and Password in the connect string. Works perfectly as designed.

    But I want to use it in a scheduled job, because I need the "Receive Job" feature, which I do not have when using a scheduled task. 

    Don't get me wrong, I appreciate your efforts in helping me. And I see you just want to understand why I go this complicated way. :) 

    www.netlogix.de

    Monday, February 3, 2020 8:43 AM
  • It has to be encrypted with the account the task is running under.


    \_(ツ)_/

    Monday, February 3, 2020 8:47 AM
  • Hey jrv.

    Please read my post again. I already wrote that I'm doing this. The problem is, that it does only work, if the User is logged on.

    www.netlogix.de

    Monday, February 3, 2020 8:56 AM
  • Certainly doesn't make any sense.  I recommend contacting MS Support and opening a ticket on this.

    Are you using the user's network credentials for the task?  You must save the credentials and password.  The task has to be able to perform a full login so it has full access to the user's resources that may be on the network, and I am pretty sure the account must be able to authenticate on the network so it has access to the remote domain.  Local logons cannot see outside of the local domain and its resources.


    \_(ツ)_/

    Monday, February 3, 2020 9:01 AM
  • Ok maybe I explain further:

    There is a Server1. 
    There is a User1 on Server1. (Local User)

    There is a Server2 hosting a SQL Server 2016 (in another domain).
    With a SQL-User2 existing in the SQL Server on Server2. 

    I created an XML1 on Server1 with the Username and encrypted PW of SQL-User2, by logging in with User1 and running Get-credential | Export-clixml

    I create a scheduled Job on Server1, with User1. The Job runs a Script which reads the XML1, decrypts and uses the Username and PW of SQL-User2

    $cred = Import-Clixml -Path c:\XML2.xml
    $User = $cred.UserName
    $Pass = $cred.GetNetworkCredential().Password   # plaintext from here on
    
    # $dataSource and $database are set elsewhere in the script (not shown in the post)
    $connectionString = "Server=$dataSource;uid=$User; pwd=$Pass;Database=$database;Integrated Security=False;"

    The Job on Server1 runs as long as User1 is logged on Server1.
    The Job fails when User1 is NOT logged in on Server1, when trying to import the xml.

    So my question is why I cannot import the XML in a scheduled job, when the user is not logged on.

    I understand that it may look strange with the SQL Server stuff and so on. But it would be too complex or too much to explain why I have to do it. 
    If there is no way for it to work with "Scheduled Jobs" then I have to use "Scheduled Tasks" and find a workaround for the problem that I cannot use the "Receive-Job" feature. I was just wondering why it works with Tasks but not with Jobs. Is this a bug, or does it work as designed?


    www.netlogix.de

    Monday, February 3, 2020 9:42 AM
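    The job script from the post above, as an added example that is not the poster's code: it reads the exported PSCredential, reports clearly when DPAPI cannot unprotect it (the "Key not valid for use in specified state" case), and opens the SQL connection through a SqlCredential so the SQL-User2 password never appears in a connection string. It targets Windows PowerShell 5.1, where System.Data.SqlClient is loaded by default; the server name, database name and the C:\XML2.xml path are assumptions taken from the post.

    ```powershell
    # Added example (not code from the thread). Windows PowerShell 5.1 / .NET
    # Framework. Paths and server names are assumed.
    param(
        [string]$CredPath   = 'C:\XML2.xml',                  # path used in the post
        [string]$DataSource = 'server2.otherdomain.example',  # assumed
        [string]$Database   = 'Inventory'                     # assumed
    )

    function Get-StoredCredential {
        param([Parameter(Mandatory)][string]$Path)
        try {
            $cred = Import-Clixml -Path $Path
        }
        catch {
            # "Key not valid for use in specified state" lands here: the session
            # running the job cannot reach the DPAPI master key of the user who
            # ran Export-Clixml. Record the identity so Receive-Job shows whether
            # the job even ran as the expected account.
            $who = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
            throw "Cannot unprotect '$Path' as $who (logged-off/S4U session?): $($_.Exception.Message)"
        }
        if ($cred -isnot [System.Management.Automation.PSCredential]) {
            throw "'$Path' does not contain a PSCredential"
        }
        return $cred
    }

    function Invoke-SqlScalar {
        param(
            [Parameter(Mandatory)][System.Management.Automation.PSCredential]$Credential,
            [Parameter(Mandatory)][string]$Server,
            [Parameter(Mandatory)][string]$Database,
            [Parameter(Mandatory)][string]$Query
        )
        # SqlCredential requires a read-only SecureString; copy it so the
        # PSCredential's own SecureString stays usable. The password is never
        # turned into a plain .NET string, so it is not sitting in the
        # connection string or in SqlConnection.ConnectionString.
        $pwd = $Credential.Password.Copy()
        $pwd.MakeReadOnly()
        $sqlCred = [System.Data.SqlClient.SqlCredential]::new($Credential.UserName, $pwd)

        # No uid/pwd here; the credential object is passed separately.
        # Encrypt=True forces TLS, and TrustServerCertificate stays at its
        # default (False) so the cross-domain server's certificate is validated.
        $connStr = "Server=$Server;Database=$Database;Encrypt=True;Integrated Security=False;"
        $conn = [System.Data.SqlClient.SqlConnection]::new($connStr, $sqlCred)
        try {
            $conn.Open()
            $cmd = $conn.CreateCommand()
            $cmd.CommandText = $Query
            return $cmd.ExecuteScalar()
        }
        finally {
            $conn.Dispose()
            $pwd.Dispose()
        }
    }

    $cred = Get-StoredCredential -Path $CredPath
    # SUSER_SNAME() returns the login SQL Server actually authenticated, which
    # confirms the least-privileged SQL-User2 account was used.
    Invoke-SqlScalar -Credential $cred -Server $DataSource -Database $Database -Query 'SELECT SUSER_SNAME()'
    ```

    Saved as a .ps1 and passed to Register-ScheduledJob -FilePath, the script's output (the SQL login name) and any thrown error come back through Receive-Job, which keeps the feature the poster wants while removing the plaintext password from the connection string.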
  • The job has to be run with full credentials which is why I suggested using a scheduled task.

    Register-ScheduledJob -Credential <full user credentials for the job>

    Same with task.  I recommend testing the task first by creating it in the GUI using the task scheduler.  Be sure the task is defined with full user credentials so that it has network access.


    \_(ツ)_/

    • Marked as answer by Reittier Monday, February 3, 2020 11:02 AM
    Monday, February 3, 2020 9:47 AM
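    The accepted answer in working form, as an added example that is not part of the thread: it registers the job with an explicit -Credential, reads back from Task Scheduler which logon type was actually stored instead of assuming it, and collects the output with Receive-Job afterwards. It also restricts the credential file's ACL, because DPAPI binds the SecureString to User1 but the file itself is otherwise readable by anyone with access to the folder. The job name and script path are assumptions; C:\mycreds.xml is the file from the question.

    ```powershell
    # Added example (not from the thread). Windows PowerShell 5.1 with the
    # PSScheduledJob and ScheduledTasks modules. Job name and script path are
    # assumed; C:\mycreds.xml is the file from the question.
    $jobName    = 'SqlExport'                  # assumed
    $scriptPath = 'C:\Scripts\Export-Sql.ps1'  # assumed
    $credPath   = 'C:\mycreds.xml'

    # 1. Lock the file down to the account that created it. DPAPI already ties
    #    the SecureString to User1, but nobody else needs to read the blob.
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    icacls $credPath /inheritance:r /grant:r "${me}:(F)" | Out-Null

    # 2. Register with a full credential. Without -Credential, PSScheduledJob
    #    registers the task without a stored password, the same state as the
    #    "Do not store password" task in the question, and in that session
    #    DPAPI cannot unlock User1's master key once User1 has logged off.
    $jobCred = Get-Credential -UserName $me -Message 'Password for the account the job runs as'
    $trigger = New-JobTrigger -Once -At (Get-Date).AddMinutes(5)
    $options = New-ScheduledJobOption -RequireNetwork
    Register-ScheduledJob -Name $jobName -FilePath $scriptPath -Trigger $trigger `
        -ScheduledJobOption $options -Credential $jobCred | Out-Null

    # 3. Verify what Task Scheduler actually stored. PSScheduledJob keeps its
    #    tasks under \Microsoft\Windows\PowerShell\ScheduledJobs\.
    $task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\PowerShell\ScheduledJobs\' -TaskName $jobName
    $task.Principal | Select-Object UserId, LogonType
    if ($task.Principal.LogonType -ne 'Password') {
        Write-Warning ("'{0}' runs as {1} with LogonType {2}; Import-Clixml will fail while that user is logged off." -f
            $jobName, $task.Principal.UserId, $task.Principal.LogonType)
    }

    # 4. After the trigger has fired (with User1 logged off), pick up the
    #    script's output the way the question wants it.
    Import-Module PSScheduledJob
    Get-Job -Name $jobName | Receive-Job -Keep
    ```

    Passing -Credential means Task Scheduler stores User1's password in its own credential store, exactly what the GUI does when "Do not store password" is left unchecked; that stored password is what lets the unattended session unlock the DPAPI master key. The XML therefore protects the SQL password from other accounts on Server1, not from anyone who can already run code as User1.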
  • Ah, at first I didn't get what you mean with "Full Credentials". 

    I assumed it made no difference logging on as User1 and running "Register-ScheduledJob", or running "Register-ScheduledJob -Credential <Credentials of User1>"

    But you were right! Thanks for that hint! Saved me a lot of effort and time! Nice. It works now as I want it.
    Thank you!


    www.netlogix.de

    Monday, February 3, 2020 11:02 AM
  • Glad I was able to make it clear.  It is subtle but there is a difference.

    \_(ツ)_/

    Monday, February 3, 2020 11:14 AM