Smartcard credentials and invoke-command for addsdeployment

    Question


  • Invoke-Command -ComputerName servernamehere -ScriptBlock {
        Test-ADDSDomainControllerInstallation
    }

    or

    Invoke-Command -ComputerName servername -ScriptBlock {
        Test-ADDSDomainControllerInstallation -Credential (Get-Credential)
    }

    or

    $cred = Get-Credential

    Invoke-Command -ComputerName servername -ScriptBlock {
        Test-ADDSDomainControllerInstallation -Credential $using:cred
    }

    #####################################################################

    All fail with errors like

    1) 

    Message        : Verification of user credential permissions failed. The wizard cannot access the list of domains in the forest. The 
                     error is:
                     The Kerberos protocol encountered an error while attempting to utilize the smartcard subsystem.

    2) 

    Message        : Verification of user credential permissions failed. Failed to examine the Active Directory forest. The error was: 
                     ldap_search() failed, err=1
                     000004DC: LdapErr: DSID-0C090752, comment: In order to perform this operation a successful bind must be completed 
                     on the connection., data 0, v2580
                     Errors may be the result of insufficient credentials for a remote operation. Consider setting explicit credentials 
                     for this operation.

    I have enterprise admin rights; the promotion works fine if you log in via RDP and do it. This only fails with Invoke-Command. Tried running PowerShell as a different user and giving the smart card credentials. Tried prompting as seen in the above examples. All with NO luck. Have a Microsoft case open as well, and an engineer worked with me for over a day without any real solution yet.



    • Edited by Narayanan K Subramanian Thursday, November 24, 2016 4:47 PM posted confidential server information by mistake
    Thursday, November 24, 2016 4:47 PM

Answers

  • The solution is simple. Unlike RDP, Invoke-Command cannot forward credentials / the physical smartcard to the remote machine. Hence this fails.

    Basically, you cannot use a smartcard attached remotely and use Invoke-Command for the dcpromo PowerShell process. The PowerShell process requires the smartcard to be present locally on the machine being promoted.

    Monday, March 6, 2017 2:37 PM
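    As an added illustration (not code from this thread or from Microsoft), the following diagnostic compares the logon an interactive session has with the logon a remote Invoke-Command session receives, which is why the forest queries behind Test-ADDSDomainControllerInstallation fail remotely; $Server is a placeholder for the machine being promoted.

    ```powershell
    # Added diagnostic, not from the thread. Runs the same probe locally and
    # inside an Invoke-Command session and compares the Kerberos ticket cache.
    # $Server is a placeholder for the server being promoted.
    param([string]$Server = 'servername')

    $probe = {
        $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
        [pscustomobject]@{
            Host        = $env:COMPUTERNAME
            Identity    = $id.Name
            AuthType    = $id.AuthenticationType
            # klist lists cached tickets as lines starting with "#0>", "#1>", ...
            TicketCount = @((klist 2>$null) -match '^#\d+>').Count
        }
    }

    # Local interactive session: smartcard logon, a TGT is present in the cache.
    $local = & $probe

    # Remote WinRM session: network logon token only. The card and its private
    # key stay on the client, so the remote host has no TGT to reuse for a
    # further hop (LDAP to the forest, other DCs), which is the error seen above.
    $remote = Invoke-Command -ComputerName $Server -ScriptBlock $probe

    $local, $remote | Format-Table Host, Identity, AuthType, TicketCount -AutoSize

    if ($remote.TicketCount -eq 0) {
        Write-Warning ("No Kerberos tickets in the remote session on {0}: cmdlets that must " +
                       "authenticate onward from there will fail. Run the promotion in an " +
                       "interactive session on {0} with the smartcard present.") -f $Server
    }
    ```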

All replies

  • Did you try starting the PowerShell session with "Run as different user" and there use the smartcard logon that UAC pops up, and test your command then?

    Friday, November 25, 2016 3:43 AM
  • Yes I did, no luck.
    Friday, November 25, 2016 8:54 PM