Having issues psremoting to a server from another server, running a job scheduler

  • Question

  • We use CISCO Tidal as the scheduler that kicks off the following:

    C:\Scripts\PsSessionExecute.bat

    with the following parameters:

    "SERVERP1" "C:\Scripts\DataImportRunner.bat"

    This is kicking it off on TIDALP1.  The script itself is:

    @ECHO OFF
    SETLOCAL ENABLEDELAYEDEXPANSION
    
    SET "_Params="
    
    FOR %%A IN (%*) DO (
        IF NOT %%A==%1 (
            IF NOT %%A==%2 (
                SET "_Params=!_Params!^"^"%%A^"^" "
            )
        )
    )
    
    Powershell -ExecutionPolicy Bypass -WindowStyle Hidden "C:\Scripts\PsSessionExecute.ps1" "%1" ""%2"" !_Params!
    
    EXIT /B %ERRORLEVEL%

    I use a batch script because Tidal can run them directly, but ps1 scripts require running powershell.exe with the -Command option, and that can get cumbersome with how quotes are passed.  Also, it allows me to run them with the execution policy bypassed.  The script has also allowed me to run the same one for multiple tasks.  I can use the same script to run something on any server with any given parameters being passed:

    Param(
        [Parameter(Mandatory=$true)]    #Variable is to be submitted by Tidal, for server
        [String]$Server,
        [Parameter(Mandatory=$true)]    #Variable is to be submitted by Tidal, for path to executable or script
        [String]$Path,
        [Parameter(ValueFromRemainingArguments=$true)]    #Variable is to be submitted by Tidal, for Params
        $Options
    )
    
    $ErrorActionPreference = "Stop"
    
    $RemoteSession = New-PSSession -ComputerName $Server
    
    $Run = "&`"$Path`" $Options"
    
    $Run
    
    Invoke-Command -Session $RemoteSession -ScriptBlock {param($Run) Invoke-Expression $Run} -ArgumentList $Run
    
    $RemoteLastExitCode = Invoke-Command -ScriptBlock {$LASTEXITCODE} -Session $RemoteSession
    
    Remove-PSSession -Session $RemoteSession
    
    Exit $RemoteLastExitCode

    That script creates a PSSession and invokes a command in it. I then grab the last output.  The first issue I was having was that I was trying to run an EXE directly... This EXE is closed source, so I don't know much about it, but the Tidal service account running the task is an admin on the server and has access to the database the EXE connects to.  When I run the EXE directly, the EXE outputs a log file with the following name:

    2017-06-21_SRVC_ACCNT

    This tells me that the service account is being passed successfully to the EXE, but within the EXE, when it tries to connect to the database, it does not correctly receive credentials.  The log throws the following error:

    Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'

    So up to the EXE, it passes the service account but then drops it. One, not sure why; two, I chose to go about it a different way then.  I run the dataimportrunner.bat:

    @ECHO OFF
    
    Powershell -ExecutionPolicy Bypass -WindowStyle Hidden "C:\Scripts\DataImportRunner.ps1" %*
    
    EXIT /B %ERRORLEVEL%

    The PS1 script has the following:

    $ErrorActionPreference = "Stop"
    $Logs = "D:\apps\dataImporter\log"
    $RunDate = Get-Date -Format "yyyy-MM-dd"
    
    $ReadCreds = Get-Content C:\Scripts\SVCAcc.txt
    $User = $ReadCreds[0]
    $UserId = $User.Substring($User.IndexOf("\") + 1)
    $Pwd = $ReadCreds[1] | ConvertTo-SecureString
    $Creds = New-Object -Typename System.Management.Automation.PSCredential -Argumentlist $User,$Pwd
    
    $DataImporter = Start-Process -FilePath "D:\apps\dataImporter\DataImportRunner.exe" -Credential $Creds -Wait
    
    $LogFile = "$Logs\$RunDate`_$UserId.txt"
    
    If(Select-String -Path $LogFile -Pattern "Message: Data Import Complete"){
        EXIT
    }Else{
        EXIT 1
    }
    

    The above script reads an encrypted password stored in a file.  Then runs the exe using the creds.  This is the same EXE that when run from tidal directly runs fine but fails on the database connection. It fails with the following error:

    ConvertTo-SecureString : The requested operation cannot be completed. The 
    computer must be trusted for delegation and 

    Not sure how to get it to work at this point.

    Need help!



    Thursday, June 22, 2017 3:41 AM

All replies

  • You cannot access a third server from a remote connection.

    Search for "second hop restriction".


    \_(ツ)_/

    Thursday, June 22, 2017 5:09 AM
  • I enabled WSManCredSSP on the client server to delegate to all and on the remote server as a server role. The credential is still being dropped.
    Thursday, June 22, 2017 2:58 PM
  • Be sure to test the CredSSP manually.  You need to be sure all of the settings are correctly enabled with CredSSP.


    \_(ツ)_/

    Thursday, June 22, 2017 3:09 PM
  • How is this done? I tried doing a pssession from another pssession and was told by PS that I could not do that... not sure if it is PS related or CredSSP related.
    Thursday, June 22, 2017 5:21 PM
  • You need to go to the specific computer and test CredSSP then you need to test it from the initial computer.  It must be working correctly from both.

    \_(ツ)_/

    • Proposed as answer by Hello_2018 Tuesday, June 27, 2017 9:46 AM
    Thursday, June 22, 2017 9:55 PM
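
The manual CredSSP test suggested in the replies, as an added example that is not part of the original thread: it runs the same database probe from the initial computer over default authentication and over CredSSP, so the two results can be compared. `SQL_PLACEHOLDER` stands in for the database host, which the post does not name, and the interactive credential prompt is an assumption.

```powershell
# Added example, not code from the thread.
# SERVERP1 is the server named in the post; SQL_PLACEHOLDER is a stand-in
# for the database host, which the post does not name.
$Server    = 'SERVERP1'
$SqlServer = 'SQL_PLACEHOLDER'
$Cred      = Get-Credential    # assumption: the account the job runs as

# Second-hop probe: from inside the remote session, open an integrated-security
# SQL connection and report which login the database sees.
$Probe = {
    param($SqlServer)
    $cs   = "Server=$SqlServer;Integrated Security=SSPI;Connect Timeout=10"
    $conn = New-Object System.Data.SqlClient.SqlConnection $cs
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = 'SELECT SUSER_SNAME()'
        [pscustomobject]@{ RemoteUser = (whoami); SqlLogin = $cmd.ExecuteScalar(); Error = $null }
    } catch {
        [pscustomobject]@{ RemoteUser = (whoami); SqlLogin = $null; Error = $_.Exception.Message }
    } finally {
        $conn.Dispose()
    }
}

# Show the local CredSSP client setting: which targets may receive delegated
# credentials. A single named server is a narrower grant than a wildcard.
Get-WSManCredSSP

# Run the identical probe twice: default authentication, then CredSSP.
foreach ($auth in 'Default', 'Credssp') {
    $params = @{
        ComputerName   = $Server
        Credential     = $Cred
        Authentication = $auth
        ScriptBlock    = $Probe
        ArgumentList   = $SqlServer
        ErrorAction    = 'Stop'
    }
    try {
        $r = Invoke-Command @params
        '{0,-8} remote user: {1}  sql login: {2}  error: {3}' -f $auth, $r.RemoteUser, $r.SqlLogin, $r.Error
    } catch {
        # The session itself could not be created with this authentication type.
        '{0,-8} session failed: {1}' -f $auth, $_.Exception.Message
    }
}
```

Run it on TIDALP1. The `New-PSSession -ComputerName $Server` call in the question passes no `-Authentication`, so it corresponds to the `Default` row of the output.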