locked
runas with the /savecred switch does not accept a credential stored by the cmdkey command RRS feed

  • Question

  • Hello,

    I am trying to automate the storing of a credential to several people's profiles on several servers so they can use it with scripts they will be running that have the "runas" command with the /savecred switch.  I am using the "cmdkey" command to store the user and password but when the runas command is executed, it prompts for the password anyway.  I know the /savecred works since if I let the runas command prompt for the password and I enter it, on subsequent executions, it no longer asks for the password.  Interestingly enough, if I use the cmdkey command to overwrite the stored credential, runas will prompt again for the password so it can store it itself.  Almost like runas doesn't "trust" cmdkey.  Any thoughts on why this may be happening and how I can get around it?  I really need to automate the storing of the credential or it will take a couple hundred manual executions of the runas command to get it store on all the people's profiles that need it.

    Thursday, May 24, 2012 1:54 PM

All replies

  • Hi,


    If you prefer to do all your credentials management from the command line, take a look at the new CMDKEY utility. This utility creates, displays, and deletes credentials in the credentials cache.


    Meanwhile, I'd like to share a useful article for your reference:


    Password Security
    http://www.progettista.ru/0735711585_ch11lev1sec4.shtml


    Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.


    Hope this helps!

    Best Regards
    Elytis Cheng

    TechNet Subscriber Support

    If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.


    Elytis Cheng

    TechNet Community Support

    Friday, May 25, 2012 7:58 AM
  • Hi,

    Thanks for posting in Microsoft TechNet forums.

    As this thread has been quiet for a while, we assume that the issue has been resolved. At this time, we will mark it as ‘Answered’ as the previous steps should be helpful for many similar scenarios. If the issue still persists, please feel free to  reply this post directly so we will be notified to follow it up. You can also choose to unmark the answer as you wish.

    BTW,  we’d love to hear your feedback about the solution. By sharing your experience you can help other community members facing similar problems. Thanks for your understanding and efforts.

    Best Regards

    Elytis Cheng


    Elytis Cheng

    TechNet Community Support

    Tuesday, May 29, 2012 9:21 AM
  • Elytis,

    Thanks for the additional info.  I understand the CMDKEY command and have tried it but it seems that RUNAS does not "trust" the credential stored but CMDKEY.  The steps I have followed are:

    1) execute the CMDKEY command storing the ID and password

    2) verify the credential exists with CMDKEY /list

    3) execute the RUNAS command providing the same ID and the /savecred switch

    At that point, RUNAS prompts for the password.  After entering the password for RUNAS, subsequent executions of the same RUNAS command do not prompt for the password.

    As a test, if I try saving the credential again using CMDKEY, the next execution of the RUNAS command will prompt for the password one more time.  It is as though CMDKEY is not properly storing the credential for RUNAS or RUNAS is looking for something more than CMDKEY creates.

    Any other thoughts?

    RS

    Tuesday, May 29, 2012 1:15 PM
  • Hello,

     

    Thank you for your post.

     

    This is a quick note to let you know that we are performing research on this issue.

     

    Best Regards

    Elytis Cheng


    Elytis Cheng

    TechNet Community Support

    Monday, June 4, 2012 9:45 AM
  • Hi,

    i have made a test in my lab below:

    1. log on to a Win 7 with standard user and run following command:

    Runas /savecred /user:A\administrator notepad

    2. i'm prompted for a password for administator and then enter the password.

    3. i run following command again and i'm not prompted for a password.

    Runas /savecred /user:A\administrator notepad

    4. i run following command to add credentials.

    Cmdkey /add:mycomputername /user:a\administrator /password:pass!

    3. i run following command again and i'm not prompted for a password.

    Runas /savecred /user:A\administrator notepad

    The results is different as yours, so please give me your exactly steps.


    Best regards, Jason Mei Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Wednesday, June 6, 2012 9:42 AM
  • Hi,

    please refer to following thread:

    http://social.technet.microsoft.com/Forums/en-IN/winservergen/thread/50475105-4773-4a98-95f3-80d7f9bcd480


    Best regards, Jason Mei Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Wednesday, June 6, 2012 9:44 AM
  • Jason,

    Thanks for the response.  I noticed you tried this under Windows 7 but I am having this problem under Windows 2003 R2.  I will try your steps under Win 7 just to see if I get different resullts and get back.

    Friday, June 8, 2012 6:03 PM
  • Jason,

    Sorry for the delay - other priorities took over.  At any rate, I tested this as mentioned last week.  The CMDKEY procedure does work under Windows 7 however it does not work under Win 2K3 SP2.  After entering the CMDKEY command, an attempt to do another RUNAS results in another password prompt.  Any other ideas?

    RS

    Friday, June 15, 2012 3:00 PM
  • HI,

    please provide your details steps so that i can make a test in my lab. thanks !


    Best regards, Jason Mei Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Monday, June 18, 2012 9:37 AM
  • Jason,

    Here is the contents of my session on a Windows 2003 server:

    Microsoft Windows [Version 5.2.3790]
    (C) Copyright 1985-2003 Microsoft Corp.

    C:\Documents and Settings\rsmith>cmdkey /list

    Currently stored credentials:

    * NONE *

    C:\Documents and Settings\rsmith>cmdkey /add:inspro\svc_batch /user:inspro\svc_b
    atch /password:xxxxxx

    CMDKEY: Credential added successfully.

    C:\Documents and Settings\rsmith>runas /savecred /user:inspro\svc_batch notepad
    Attempting to start notepad as user "inspro\svc_batch" ...
    Enter the password for inspro\svc_batch:
    Attempting to start notepad as user "inspro\svc_batch" ...

    C:\Documents and Settings\rsmith>cmdkey /list

    Currently stored credentials:

        Target: inspro\svc_batch
        Type: Domain Password
        User: inspro\svc_batch

    C:\Documents and Settings\rsmith>cmdkey /add:inspro\svc_batch /user:inspro\svc_b
    atch /password:xxxxxxxx

    CMDKEY: Credential added successfully.

    C:\Documents and Settings\rsmith>cmdkey /list

    Currently stored credentials:

        Target: inspro\svc_batch
        Type: Domain Password
        User: inspro\svc_batch

    C:\Documents and Settings\rsmith>runas /savecred /user:inspro\svc_batch notepad
    Attempting to start notepad as user "inspro\svc_batch" ...
    Enter the password for inspro\svc_batch:
    Attempting to start notepad as user "inspro\svc_batch" ...

    C:\Documents and Settings\rsmith>

    1) I do a CMDKEY list to show there are no IDs/passwords stored.

    2) I do a CMDKEY to store the user and password (the password has been masked for my protection)

    3) I do a RUNAS with the "savecred" parameter and am reqested to enter the password again and notepad launches

    4) I do a CMDKEY list to show the RUNAS stored credential

    5) I do a CMDKEY to store the user and password again (the password has been masked for my protection)

    6) I do a CMDKEY list to show the stored credential

    7) I try another RUNAS but it prompts for the password again and notepad launches

    That's pretty much it.  Seems that RUNAS does not want to accept a credential stored by CMDKEY - at least not on Win 2K3.  I know you might be thinking I entered the password wrong but I tried it several times to make sure.

    Thanks again for any help,

    Bob

    Thursday, June 21, 2012 3:10 AM
  • Hi,

    I have made a test in my lab, and the results is same as yours. Also, I have checked the saved crendentials in crendentials manager. It seems the crendentials saved by cmdkey is different with the one saved by runas /savecred.

    The screeshot below shows us the crendentials save by cmdkey.

    below is the one saved by runas.


    Best regards, Jason Mei Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    • Proposed as answer by Jason Mei Tuesday, July 3, 2012 6:08 AM
    Friday, June 22, 2012 7:59 AM
  • Jason,

    So am I out of luck here?  Seems it works fine with Win 7 but not Win 2K3, so perhaps it's a bug?  Is there any way I can work around this or pehaps edit the credential somwhow to make it acceptable to RUNAS?

    Regards,

    Bob

    Friday, June 22, 2012 12:53 PM
  • Hi,

    I perform the steps as you mentioned above on windows 7 and got same results as yours, it is not worked on Win 7 as well. Besides, your steps are different with the one I provided before.


    Best regards, Jason Mei Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Tuesday, June 26, 2012 10:37 AM
  • HI,

    How are things going on your end? Please keep me posted on this issue. I certainly appreciate your time.


    Best regards, Jason Mei Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Tuesday, July 10, 2012 9:42 AM
  • Jason,

    I apologize for the lack of a response on this.  I have been out of the office for several days.  I will get back to this tomorrow with an update.

    Regards,

    Bob

    Wednesday, July 18, 2012 4:15 PM
  • I'm having a very similar problem at this time....

    I enter credentials using:

    cmdkey /add:domain:interactive=%computername%\administrator /user:%computername%\administrator /pass:password

    CMDKEY /list

    Target: domain:interactive=COMPUTERNAME\administrator

    Type: Domain Password

    User: COMPUTERNAME\administrator

    Credentials Manager shows the Internet or network address as:

    COMPUTERNAME\administrator

    I run the following:

    %windir%\system32\runas.exe /savecred /user:%computername%\administrator notepad.exe

    It prompts for the password for administrator.  I enter it and notepad opens. 

    I run the same command again and notepad opens without prompting for a password. 

    CMDKEY /list shows the same:

    Target: Domain:interactive=COMPUTERNAME\administrator

    Type: Domain Password

    User: COMPUTERNAME\administrator

    This time Credentials Manager shows the Internet or network address as:

    COMPUTERNAME\administrator (Interactive Logon)

    Everything else in Credentials Manager (User name, Password, Persistence) remains the same. 

    That (Interactive Logon) seems to be making the difference even though CMDKEY shows the same info each time and I tried to specify "domain:interactive=" when I entered it using CMDKEY. 

    By the way, the method I used above for adding via CMDKEY produced the closest results that I've been able to get compared to using runas /savecred.  I get a single entry and runas /savecred adds (Interactive Logon) to the one I added with CMDKEY.  It doesn't work with CMDKEY.  But it works after entering the password when prompted by runas /savecred.  If I use any other method of specifying the user with CMDKEY such as "/user:COMPUTERNAME\administrator" or "/user:administrator" I end up with two distinct entries shown by Credentials Manager or CMDKEY /list after I use runas /savecred and enter the password. 

    I want to be able to add a username and password using CMDKEY and then use  runas /savecred  without having to enter a password at all. 

    All of this takes place on a Win 7 Pro computer in an active directory domain. 

    Anybody know how to get /savecred to work with CMDKEY and Interactive Logon on Win7 pro? 




    • Edited by bartace Tuesday, January 8, 2013 5:17 AM
    Monday, January 7, 2013 7:51 PM