Open PSSession with encrypted Credentials

    Question

  • Hello,

    I've been trying for days to open a PSSession with encrypted credentials.

    I was using ConvertTo-SecureString but unfortunately it doesn't work.

    Could you please take a look at my script:

    param 
    (
        [String]$var1,
        [String]$var2,
        [String]$var3
    )
        
    $scriptstring = {
        param([String]$var1,[String]$var2,[String]$var3)
        c:\script\otherserver.ps1 -var1 $var1 -var2 $var2 -var3 $var3
    }
    
    $username = 'domain\user'
    $password = '01000000d08c9ddf0115d1118c7a00c04fc297eb010000001a114d45b8dd3f4aa11ad7c0abdae9800000000002000000000003660000a8000000100000005df63cea84bfb7d70bd6842e7
    efa79820000000004800000a000000010000000f10cd0f4a99a8d5814d94e0687d7430b100000008bf11f1960158405b2779613e9352c6d14000000e6b7bf46a9d485ff211b9b2a2df3bd
    6eb67aae41'
    $targetserver = 'fqdn.server'
    $cred = New-Object -TypeName System.Management.Automation.PSCredential -argumentlist $username,($password | ConvertTo-SecureString)
    $s = New-PSSession -computerName $targetserver -credential $Cred
    Invoke-Command -Session $s -Scriptblock $scriptstring -Argumentlist $var1, $var2, $var3
    
    Remove-PSSession $s
    

    Thank you very much in advance!

    Thursday, April 20, 2017 9:36 AM

All replies

  • You would need to convert from the secure string while also providing the key.

    I would advise exporting the credentials into a CliXML file and then importing it:

    https://msdn.microsoft.com/en-us/powershell/reference/5.1/microsoft.powershell.utility/export-clixml

    https://msdn.microsoft.com/en-us/powershell/reference/5.1/microsoft.powershell.utility/import-clixml

    If you have any specific questions after reading the above, let me know.


    Thursday, April 20, 2017 9:46 AM
  • $password = '01000000d08c9ddf0115d1118c7a00c04fc297eb010000001a114d45b8dd3f4aa11ad7c0abdae9800000000002000000000003660000a8000000100000005df63cea84bfb7d70bd6842e7
    efa79820000000004800000a000000010000000f10cd0f4a99a8d5814d94e0687d7430b100000008bf11f1960158405b2779613e9352c6d14000000e6b7bf46a9d485ff211b9b2a2df3bd
    6eb67aae41'
    
    $pwd = $password | ConvertTo-SecureString -AsPlainText -Force
    


    \_(ツ)_/

    Thursday, April 20, 2017 9:51 AM
  • Here are the full steps:

    $password = ConvertTo-SecureString 'mypass@word!' -AsPlainText -force
    $encrypted = $password | ConvertFrom-SecureString
    # at this point $encrypted can be saved to a file.

    The following line converts the encrypted password into a SecureString object.
    $secStr = ConvertTo-SecureString $encrypted



    \_(ツ)_/



    • Edited by jrv Thursday, April 20, 2017 10:03 AM
    Thursday, April 20, 2017 10:01 AM
  • Thank you very much for the quick reply.

    It worked for me storing the securestring in a password file, but nevertheless I get an error output:

    ConvertTo-SecureString : Cannot convert 'System.Object[]' to the type 'System.String' required by parameter 'String'. Specified method is not supported.
    At C:\file.ps1:19 char:31
    + $pass = ConvertTo-SecureString <<<<  $password
        + CategoryInfo          : InvalidArgument: (:) [ConvertTo-SecureString], ParameterBindingException
        + FullyQualifiedErrorId : CannotConvertArgument,Microsoft.PowerShell.Commands.ConvertToSecureStringCommand
     
    This host does not support transcription.
        + CategoryInfo          : NotImplemented: (:) [Start-Transcript], PSNotSupportedException
        + FullyQualifiedErrorId : NotSupported,Microsoft.PowerShell.Commands.StartTranscriptCommand

    used script:

    $username = 'user'
    $password = get-content 'C:\pw.txt'
    $targetserver = 'fqdn.server'
    $pass = ConvertTo-SecureString $password
    $Cred = New-Object System.Management.Automation.PSCredential -ArgumentList $username, $pass
    $s = New-PSSession -computerName $targetserver -credential $Cred


    • Edited by ShellGringo Thursday, April 20, 2017 2:38 PM
    Thursday, April 20, 2017 1:07 PM
  • Assuming pw.txt contains plaintext password as-is, you need to run ConvertTo-SecureString $password -AsPlainText -Force, as advised by jrv.

    Assuming it already is an output file from a conversion as above, you might want to convert from.

    Thursday, April 20, 2017 1:20 PM
  • the converted securestring is in the pw.txt:

    01000000d08c9ddf0115d1118c7a00c04fc297eb010000001a114d45b8dd3f4aa11ad7c0abdae9800000000002000000000003660000a8000000100000005df63cea84bfb7d70bd6842e7
    efa79820000000004800000a000000010000000f10cd0f4a99a8d5814d94e0687d7430b100000008bf11f1960158405b2779613e9352c6d14000000e6b7bf46a9d485ff211b9b2a2df3bd
    6eb67aae41

    Thursday, April 20, 2017 1:28 PM
  • When I add [STRING] to:

    [STRING]$password = get-content 'C:\pw.txt'

    error changes to:

    ConvertTo-SecureString : Input string was not in a correct format.
    At C:\script.ps1:21 char:31
    + $pass = ConvertTo-SecureString <<<<  $password
        + CategoryInfo          : NotSpecified: (:) [ConvertTo-SecureString], FormatException
        + FullyQualifiedErrorId : System.FormatException,Microsoft.PowerShell.Commands.ConvertToSecureStringCommand
     
    This host does not support transcription.
        + CategoryInfo          : NotImplemented: (:) [Start-Transcript], PSNotSupportedException
        + FullyQualifiedErrorId : NotSupported,Microsoft.PowerShell.Commands.StartTranscriptCommand



    Thursday, April 20, 2017 3:34 PM
  • When I change the script to the following:

    $passwordFile = "C:\pw.txt"
    $username = "domain\user"
    
    # done for the first time to create the PW file
    if (! (Test-Path $passwordFile))
    {
      Read-Host -AsSecureString | convertfrom-securestring | out-file $passwordFile
    }
    
    
    $password = Get-Content $passwordFile | convertto-securestring
    $Cred = new-object -typename System.Management.Automation.PSCredential -argumentlist $username, $password
    $targetserver = 'fqdn.server'
    $s = New-PSSession -computerName $targetserver -credential $Cred

    error message is:

    New-Object : Cannot convert argument "1", with value: "System.Security.SecureString", for "PSCredential" to type "System.Security.SecureString": "Cannot 
    convert the "System.Security.SecureString" value of type "System.String" to type "System.Security.SecureString"."
    At C:\script.ps1:27 char:19
    + $Cred = new-object <<<<  -typename System.Management.Automation.PSCredential -argumentlist $username, $password
        + CategoryInfo          : InvalidOperation: (:) [New-Object], MethodException
        + FullyQualifiedErrorId : ConstructorInvokedThrowException,Microsoft.PowerShell.Commands.NewObjectCommand
     
    This host does not support transcription.
        + CategoryInfo          : NotImplemented: (:) [Start-Transcript], PSNotSupportedException
        + FullyQualifiedErrorId : NotSupported,Microsoft.PowerShell.Commands.StartTranscriptCommand

    Thursday, April 20, 2017 3:46 PM
  • Dear all,

    After I failed with encrypting the credentials with ConvertFrom-SecureString, I tried using CLIXML.

    Unfortunately the results are not better when I do it like this:

    #create the xml file
    $MyCredentials = GET-CREDENTIAL -Credential "domain\user" | EXPORT-CLIXML C:\SecureCredentials.xml

    #script
    $cred = IMPORT-CLIXML C:\SecureCredentials.xml
    $targetserver = 'server'
    $s = New-PSSession -computerName $targetserver -credential $Cred

    error:

    New-PSSession : Cannot process argument transformation on parameter 'Credential'. userName
    At C:\script.ps1:30 char:59
    + $s = New-PSSession -computerName $targetserver -credential <<<<  $Cred
        + CategoryInfo          : InvalidData: (:) [New-PSSession], ParameterBindin...mationException
        + FullyQualifiedErrorId : ParameterArgumentTransformationError,Microsoft.PowerShell.Commands.NewPSSessionCommand
     
    Cannot invoke pipeline because runspace is not in the Opened state. Current state of runspace is 'Closed'.
        + CategoryInfo          : OperationStopped: (Microsoft.Power...tHelperRunspace:ExecutionCmdletHelperRunspace) [], InvalidRunspaceStateException
        + FullyQualifiedErrorId : RemotePipelineExecutionFailed
     
    Cannot invoke pipeline because runspace is not in the Opened state. Current state of runspace is 'Closed'.
        + CategoryInfo          : OperationStopped: (Microsoft.Power...tHelperRunspace:ExecutionCmdletHelperRunspace) [], InvalidRunspaceStateException
        + FullyQualifiedErrorId : RemotePipelineExecutionFailed

    I'm really desperate and welcome any help.

    Thank you


    Thursday, April 20, 2017 4:52 PM
  • $password = ConvertTo-SecureString 'mypass@word!' -AsPlainText -force
    $encrypted = $password | ConvertFrom-SecureString
    # at this point $encrypted can be saved to a file.
    Set-Content pwd.txt $encrypted
    
    # read from file and create a secure string
    $fileencrypted = Get-Content pwd.txt
    $secStr = ConvertTo-SecureString $fileencrypted
    $secStr = ConvertTo-SecureString $encrypted
    
    

    The password cannot be used by other accounts. It is only valid for the account that created it.


    \_(ツ)_/

    Thursday, April 20, 2017 8:04 PM
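
The round trip discussed in this thread, as an added example that is not code from any poster: it stores a password with ConvertFrom-SecureString (no -Key, so the blob is protected with DPAPI for the current user on the current machine), reads it back as one string even when the file holds the blob on several lines (Get-Content returns one string per line, so a multi-line file arrives as an array), and checks the type before building the PSCredential. The helper names Save-ProtectedPassword and Read-ProtectedPassword are hypothetical, and the path, account and server are placeholders taken from the thread.

```powershell
# Added example; helper names are hypothetical, values below are placeholders.
$passwordFile = 'C:\pw.txt'
$username     = 'domain\user'
$targetserver = 'fqdn.server'

function Save-ProtectedPassword {
    param([string]$Path)
    # Prompt without echo. ConvertFrom-SecureString without -Key uses DPAPI,
    # so only the same account on the same machine can decrypt the result.
    Read-Host -Prompt 'Password' -AsSecureString |
        ConvertFrom-SecureString |
        Set-Content -Path $Path
}

function Read-ProtectedPassword {
    param([string]$Path)
    # Join all lines and strip whitespace so a wrapped blob becomes a single
    # hex string again (avoids -Raw, which needs PowerShell 3.0 or later).
    $blob = ((Get-Content -Path $Path) -join '') -replace '\s', ''
    if ($blob -notmatch '^[0-9a-fA-F]+$') {
        throw "File '$Path' does not contain ConvertFrom-SecureString output."
    }
    try {
        ConvertTo-SecureString -String $blob -ErrorAction Stop
    }
    catch {
        throw ("Cannot decrypt '$Path'. It must be read by the account, on the " +
               "machine, that created it. " + $_.Exception.Message)
    }
}

if (-not (Test-Path $passwordFile)) { Save-ProtectedPassword -Path $passwordFile }

$secure = Read-ProtectedPassword -Path $passwordFile
if ($secure -isnot [System.Security.SecureString]) {
    throw "Expected SecureString, got $($secure.GetType().FullName)"
}

$cred = New-Object System.Management.Automation.PSCredential -ArgumentList $username, $secure
$s = New-PSSession -ComputerName $targetserver -Credential $cred -ErrorAction Stop
try {
    # Placeholder remote command; replace with the real script block.
    Invoke-Command -Session $s -ScriptBlock { $env:COMPUTERNAME }
}
finally {
    Remove-PSSession $s
}
```

If the script runs as a scheduled task or service, create the password file while logged on as that same account, otherwise the decrypt step fails.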