How do I add a user for local Powershell use? ( Jenkins and localhost user Impersonation ? )

Question

I have a Jenkins machine running builds, but I would like to run scripts as alternative users across Operating Systems on my Jenkins slaves.

I can do this on my GNU/Linux boxes using symmetrical keys and authorized_keys in ssh, but I am having quite a lot of trouble doing the same on some Windows machines.

I would like to use Powershell to run the commands I am interested in.

I am getting Access Denied errors as the user I would like to have run a specific command. I can run Invoke-Command with Get-Credential with an AD administrative account, and it works correctly but not as other AD users, so I know winrm is running as it should.

How do I add a specific AD user to run Invoke-Command or Enter-PSSession on a specific host?

And related to that question, How does the AD Admin have access to any machine running winrm? Can I emulate that in some way locally for one user on a targeted machine?

score 1 · Answer 1 · edited May 23 '17 at 12:13

1

If you're authenticating like this then you'll need to export a new file for each authenticating user, and after password changes:

read-host -assecurestring | convertfrom-securestring | out-file UserOneSecureString.txt

I'll beg off the more general parts of your question with docs for about_remote and about_remote_troubleshooting, which you've may've seen.

edited May 23 '17 at 12:13

Community

1
1

answered Feb 12 '14 at 17:57

noam

1,914
2
20
26

score 0 · Accepted Answer · answered Feb 14 '14 at 16:42

After a bit of reading, this question can be reduced to Impersonating a domain user on a host in Powershell non-interactively.

Impersonating a domain user on a host in Powershell non-interactively

To impersonate a user in powershell non-interactively you must do the following:

Enable Powershell Remoting
Add User to PowerShell PSSessionConfiguration
Enable CredSSP on Host (As client and server)
Export Asymmetrical Key of Domain user
Initiate session with Credssp authentication

Enable Powershell Remoting

The host we will use needs to have Windows Remote Management enabled, there is a powershell command to do all the work for you.

Enable-PSRemoting -Force

Add User to PowerShell PSSessionConfiguration

If the user is not an administrator on the host, you must add it to the Powershell Session Configuration. You can then control what kind of access you would like to give to the user on that host.

Set-PSSessionConfiguration Microsoft.PowerShell -ShowSecurityDescriptorUI

Enable CredSSP on Host (As client and server)

Credssp deals with the double-hop or second-hop issue on Microsoft products.

This allows credential forwarding to occur for users to access services that may not be on the local host, such as network shares.

In many cases, this is an issue when logging into machine B from machine A and needing a resource on machine C.

In this case, machine A and B are the same host, so we enable Credssp on the host as both the Client and Server roles.

Enable-WSManCredSSP -Role Client -Delegate $env:COMPUTERNAME

Enable-WSManCredSSP -Role Server

Export Asymmetrical Key of Domain user

This is mentioned in one of the answers by 'noam'.

An asymmetrical key can be used by exporting the domain user's password to a file.

Then, the file can be read and a new powershell session can be started on the host.

Read-Host -AsSecureString "Write the password: " | ConvertFrom-SecureString | Out-File C:\somelocation\users-pass-key-file.txt

Initiate session with Credssp authentication

Now you can initiate a non-interactive login session in Powershell by reading the file with the key, and logging into the host.

$user = "DOMAIN\username"
$passkey = Get-Content C:\somelocation\users-pass-key-file.txt | ConvertTo-SecureString
$credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $user,$passkey
Invoke-Command -ComputerName $env:COMPUTERNAME -ScriptBlock { Write-Output $env:USERNAME } -Credential $credential -Authentication Credssp

Using Jenkins with impersonated user

After doing the previous steps you can use your Jenkins slaves or master to execute Powershell commands on behalf of another user.

This will have to be done by running Invoke-Command with the appropriate preface using the credentials stored on the host in question.