0

I just run a simple script with `invoke-command -computer [servername] -scriptblock {powershell.exe D:\test\script.ps1}`

If I run the script manually on the box and then run the remote script again, the error does not appear anymore, but I don't like having to log in manually to the box and run the script to be able to fix this error, especially with so many servers. Can anyone help me with this? Thanks

```
Error during CryptAcquireContext. [servername] : Error msg : The requested operation cannot be completed. The computer must be trusted for delegation and the current user account must be configured to allow delegation. Error code : 80090345
```

The part of the script running on the server that gets the error:

```powershell
$fciv = "D:\test\fciv.exe"
$fcivLog = "D:\test\fcivLog.txt"
$xmlPath = "D:\test\server.xml"

& $fciv -v -bp "\\servername\folder1" -XML $xmlPath | Out-File $fcivLog
```

  • I posted the script that is running the fciv.exe tool – user3199509 Apr 07 '14 at 14:54
  • Do you know if the error is coming from the PowerShell Remoting feature, or if it's coming from the `fciv.exe` tool? –  Apr 07 '14 at 15:03
  • I think it is probably coming from the fciv.exe tool, since the output is saved in the log, which has the errors :( The script runs fine manually on the box, and if I do that once, the remote script runs fine. I don't know why the error comes up if the script is not first run manually on each of the boxes. – user3199509 Apr 07 '14 at 15:20
  • What is your ultimate goal with this script? To verify hashes of a bunch of files? There might be a better way to do that. For example, PowerShell in Windows 8.1 includes a `Get-FileHash` command. –  Apr 07 '14 at 15:25
  • Yes, verifying hashes of files, but the servers I am working on are running Windows 2003 and 2008 and only have PowerShell 2.0, so I really am limited. – user3199509 Apr 07 '14 at 16:23
  • Gotcha. Have you considered writing some code around the .NET base class library (BCL)? Consider this similar C# question: http://stackoverflow.com/questions/10520048/calculate-md5-checksum-for-a-file –  Apr 07 '14 at 16:28
  • Or, if you don't mind using the [PowerShell Community Extensions](http://pscx.codeplex.com/) module it includes a Get-Hash cmdlet that would do what you want with ease. – TheMadTechnician Apr 07 '14 at 17:02
  • Does this need to be installed, or can it be imported instead? I would rather not have installation required on the servers, since that would probably take a while to get approvals. – user3199509 Apr 07 '14 at 17:35

3 Answers

0

Here is a PowerShell function that should work on PowerShell version 2.0, to calculate MD5 hashes:

```powershell
function Get-MD5FileHash {
    [CmdletBinding()]
    param (
        [string] $Path
    )

    $MD5 = [System.Security.Cryptography.MD5]::Create();
    # Open read-only; the finally block releases the file handle even if hashing fails
    $Stream = [System.IO.File]::OpenRead($Path);
    try {
        $ByteArray = $MD5.ComputeHash($Stream);
        # Emit the hash as a lowercase hex string
        [System.BitConverter]::ToString($ByteArray).Replace('-','').ToLower();
    }
    finally {
        $Stream.Dispose();
    }
}

Get-MD5FileHash -Path C:\test\test.xlsx;
```

I tested it out on PowerShell 4.0 on Windows 8.1, and it works great!

  • Can this do recursive hashing? My goal is to be able to check if all folders/files on each of the servers are the same, which is why I am using the fciv.exe tool, because it outputs the hashes in the XML file, which I can use to compare hashes. – user3199509 Apr 07 '14 at 17:38
  • 1
    This just gets a hash, recursing would be up to you. Something like `gci -recurse|%{$hash = Get-MD5FileHash $_.FullName;New-Object PSObject -Property @{File=$_.FullName;Hash=$hash}}|Export-CSV C:\Path\File.csv -notype` and then when you run it on the next server import the CSV and compare that server's files' hashes against the CSV as reference. Run the same thing, but assign it to a variable instead of outputting it to CSV, then doing a compare-object for the two would be simplest. – TheMadTechnician Apr 07 '14 at 18:10
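
An added example (not code from any of the posts above) of the recursive hash-and-compare approach the last comment sketches, kept to PowerShell 2.0 syntax. It defaults to SHA-256 instead of the answer's MD5, because MD5 is not collision resistant; the function names and the `D:\data` and `D:\test\reference.csv` paths are hypothetical.

```powershell
# Added example, PowerShell 2.0 compatible; function names and paths are hypothetical.
function Get-FileHashManifest {
    param (
        [Parameter(Mandatory = $true)] [string] $Root,
        [string] $Algorithm = 'SHA256'   # 'MD5' reproduces the answer's hashes
    )
    $resolved  = (Resolve-Path -LiteralPath $Root).ProviderPath
    $prefixLen = $resolved.TrimEnd('\').Length + 1
    $hasher = [System.Security.Cryptography.HashAlgorithm]::Create($Algorithm)
    if (-not $hasher) { throw "Unknown hash algorithm: $Algorithm" }

    Get-ChildItem -LiteralPath $resolved -Recurse -Force |
        Where-Object { -not $_.PSIsContainer } |      # skip directories
        ForEach-Object {
            $file = $_; $stream = $null
            $hash = 'UNREADABLE'                      # locked or denied files stay visible in the diff
            try {
                $stream = [System.IO.File]::OpenRead($file.FullName)
                $hash = [System.BitConverter]::ToString($hasher.ComputeHash($stream)).Replace('-', '').ToLower()
            } catch {
                Write-Warning "Could not hash $($file.FullName): $($_.Exception.Message)"
            } finally {
                if ($stream) { $stream.Dispose() }
            }
            # Paths are stored relative to the root so manifests from different servers line up
            New-Object PSObject -Property @{
                RelativePath = $file.FullName.Substring($prefixLen)
                Hash         = $hash
            }
        }
}

function Compare-FileHashManifest {
    param ($Reference, $Difference)
    # A changed file shows up once per side; a missing or extra file shows up on one side only
    Compare-Object -ReferenceObject @($Reference) -DifferenceObject @($Difference) `
        -Property RelativePath, Hash | Sort-Object RelativePath, SideIndicator
}

# On the reference server: write the manifest somewhere the servers under test cannot modify.
Get-FileHashManifest -Root 'D:\data' | Export-Csv 'D:\test\reference.csv' -NoTypeInformation

# On each other server: no output means the trees match.
$local = Get-FileHashManifest -Root 'D:\data'
Compare-FileHashManifest -Reference (Import-Csv 'D:\test\reference.csv') -Difference $local
```
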
0

This question is quite old, and a workaround has been found. But it still does not resolve the primary issue of delegation for programs using CryptAcquireContext.

I had the very same problem with another program (BiosConfigUtility, from HP).

I solved it by allowing delegation between my computer, and remote computers.

To enable delegation on your client:

```powershell
Enable-WSManCredSSP -Role Client -DelegateComputer host.domain.com -Force
```

To enable delegation on the remote computer:

```powershell
Enable-WSManCredSSP -Role Server -Force
```

See this post : https://devblogs.microsoft.com/scripting/enable-powershell-second-hop-functionality-with-credssp/ for more info

dev.greg
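
An added example (not part of the answer above) showing the remote call that actually uses the delegation, scoped to one host and switched off again afterwards, since with CredSSP the remote computer receives the user's credentials. It assumes the server role is already enabled on the target as the answer describes; `host.domain.com` is the answer's placeholder and the script path is the one from the question.

```powershell
# Added example; run from an elevated prompt on the client.
$target = 'host.domain.com'      # placeholder host from the answer; use the FQDN
$cred   = Get-Credential         # CredSSP requires explicit credentials

# Delegate to this one host only, not to a wildcard such as *.domain.com
Enable-WSManCredSSP -Role Client -DelegateComputer $target -Force | Out-Null
try {
    # Enabling CredSSP changes nothing until a session asks for it explicitly
    Invoke-Command -ComputerName $target -Authentication Credssp -Credential $cred -ScriptBlock {
        powershell.exe -NoProfile -File D:\test\script.ps1
        "script.ps1 exit code: $LASTEXITCODE"
    }
}
finally {
    # Turn the client role off again; this also removes delegation entries that existed before
    Disable-WSManCredSSP -Role Client
    Get-WSManCredSSP             # print the resulting state for the record
}
```
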
0

You can always use scheduled tasks instead. This script changes the bios from legacy to uefi boot using biosconfigutility64 (or erase setup password for surplusing). Remotely running it directly will give that cryptacquirecontext error.

```powershell
# usage: .\hpuefi.ps1 comp1,comp2,comp3

$s = new-pssession $args[0]
$src = 'Y:\hp-bios-new'
$dst = 'c:\users\admin\documents\hp-bios-new'
icm $s { if (! (test-path $using:dst)) { mkdir $using:dst > $null } }
$s | % { copy $src\biosconfigutility64.exe,$src\pass.bin,$src\uefi.bat,$src\uefi.txt $dst -tosession $_ }
icm $s {
  # ERROR: Error during CryptAcquireContext. LastError = 0x80090345
  # & $using:dst\uefi.bat 

  # 2>&1 must go last
  $action = New-ScheduledTaskAction -Execute 'cmd' -argument '/c c:\users\admin\documents\hp-bios-new\uefi.bat > c:\users\admin\documents\hp-bios-new\uefi.log 2>&1'
  Register-ScheduledTask -action $action -taskname uefi -user system > $null
  Start-ScheduledTask -TaskName uefi
  # wait
  while ((Get-ScheduledTask -TaskName uefi).State -ne 'Ready') {
    Write-Verbose -Message 'Waiting on scheduled task...'
    Start-Sleep -Seconds 1   # poll once a second instead of spinning
  }
  Get-ScheduledTask uefi | Get-ScheduledTaskInfo | ft

  # remove-scheduledtask uefi
  # shutdown /r /t 0
}
```

uefi.bat:

```bat
%~dp0BiosConfigUtility64.exe /set:"%~dp0uefi.txt" /cspwdfile:"%~dp0pass.bin"

exit /b %errorlevel%
```

js2010