0

My problem is I have made a script which starts an Exchange shell PSSession. The script runs fine if I execute it line by line in PowerShell, or if I right-click on it in Explorer and run it. However, when it is called via Certify after a new certificate is produced, it fails.

Here is the section of the script:

$password = Get-Content -Path 'c:\Certificate_Update\securepassword.txt'
$pw = ConvertTo-SecureString -String $password
#$pw = ConvertTo-SecureString -AsPlainText -Force -String "admin pass here"

$cred = New-Object System.Management.Automation.PSCredential ("Wookies-Domain\Administrator", $pw)
$uri = 'http://Exchange-Server/PowerShell/'
# Starts remote Exchange shell session
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri $uri -Authentication Kerberos -Credential $Cred

# Imports remote Exchange shell session to this Machine
Import-PSSession $Session

The error I get is:

ConvertTo-SecureString : The system cannot find the path specified.

At C:\Certificate_Update\Update_Old_Cert.ps1:40 char:7
+ $pw = ConvertTo-SecureString -String $password
+       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [ConvertTo-SecureString], CryptographicException
    + FullyQualifiedErrorId :  ImportSecureString_InvalidArgument_CryptographicError,Microsoft.PowerShell.Commands.ConvertToSecureStringCommand

TerminatingError(New-Object): "Exception calling ".ctor" with "2" argument(s):
"Cannot process argument because the value of argument "password" is null.
Change the value of argument "password" to a non-null value.""

New-Object : Exception calling ".ctor" with "2" argument(s): "Cannot process
argument because the value of argument "password" is null. Change the value of
argument "password" to a non-null value."

It is saying $password is null? Can't work out what I have done wrong. Is it maybe some permissions thing as the script is being run by certify?

Ansgar Wiechers
wookie_73
  • Why would `ConvertTo-SecureString` throw an error "The system cannot find the path specified" when being passed a string? What is the content of your input file? A plaintext password? An exported secure string? – Ansgar Wiechers Jun 21 '18 at 07:23
  • The input file is an exported encrypted standard string. – wookie_73 Jun 21 '18 at 08:05
  • Was that encrypted string created on the same system by the same user? – Ansgar Wiechers Jun 21 '18 at 08:06
  • I realise that the system cannot find the path, yet when I run the script from Windows Explorer it works fine. It only has this error when the script is called by Certify after generating the Let's Encrypt certificate. – wookie_73 Jun 21 '18 at 08:06
  • Yes encrypted string created on same machine, by same user – wookie_73 Jun 21 '18 at 08:08
  • The error doesn't make any sense since there is no path involved in that particular statement. I would expect `Get-Content` to be the cmdlet throwing such an error. For further debugging, could you launch PowerShell as the user running the Let's Encrypt commands and then try to manually run the `Get-Content` and `ConvertTo-SecureString` commands from there? – Ansgar Wiechers Jun 21 '18 at 08:12
  • Worked it out. Everything has been done as Admin. Certify uses a service to run, checked services and it was set to local system. Changed to Admin and restarted the service. Boom success. – wookie_73 Jun 21 '18 at 09:21
  • Thanks for helping me out, thought it may be a permissions issue. Odd that that part of the script fails under 'local system' – wookie_73 Jun 21 '18 at 09:22
  • Not really, since the encryption of exported secure strings is tied to both the user and the system. A different user (even on the same system) is not (and should not be) able to decrypt the string. – Ansgar Wiechers Jun 21 '18 at 10:10
  • Ahh that makes sense. Logged in as Admin but running as system hence fail. Thanks again for help. – wookie_73 Jun 21 '18 at 11:23

2 Answers

1

Although more than 4 years have passed, the issue is still there. I found that under some conditions ConvertTo-SecureString does not work with variables, failing with the "The system cannot find the path specified" error. In my case that happened when I tried to execute my script under "NT AUTHORITY\SYSTEM". So instead of

$pw = ConvertTo-SecureString -String $password

I used

$pw = ConvertTo-SecureString -String "content-of-$password-variable"

and it worked.

0

My script was calling a file with an encrypted standard string used as a password. This was encrypted as Admin. Certify runs as a service set to Local System. So when the script tried to access the password file, it failed due to wrong privileges. Setting the service to run as admin cured the problem.

Thanks to Ansgar Wiechers for helping me sort out the problem.

wookie_73
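
The comments above note that an exported secure string can only be decrypted by the same user on the same system. As an added example (not code from the original posts or from Certify), the helper below names the identity the script is really running as when decryption fails; the function names, the `EXAMPLE\svc-certify` account and the temp-file path are assumptions made for illustration.

```powershell
# Added example: function names, account name and demo path are hypothetical.
function Save-DpapiPassword {
    # Run this AS THE ACCOUNT that will later read the file (e.g. the service account).
    param([Parameter(Mandatory)][securestring]$Password,
          [Parameter(Mandatory)][string]$Path)
    # Without -Key, ConvertFrom-SecureString protects the value with Windows DPAPI,
    # so only the same user on the same machine can turn it back into a SecureString.
    $Password | ConvertFrom-SecureString | Set-Content -Path $Path -Encoding ASCII
}

function Import-DpapiCredential {
    param([Parameter(Mandatory)][string]$UserName,
          [Parameter(Mandatory)][string]$Path)
    # The effective identity: for a script launched by a service, this is the
    # service's logon account, not the user logged in at the console.
    $who = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Password file '$Path' not found (running as '$who')."
    }
    $blob = (Get-Content -LiteralPath $Path -Raw).Trim()
    try {
        # -ErrorAction Stop makes the failure terminating so it cannot be skipped
        # and surface later as a confusing "password is null" error.
        $secure = ConvertTo-SecureString -String $blob -ErrorAction Stop
    }
    catch {
        $type = $_.Exception.GetType().Name
        throw "Cannot decrypt '$Path' while running as '$who' ($type). " +
              "The file must be exported by this same account on this machine."
    }
    New-Object System.Management.Automation.PSCredential ($UserName, $secure)
}

# Constructed demo: round trip under the current user with a throwaway password.
$demoPath = Join-Path $env:TEMP 'dpapi-demo.txt'
$demoPw   = ConvertTo-SecureString -String 'constructed-sample-only' -AsPlainText -Force
Save-DpapiPassword -Password $demoPw -Path $demoPath
$cred = Import-DpapiCredential -UserName 'EXAMPLE\svc-certify' -Path $demoPath
"Loaded credential for $($cred.UserName) as $([System.Security.Principal.WindowsIdentity]::GetCurrent().Name)"
Remove-Item -LiteralPath $demoPath
```

Exporting the password file once in a session running as the service's own logon account lets the scheduled script decrypt it without changing the service to an administrator account.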