Handling the Double Hop Problem in Remote PowerShell Queries with Plaintext Credential Storage

Time:06-27

Server A is using an SSIS Execute Process step to run a PowerShell command calling a Python script on Server B. The Python script then connects to SQL Server on Server A via Windows credentials.

Invoke-Command -ComputerName ServerB -FilePath '\\ServerB\MyPythonScript.py'

This failed because of a classic case of the double hop problem. The Windows credential gets passed to the remote PS session, but not on to the SQL connection.

After reading many of the other answers about double hop, I've tried to directly start the Python script with a new set of credentials, using plaintext. I'm aware this is not the most secure method, but I'm building this as a proof of concept - only after it's proven can I then look at more secure approaches.

Invoke-Command -ComputerName ServerB -FilePath '\\ServerB\MyPowerShellWrapper.ps1'

MyPowerShellWrapper.ps1

$Username   = 'BLAH'
$Password   = ConvertTo-SecureString -String 'FOO' -AsPlainText -Force
[pscredential]$cred = New-Object System.Management.Automation.PSCredential ($userName, $Password)
Start-Job -Name PythonJob -Scriptblock {python.exe 'C:\MyPythonScript.py'} -Credential $cred
Wait-Job -Name Pythonjob

This approach is still not working. The job fails, and PowerShell returns the following error message: An error occurred while starting the background process. Error reported: Access is denied.

What am I missing here?

CodePudding user response:

From the error message, it seems like you don't have access to the path.

Coming back to the double hop problem: to avoid this, I have started a new PowerShell execution on the remote machine with the code below.

$credpassword = ' Where I am passing password with from key logger'

$execaccount = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$secpwd = ConvertTo-SecureString $credpassword -AsPlainText -Force
$pscreds = New-Object System.Management.Automation.PSCredential($execaccount,$secpwd)

The Invoke-Command below will start a new PowerShell process on the remote machine with the help of a ScriptBlock, which will solve the double hop problem.

I have used CredSSP authentication during our setup.

Invoke-Command -ComputerName ServerB -ScriptBlock {powershell -File '\\ServerB\MyPowerShellWrapper.ps1'} -Authentication CredSSP -Credential $pscreds

CodePudding user response:

After some fiddling around, I have solved it.

I couldn't get it working just by passing credentials along, though that still might be possible - maybe I didn't adapt the idea correctly (which I took from Microsoft here).

I ended up using the method described here instead, which is another Microsoft-suggested method (PSSessionConfiguration using RunAs).

I set up a PowerShell session on Server B called "SQLPassthrough" and then created an ungodly single-line string in the Execute Process task to call it. It doesn't use a wrapper script, though it's so messy perhaps it should.

$Username = 'BLAH'; $Password = ConvertTo-SecureString -String 'FOO' -AsPlainText -Force; $cred = New-Object System.Management.Automation.PSCredential ($userName, $Password); Invoke-Command -ComputerName ServerB -Credential $cred -ConfigurationName SQLPassthrough -ScriptBlock {python 'C:\MyPythonScript.py'}
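
The RunAs endpoint setup that the answer above describes but does not show, written out as an added example (not code from the original posts). The account name CONTOSO\svc-sqlpassthrough is a hypothetical placeholder, and the example assumes the account the SSIS step runs under is granted access to the endpoint, so the task itself carries no password.

```powershell
# --- Run once on Server B, in an elevated PowerShell session ---
# Hypothetical account name; it needs a SQL Server login on Server A.
# The password is typed at the prompt here instead of sitting in the SSIS task.
$runAs = Get-Credential -UserName 'CONTOSO\svc-sqlpassthrough' `
                        -Message 'RunAs account for the SQLPassthrough endpoint'

# Commands sent to this endpoint run as $runAs, so the connection from
# Server B to SQL Server is a first hop made by that account.
Register-PSSessionConfiguration -Name 'SQLPassthrough' -RunAsCredential $runAs -Force

# Limit who may use the endpoint: grant Execute(Invoke) only to the account
# the SSIS step runs under. This opens the permissions dialog (interactive).
Set-PSSessionConfiguration -Name 'SQLPassthrough' -ShowSecurityDescriptorUI -Force

# Check what was registered and who is allowed to connect.
Get-PSSessionConfiguration -Name 'SQLPassthrough' |
    Format-List Name, RunAsUser, Permission

# --- Run from Server A (the SSIS Execute Process step) ---
# No -Credential and no password: the caller authenticates to WinRM as itself.
$result = Invoke-Command -ComputerName 'ServerB' -ConfigurationName 'SQLPassthrough' -ScriptBlock {
    # Identity the endpoint runs as; expected to be the RunAs account.
    $who = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $output = & python 'C:\MyPythonScript.py'
    [pscustomobject]@{
        RunningAs = $who
        ExitCode  = $LASTEXITCODE
        Output    = ($output -join "`n")
    }
}

$result | Format-List RunningAs, ExitCode, Output

# Make the SSIS step fail when the Python script fails.
if ($result.ExitCode -ne 0) { exit $result.ExitCode }
```

Anyone permitted to connect to this endpoint runs commands as the RunAs account, so the endpoint permissions and that account's rights in SQL Server are the two places to keep tight.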