Server A is using SSIS Execute Process step to run a Powershell command calling a Python script on a Server B. The Python script then connects to SQL Server on Server A via windows credentials.
Invoke-Command -ComputerName ServerB -FilePath '\\ServerB\MyPythonScript.py'
This failed, because a classic case of the double hop problem. The Windows credential gets passed to the remote PS session, but not onto the SQL Connection.
After reading many of the other answers about double hop, I've tried to directly start the Python Script with a new set of credentials, using plaintext. I'm aware this is not the most secure method but I'm building this as a proof of concept - only after it's proven can then look at more secure approaches.
Invoke-Command -ComputerName ServerB -FilePath '\\ServerB\MyPowerShellWrapper.ps1'
MyPowerShellWrapper.ps1
$Username = 'BLAH'
$Password = ConvertTo-SecureString -String 'FOO' -AsPlainText -Force
[pscredential]$cred = New-Object System.Management.Automation.PSCredential ($userName, $Password)
Start-Job -Name PythonJob -Scriptblock {python.exe 'C:\MyPythonScript.py'} -Credential $cred
Wait-Job -Name Pythonjob
This approach is still not working. The job fails, and PowerShell returns the following error message: An error occurred while starting the background process. Error reported: Access is denied.
What am I missing here?
CodePudding user response:
From the Error Message it seems like you don't the Access to the path
.
Coming back to Double Hop Problem, To Avoid this I have started new PowerShell Execution in the remote Machine with below code.
$credpassword = ' Where I am passing password with from key logger'
$execaccount = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$secpwd = ConvertTo-SecureString $credpassword -AsPlainText -Force
$pscreds = New-Object System.Management.Automation.PSCredential($execaccount,$secpwd)
This below Invoke-Command will start new PowerShell process with help of ScriptBlock in the Remote machine. Which will solve the Double Hop Problem.
I have Used CredSSP Authentication in during our setup
Invoke-Command -ComputerName ServerB -ScriptBlock {powershell -FilePath '\\ServerB\MyPowerShellWrapper.ps1'} -Authentication CredSSP
CodePudding user response:
After some fiddling around, I have solved it.
I couldn't get it working just by passing credentials along, though that still might be possible - maybe I didn't adapt the idea correctly (which I took from Microsoft here)
I ended up using the method described here instead which is another Microsoft suggested method (PSSessionConfiguration using RunAs)
I setup a Powershell session on Server B called "SQLPassthrough" and then created an ungodly single line string in the execute process task to call it. It doesn't use a wrapper script though it's so messy perhaps it should.
$Username = 'BLAH'; $Password = ConvertTo-SecureString -String 'FOO' -AsPlainText -Force; $cred = New-Object System.Management.Automation.PSCredential ($userName, $Password); Invoke-Command -ComputerName ServerB -Credential $cred -ConfigurationName SQLPassthrough -ScriptBlock {python 'C:\MyPythonScript.py'}