#11 (permalink)
Re: start-psjob - user credentials

Robin Moffatt wrote:
> Hi,
> Further to my previous question about psjob, I have another.
>
> I have a simple script that connects to a SQL server using integrated
> security. If I run the script from the console, it works. If I run it
> from start-psjob it fails, even if I pass -credential of my current
> user (and that has access to the SQL server in question)
>
> Running Profiler against the SQL server shows the interactive
> execution of the script connecting to the server with the correct
> domain ID of my current user, but when the job's run as start-psjob
> (with or without -credential) it connects to the SQL server as NT
> AUTHORITY\ANONYMOUS LOGON

I was looking around for something related to credentials in general, and came across this:
http://blogs.msdn.com/sql_protocols/...nnections.aspx

It seemed relevant to what was going on here. There is a "common issues and workaround" section on the above page regarding anonymous login failure messages.

Marco

--
Microsoft MVP - Windows PowerShell
http://www.microsoft.com/mvp

PowerGadgets MVP
http://www.powergadgets.com/mvp

Blog: http://marcoshaw.blogspot.com
#12 (permalink)
Re: start-psjob - user credentials

On Apr 2, 10:23 am, "Marco Shaw [MVP]" <marco.shaw@_NO_SPAM_gmail.com> wrote:
> Robin Moffatt wrote:
> > Hi,
> > Further to my previous question about psjob, I have another.
> >
> > I have a simple script that connects to a SQL server using integrated
> > security. If I run the script from the console, it works. If I run it
> > from start-psjob it fails, even if I pass -credential of my current
> > user (and that has access to the SQL server in question)
> >
> > Running Profiler against the SQL server shows the interactive
> > execution of the script connecting to the server with the correct
> > domain ID of my current user, but when the job's run as start-psjob
> > (with or without -credential) it connects to the SQL server as NT
> > AUTHORITY\ANONYMOUS LOGON
>
> I was looking around for something related to credentials in general,
> and came across this: http://blogs.msdn.com/sql_protocols/...understanding-...
>
> It seemed relevant to what was going on here. There is a "common issues
> and workaround" section on the above page regarding anonymous login
> failure messages.
>
> Marco
>
> --
> Microsoft MVP - Windows PowerShell http://www.microsoft.com/mvp
>
> PowerGadgets MVP http://www.powergadgets.com/mvp
>
> Blog: http://marcoshaw.blogspot.com

What's actually happening here is that when you start the job via Start-PSJob, you are submitting the work via WinRM. If you remember, for the first powershell CTP even local jobs go via WinRM and as such through a web service. The web service listener is what ends up running your code. Even though you can run the job locally (as a trusted connection uses the interactive user's credentials, e.g. yours), this will not work via the webservice as your credentials cannot be delegated beyond the WinRM webservice because of what's known as the "double-hop" issue.

The double-hop refers to the problem whereby your credentials are being passed more than one hop away from the origin:

* start-psjob - does not work
  localhost (posh) -> localhost (winrm) -> sqlserver
* local script - works
  localhost (posh) -> sqlserver

The only way you can get this to work is if you enable kerberos authentication instead of ntlm. Normally, both of these options are enabled in IIS, but kerberos is first by default, and only works when your machine is connected to a domain. Additionally, SPNs (service principal names) need to be created for each unique server / port combination of your machine in order for your machine to be authenticated by the remote server. Unfortunately this is beyond the scope of a usenet post, but perhaps if people are interested I could put together a blog post on how to do this.

Again, this will not work on your home machine no matter how hard you try if it is not connected to a domain. On top of that, I'm not even sure if kerberos authentication will work on the loopback interface (localhost) - in fact, thinking about it now, it probably won't. In future builds of the CTP, start-psjob will not submit local jobs via the WinRM webservice for this very reason AFAIK.

Some more information here under the "double hop" section:
http://support.microsoft.com/default...b;en-us;329986

Hope this helps,

- Oisin

PowerShell MVP
http://www.nivot.org/
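
A small diagnostic for the console-versus-job comparison described in the post above, added here as an example and not posted by anyone in the thread: it reports the identity the calling process holds next to the login and authentication scheme SQL Server sees for the same connection. `Get-SqlLoginView` and the server name are hypothetical; it assumes PowerShell 2.0 or later and, for the `auth_scheme` lookup, VIEW SERVER STATE permission on the server.

```powershell
# Added example, not from the thread. Assumes PowerShell 2.0 or later.
# Get-SqlLoginView is a hypothetical helper name.
function Get-SqlLoginView {
    param(
        [Parameter(Mandatory = $true)]
        [string]$ServerInstance   # name of the SQL Server to test against
    )

    # Identity of the process that is about to open the connection.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $view = New-Object PSObject -Property @{
        ProcessIdentity = $id.Name
        TokenAuthType   = $id.AuthenticationType
        SqlLogin        = $null
        SqlAuthScheme   = $null
        Error           = $null
    }

    $conn = New-Object System.Data.SqlClient.SqlConnection
    $conn.ConnectionString = "Server=$ServerInstance;Database=master;Integrated Security=SSPI;Connect Timeout=10"
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()

        # The login SQL Server mapped this connection to.
        $cmd.CommandText = 'SELECT SUSER_SNAME()'
        $view.SqlLogin = [string]$cmd.ExecuteScalar()

        # NTLM or KERBEROS, as negotiated for this session.
        # Needs VIEW SERVER STATE; a permission error is recorded by the catch.
        $cmd.CommandText = 'SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID'
        $view.SqlAuthScheme = [string]$cmd.ExecuteScalar()
    }
    catch {
        # A rejected login (the failing case in the thread) lands here.
        $view.Error = $_.Exception.Message
    }
    finally {
        $conn.Dispose()
    }
    $view
}

# Run once at the console and once inside the job, then compare the two objects.
# 'SQLSERVER01' is a placeholder server name.
# Get-SqlLoginView -ServerInstance 'SQLSERVER01' | Format-List
```

If the process identity is the domain user in both runs but the SQL login or error differs, the credentials were lost on the second hop rather than at job start.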
#13 (permalink)
Re: start-psjob - user credentials

> What's actually happening here is that when you start the job via
> Start-PSJob, you are submitting the work via WinRM. If you remember,
> for the first powershell CTP even local jobs go via WinRM and as such
> through a web service. The web service listener is what ends up
> running your code. Even though you can run the job locally (as a
> trusted connection uses the interactive user's credentials, e.g.
> yours), this will not work via the webservice as your credentials
> cannot be delegated beyond the WinRM webservice because of what's
> known as the "double-hop" issue. The double-hop refers to the problem
> whereby your credentials are being passed more than one hop away from
> the origin:

The reason I got confused, and wasn't sure what was going on was that I could not reproduce the problem.

I'll test it some more and reread your post while paying more attention.

Marco