6

I am trying to run a PowerShell script on a remote (Windows 2008 Server R2) machine. The following code works great when executed directly from PowerShell. (I.e. everything is set up correctly, WinRM services are running, hosts trust each other, login is correct...)

However, when I execute the exact same code from a Jenkins instance (running on the same machine where I tested) I get a PSSessionStateBroken connection failure. (Not posting full error because it is in German on my machine.)

I suppose that means Jenkins is using PowerShell differently or has different PowerShell/WinRM settings or insufficient privileges. Any ideas?

$computer = "<some ip>"
$user = "Administrator"
$password = "<secretpassword>"
$securepassword = ConvertTo-SecureString -String $password -AsPlainText -Force
$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $user, $securepassword
Invoke-Command -ComputerName $computer -ScriptBlock { Get-ChildItem C:\ } -Credential $cred

Edit: Managed to fix it by running the Jenkins service as Administrator. Works for me, but does not feel right...

MadDave

2 Answers

4

As of March 2014, Jenkins installs the Jenkins service to run as the LocalSystem user (i.e., NT AUTHORITY\SYSTEM). The LocalSystem account accesses the network using the computer account.

For example, Jenkins on a host named JENKINSSERVER connects to remote machines using the MYDOMAIN\JENKINSSERVER$ computer account in the MYDOMAIN Active Directory domain.

This means you need to add the MYDOMAIN\JENKINSSERVER$ account as a member of the BUILTIN\Administrators local group on the TARGETSERVER:

NET LOCALGROUP "Administrators" "MYDOMAIN\MYSERVER$" /add

Caveat Emptor: This allows any code executing as LocalSystem or NetworkService on the MYSERVER host to run remote commands on TARGETSERVER as an Administrator. You may be better off creating a specific domain user for just this service to restrict admin rights to just the single Jenkins service.

Steve Jansen
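
The following added example (not code from the answer above) checks both sides of what that answer describes: which network identity the Jenkins service presents, and which computer accounts already hold local admin rights on the target. It assumes the service is named `Jenkins`; both function names are hypothetical.

```powershell
# Added example. Assumptions: the service is named 'Jenkins'; both function
# names are hypothetical. Only PowerShell 2.0-compatible calls are used.

function Get-ServiceNetworkIdentity {
    # Run on the Jenkins host: which identity does the service present remotely?
    param([string]$ServiceName = 'Jenkins')

    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { throw "Service '$ServiceName' not found." }
    $cs = Get-WmiObject -Class Win32_ComputerSystem

    # LocalSystem and NetworkService authenticate to other hosts as the computer account.
    if ($svc.StartName -match '^(LocalSystem|NT AUTHORITY\\(SYSTEM|Network ?Service))$') {
        if ($cs.PartOfDomain) {
            # $cs.Domain is the DNS domain name, e.g. mydomain.example\JENKINSSERVER$
            $identity = '{0}\{1}$' -f $cs.Domain, $env:COMPUTERNAME
        } else {
            $identity = 'no domain identity (host is not domain-joined)'
        }
    } else {
        $identity = $svc.StartName   # a named local or domain user
    }
    New-Object PSObject -Property @{
        Service = $svc.Name; RunsAs = $svc.StartName; NetworkIdentity = $identity
    }
}

function Get-MachineAccountAdmin {
    # Run on the target server: list computer accounts (names ending in '$')
    # that are members of the local Administrators group.
    # The group name is resolved from its well-known SID because it is localized
    # (for example "Administratoren" on German Windows).
    $sid  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
    $name = $sid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$name,group"
    $group.psbase.Invoke('Members') | ForEach-Object {
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        if ($path -match '\$$') { $path -replace '^WinNT://', '' -replace '/', '\' }
    }
}

# On the Jenkins host:   Get-ServiceNetworkIdentity
# On the target server:  Get-MachineAccountAdmin   (no output = no computer account is an admin)
```
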
1

Does your Jenkins service account credential have permission to log on remotely to the target computer?

I would use ProcMon to watch the target system when accessed by the administrator account and by the regular service account. You will see a difference, and I bet it will be obvious! Good luck!

northben