3

All, I believe this scenario does sound odd, but I do need your help with this. First I use

Enter-PSSession -ComputerName myComputerName -Credential domain\user1

to remote to a third machine from my dev machine. I got a prompt like [myComputername]: PS C:\Users\user\. Then I tried to Start-Process as another user, say domain\user2. However, it failed, although the executable path fed to Start-Process is fully under the control of domain\user2. I suppose there is no permission problem with this. For example:

Start-Process -FilePath powershell -ArgumentList '-Command "& {whoami}"' -Credential domain\user2 -WorkingDirectory workingdirectory

It wouldn't print domain\user2. And it would if you run this command after remote desktop to the test machine. Does anyone know the root cause and the fix for this? Thanks & Regards, Jingfei

machinarium
  • I'm running into this same difficulty where user1 for me is an account on a different domain, and user2 is an account with sql permissions I need on a database in that different domain. Interesting that this never got answered; doesn't seem like this is so out of the ordinary. – bwerks Feb 06 '14 at 22:38

1 Answer

0

I believe you have the dreaded PowerShell Remoting Second Hop blues.

http://technet.microsoft.com/en-us/magazine/jj853299.aspx

CredSSP:

http://msdn.microsoft.com/en-us/library/ee309365(v=vs.85).aspx

Delegating credentials to a runspace:

http://www.vinithmenon.com/2012/11/delegated-administration-in-windows.html

mjolinor
  • Thanks for your reply. I need to add something: the 'Enter-PSSession' is not controlled by me in our product scenario, which means I need to Start-Process with domain\user2 under a domain\user1 PS session. Your solutions all change the properties or parameters of the first step, i.e. 'Enter-PSSession' – machinarium Nov 18 '13 at 05:22
  • Those are the only solutions I know of. The target (Enter-PSSession) machine will not delegate your connection credentials to another machine unless it is explicitly configured to do so, either by using CredSSP authentication or by using PSSession delegation. – mjolinor Nov 18 '13 at 13:26
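
The two configurations named in the answer above (CredSSP authentication, and a session configuration that runs as a second account), as an added example that is not part of the original thread. The computer and account names are the ones from the question; the endpoint name User2Endpoint is hypothetical, and each step is run on the machine named in its comment.

```powershell
# Names from the question: myComputerName, domain\user1, domain\user2.
# 'User2Endpoint' is a hypothetical session configuration name.

# ---- Option 1: CredSSP authentication ----
# On the dev machine (elevated): permit delegation to this one host only.
# The name must match what is later passed to -ComputerName.
Enable-WSManCredSSP -Role Client -DelegateComputer 'myComputerName' -Force

# On the remote machine (elevated): accept delegated credentials.
Enable-WSManCredSSP -Role Server -Force

# On the dev machine: confirm the policy, then connect with CredSSP.
Get-WSManCredSSP
$user1 = Get-Credential -Credential 'domain\user1'
Enter-PSSession -ComputerName myComputerName -Credential $user1 -Authentication Credssp

# Roll back when the delegation is no longer needed.
Disable-WSManCredSSP -Role Client   # dev machine
Disable-WSManCredSSP -Role Server   # remote machine

# ---- Option 2: session configuration that runs as domain\user2 ----
# On the remote machine (elevated). -ShowSecurityDescriptorUI opens a dialog
# for choosing which accounts may connect; grant domain\user1 only.
Register-PSSessionConfiguration -Name 'User2Endpoint' `
    -RunAsCredential (Get-Credential -Credential 'domain\user2') `
    -ShowSecurityDescriptorUI -Force

# On the dev machine: authenticate as user1, commands execute as user2.
Invoke-Command -ComputerName myComputerName -Credential $user1 `
    -ConfigurationName 'User2Endpoint' -ScriptBlock { whoami }
```

With CredSSP the remote host receives user1's credentials in a form it can reuse, so keep -DelegateComputer scoped to the single host that needs them. The RunAs endpoint stores user2's credential on the remote machine, so limit its security descriptor to the accounts that must use it.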