8

Unable to map a drive to a workgroup machine when I'm running the script using Invoke-Command. I'm connecting to a workgroup machine using Invoke-Command and there I'm trying to map a drive. I'm able to connect to the machine but unable to map the drive. The options I have tried are below:

I have tried using

net use $driveName $ShareLocation $Password /u:$Username

Getting Error:

System error 1312 has occurred.
    + CategoryInfo          : NotSpecified: (System error 1312 has occurred.:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
    + PSComputerName        : 10.125.160.132
A specified logon session does not exist. It may already have been terminated.

I have tried using

$net.MapNetworkDrive($driveName, $ShareLocation, $false, $Username, $Password);
New-PSDrive -Name K -PSProvider FileSystem -Scope Global -Root $ShareLocation -Credential $Credential -Persist

Getting Error:

A specified logon session does not exist. It may already have been terminated.
    + CategoryInfo          : OperationStopped: (:) [], COMException
    + FullyQualifiedErrorId : System.Runtime.InteropServices.COMException

This is working fine when I'm trying this code directly on the remote machine.

I have also tried enabling CredSSP on both machines and using Invoke-Command. It didn't help.

Bruno Bieri
Iliyas
  • I have even tried checking for and deleting the drive if it already exists, using $Net.RemoveNetworkDrive($driveName, 0) – Iliyas May 26 '16 at 10:40
  • Error while using net use: System error 1312 has occurred. + CategoryInfo : NotSpecified: (System error 1312 has occurred.:String) [], RemoteException + FullyQualifiedErrorId : NativeCommandError + PSComputerName : 10.125.160.132 A specified logon session does not exist. It may already have been terminated. – Iliyas May 26 '16 at 11:28
  • Error on MapNetworkDrive and New-PsDrive A specified logon session does not exist. It may already have been terminated. + CategoryInfo : OperationStopped: (:) [], COMException + FullyQualifiedErrorId : System.Runtime.InteropServices.COMException – Iliyas May 26 '16 at 11:29
  • Put it into the question please. It's unreadable here – Andrey Marchuk May 26 '16 at 11:35

2 Answers

1

It seems like the "double hop" problem. Try following these links to fix it: New-PsDrive Remote copy from DFS share errors: A specified logon session does not exist

https://social.technet.microsoft.com/Forums/windowsserver/en-US/a7853ac3-6c48-4615-896a-e306067ab804/net-use-via-powershell-returning-a-specified-logon-session-does-not-exist-it-may-already-have-been?forum=winserversecurity

Community
Andrey Marchuk
  • Thanks, but I have tried that and I'm still getting the same error – Iliyas May 26 '16 at 12:20
  • If it is a double hop error, look into running with a Group Managed Service Account that has delegation privilege within the Active Directory. Such a concept exists in SQL Server when two servers communicate via Linked Server - delegation is required to allow the user permissions to access only the authorized locations on the other server. The GMSA has enough permission to grant what is needed https://learn.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/configure-kerberos-delegation-group-managed-service-accounts – Jamie Nov 03 '22 at 11:50
1

"This behavior is by design" per the article here at Microsoft (even if the share is not for DFS) and can be resolved by changing Windows policy to allow the storing of passwords as described in the article. I've been trying to "net use" the way Bruno Bieri has, from a console app which is run periodically by Task Scheduler and the Task Scheduler Properties dialog includes a "Do not store password" checkbox; it also says "The task will only have access to local computer resources". I can't uncheck it because my organization's Windows policy doesn't allow this change.

The policy is Local Security Policy > Local Policies > Security Options > Network access: Do not allow storage of passwords and credentials for network authentication. Type "Local Security Policy" in the Windows search box to get started.

Reuben
brit503
  • What is "I've been trying to "net use" the way Bruno Bieri has"? Is there a sample? – Tim Jul 16 '19 at 09:23
  • 3
    @brit503 - Link is dead; it would have been really helpful to know what the important part was exactly – Security Hound Nov 27 '19 at 23:19
  • 1
    I found an archive of the article at that link indicating: On the Management Server, click Start, click Run, type gpedit.msc, and then click OK. Under Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then expand Security Options. In the Policy pane, right-click Network access: Do not allow storage of credentials or .NET Passports for network authentication, click Properties, click Disabled, and then click OK. The corresponding registry name and location is: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\ Name: DisableDomainCreds – brit503 Jul 30 '21 at 05:37
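
A diagnostic for the policy and registry value named in the comment above, as an added example that is not part of the original posts: it reads DisableDomainCreds on the remote machine and records whether a session-scoped mapping attempt fails with the logon-session error quoted in the question. The function name, its parameters and the DiagShare drive name are hypothetical, and the message match assumes an English-language system.

```powershell
# Added diagnostic example (not from the original posts).
# Hypothetical names: Test-RemoteShareMapping, its parameters, the DiagShare drive.
function Test-RemoteShareMapping {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]       $ComputerName,        # machine reached via Invoke-Command
        [Parameter(Mandatory)] [pscredential] $RemotingCredential,  # credential for the remoting session
        [Parameter(Mandatory)] [string]       $ShareLocation,       # UNC path of the share to map
        [Parameter(Mandatory)] [pscredential] $ShareCredential      # credential presented to the share
    )

    Invoke-Command -ComputerName $ComputerName -Credential $RemotingCredential -ScriptBlock {
        # Registry value behind the "Network access: Do not allow storage of
        # passwords and credentials for network authentication" policy.
        $lsa   = 'HKLM:\System\CurrentControlSet\Control\Lsa'
        $value = (Get-ItemProperty -Path $lsa -Name DisableDomainCreds -ErrorAction SilentlyContinue).DisableDomainCreds

        $result = [ordered]@{
            Computer           = $env:COMPUTERNAME
            DisableDomainCreds = if ($null -eq $value) { 'not set' } else { $value }
            MapSucceeded       = $false
            LogonSessionError  = $false
            ErrorMessage       = $null
        }

        try {
            # Session-scoped mapping attempt (no -Persist), removed again right away.
            New-PSDrive -Name DiagShare -PSProvider FileSystem -Root $using:ShareLocation `
                        -Credential $using:ShareCredential -ErrorAction Stop | Out-Null
            $result.MapSucceeded = $true
            Remove-PSDrive -Name DiagShare -ErrorAction SilentlyContinue
        }
        catch {
            $result.ErrorMessage      = $_.Exception.Message
            # Same text as the failures quoted in the question (system error 1312).
            $result.LogonSessionError = $_.Exception.Message -like '*specified logon session does not exist*'
        }

        [pscustomobject]$result
    }
}
```

A DisableDomainCreds value of 1 means the policy is enabled and credential storage is blocked; setting the policy to Disabled permits passwords and credentials to be stored on that machine.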