
This is about the famous double-hop limitation that looks trivial and has at least 10 workarounds but I cannot find even one that works for my setup.

Here is my environment: I have ~50 virtual machines on Windows 10, every VM runs on separate hardware - we use virtual machines because our IT guys claim they're easier to maintain than physical ones; I personally dislike VMs but it's not something that depends on me. We are in a non-domain environment, no Active Directory, we use a workgroup and every machine is administered individually.

My goal is to optimize PC management tasks like installing software, registering/starting services, etc. - I need to do that on all machines at once rather than performing each task 50 times. I managed to get PowerShell remoting running relatively quickly, but very soon I got stuck on not being able to access any network resource that requires additional authentication (all our network shares require LDAP authentication).

What I tried so far.

  1. Re-authenticate from the session, described here:

    $mappedDrive = @{
        Name = "u"
        PSProvider = "FileSystem"
        Root = "\\bladefs\share2"
        Credential = 'svetlozar.draganov'
    }
    Invoke-Command -ComputerName bw33 -ScriptBlock {
        New-PSDrive @using:mappedDrive
        Get-Content -Path \\bladefs\share2\text.txt
        Get-PSDrive
        Remove-PSDrive -Name "u"
        Get-PSDrive
    } -Credential render
    

    What the above command does is run a remote command via Invoke-Command that requests two authentications: the first authentication is to connect to the machine bw33, then with a New-PSDrive command another authentication is sent to the already established session with bw33 to mount a network share with username and password. This sometimes, on very rare occasions, actually works, but I cannot pinpoint when and why it works and why in most cases it doesn't. Even though I'm executing absolutely the same PowerShell script a dozen times, it only works for a very small percentage of them; the rest of them just say this:

    A specified logon session does not exist. It may already have been
    terminated
        + CategoryInfo          : InvalidOperation: (u:PSDriveInfo) [New-PSDrive], Win32Exception
        + FullyQualifiedErrorId : CouldNotMapNetworkDrive,Microsoft.PowerShell.Commands.NewPSDriveCommand
        + PSComputerName        : bw33
    Cannot find path '\\bladefs\share2\text.txt' because it does not exist.
        + CategoryInfo          : ObjectNotFound: (\\bladefs\share2\text.txt:String) [Get-Content], ItemNotFoundException
        + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetContentCommand
        + PSComputerName        : bw33
    

    I actually captured a working and non-working attempt in the video below: https://drive.google.com/uc?id=1HYD8p-VkLYyIExZVWO_8qgpI2kmlUDgF

    As you can see, with the first execution everything is fine: the PSDrive is mapped successfully and I can reach the \\bladefs\share2 network path, but with the second execution I get some errors.

  2. Similar to the above, but instead of mapping the drive via the PSDrive command, mapping it via the NET USE command with username and password.

    Invoke-Command -ComputerName bw33 -Credential render -ScriptBlock {
        net use x: \\bladefs\share2 /user:svetlozar.draganov password
        Test-Path \\bladefs\share2
    }
    

    This, like the first, sometimes works, but again it only works once; all subsequent executions lead to this error:

    System error 1312 has occurred.
        + CategoryInfo          : NotSpecified: (System error 1312 has occurred.:String) [], RemoteException
        + FullyQualifiedErrorId : NativeCommandError
        + PSComputerName        : bw33
    A specified logon session does not exist. It may already have been terminated.
    

    Here is a video of another attempt that again captures working and non-working execution of that command: https://drive.google.com/uc?id=1wP20sbmXMfWu4dvjsdF8REDWgNxiKAS-

  3. Using CredSSP described here:

    $session = New-PSSession -cn bw33 -Credential render -Authentication Credssp
    Invoke-Command -Session $session -ScriptBlock {Test-Path \\bladefs\share2}
    

    Although this is the most popular and insecure way to resolve this issue, I decided to give it a try because the recommended options didn't work. Unfortunately I hit a brick wall with this approach as well; here are the errors:

    New-PSSession : [bw33] Connecting to remote server bw33 failed with
    the following error message : The request is not  supported. For more
    information, see the about_Remote_Troubleshooting Help topic.
    At line:1 char:12
    + $session = New-PSSession -cn bw33 -Credential render -Authentication  ...
    +            ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotingTransportException
       + FullyQualifiedErrorId : 50,PSSessionOpenFailed
    Invoke-Command : Cannot validate argument on parameter 'Session'. The
    argument is null or empty. Provide an argument that is  not null or empty,
    and then try the command again.
    At line:2 char:25
    + Invoke-Command -Session $session -ScriptBlock {Test-Path \\bladefs\sh ...
    +                         ~~~~~~~~
       + CategoryInfo          : InvalidData: (:) [Invoke-Command], ParameterBindingValidationException
       + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.PowerShell.Commands.InvokeCommandCommand
    

    And respectively the video: https://drive.google.com/uc?id=10tbAq6vvRsvT-1SGqOzvPgIPcM-MT8CJ
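The "The request is not supported" error from attempt 3 is what `New-PSSession -Authentication Credssp` typically returns when CredSSP is not enabled in WinRM on the client side, the service side (bw33), or both. The script below is an added example, not code from the question, that reads those two WinRM settings without changing anything, so you can see the state before deciding whether CredSSP belongs in this environment at all (it forwards reusable credentials to the remote host, which is why the question calls it insecure). It assumes the WinRM service is running locally so the `WSMan:` drive can be read, and that `$targetCred` holds a credential for a local administrator on the target; the hostname bw33 is taken from the question.

```powershell
# Added example: read-only probe of WinRM CredSSP settings on the client and on a target.
# Assumptions: WinRM is running on this machine (needed to browse WSMan:), and the
# account in $targetCred is a local administrator on the target VM.

# One script block is run locally and remotely, so both sides are read the same way.
$probe = {
    # These WSMan: provider paths exist on any Windows host with WinRM installed;
    # the Value property is the string 'true' or 'false'.
    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        ClientCredSSP  = [bool]::Parse((Get-Item 'WSMan:\localhost\Client\Auth\CredSSP').Value)
        ServiceCredSSP = [bool]::Parse((Get-Item 'WSMan:\localhost\Service\Auth\CredSSP').Value)
    }
}

# Hop 1 credential for the target VM (hypothetical local admin account 'render').
$targetCred = Get-Credential -Message 'Local admin account on bw33' -UserName '.\render'

# Local side: the machine that will call New-PSSession -Authentication Credssp.
$local = & $probe

# Service side: read the target over an ordinary (non-CredSSP) session.
$remote = Invoke-Command -ComputerName 'bw33' -Credential $targetCred -ScriptBlock $probe

$local, $remote | Format-Table ComputerName, ClientCredSSP, ServiceCredSSP -AutoSize

# The CredSSP handshake needs Client=true here and Service=true on the target.
if (-not $local.ClientCredSSP -or -not $remote.ServiceCredSSP) {
    Write-Warning ('CredSSP is disabled on at least one side (client={0}, service={1}); ' +
                   '-Authentication Credssp will fail with "The request is not supported".' -f
                   $local.ClientCredSSP, $remote.ServiceCredSSP)
}
```

Because the probe only reads the settings, it is safe to run across all the VMs with `-ComputerName` taking a list; it tells you whether the failure in attempt 3 is configuration rather than the double hop itself, and leaves the decision to enable CredSSP (with `Enable-WSManCredSSP`) as an explicit, separate step.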

Ansgar Wiechers

1 Answer


I had a somewhat similar issue to yours a while back, but I have a domain-joined setup. That shouldn't make too much difference as long as you have the credentials. In your example you don't seem to be using an actual PSCredential object, which might be your issue. If you can use the same credential to connect to the remote system and then back to your share, then this should work:

    $Password = Read-Host -Prompt 'Enter Password' -AsSecureString
    $Credential = New-Object -TypeName PSCredential('username',$Password)
    $mappedDrive = @{
      Name = "u"
      PSProvider = "FileSystem"
      Root = "\\bladefs\share2"
      Credential = $Credential
    }
    Invoke-Command -ComputerName bw33 -Credential $Credential -ScriptBlock {
      New-PSDrive @Using:mappedDrive
      # Do Stuff...
      Remove-PSDrive -Name "u"
    }
Scott Heath
  • I didn't mention it in the initial post, but this is also something I tried and it didn't work. I tried one more time just in case but it still doesn't work. I don't think this would help because even without a Credential object PowerShell asks for username and password during the command execution and creates them on the fly. Furthermore I will need two Credential objects because connecting to the slave requires one set of username and password, and connecting to the network share requires another set. – Svetlozar Draganov Jan 09 '19 at 08:44
  • I'm almost convinced that the entire issue is due to not using a domain controller, but this is not something I could change. – Svetlozar Draganov Jan 09 '19 at 08:49
  • You can have as many credential objects as you need. Without knowing how the usernames are set up I just put 'username'. You may need to put in 'servername\username' for the credential to work. – Scott Heath Jan 09 '19 at 17:03
  • Thanks for that clarification, unfortunately this doesn't help to resolve the issue. It's most likely something else not the way that credentials are supplied. – Svetlozar Draganov Jan 09 '19 at 19:20
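The answer and the comments together describe the shape of the first workaround: build real PSCredential objects, and, since the workgroup setup needs one account for the target VM and a different one for the share, use two of them. The script below is an added example (neither the asker's nor the answerer's code) that does exactly that and runs the same second-hop work across a list of machines, which is what the question is ultimately after. The share credential is carried into the remote session with `$using:` and used for an explicit `New-PSDrive -Credential`, so the second hop is a re-authentication performed inside the session rather than a delegated one. Cleanup runs in `finally` so a failed mapping never leaves a drive behind, and each machine reports its own result instead of dumping errors. Hostnames, account names and the share path are the ones from the question; the "work" step (reading `text.txt`) is a placeholder.

```powershell
# Added example: two-credential double hop with explicit re-authentication inside the session.
# Assumptions: 'render' is a local admin account on every target VM (workgroup, hence '.\'),
# 'svetlozar.draganov' is accepted by the file server for \\bladefs\share2, and text.txt exists there.

$computers = @('bw33')            # extend to all ~50 VMs
$shareRoot = '\\bladefs\share2'

# Hop 1: the account used by Invoke-Command to reach each VM.
$targetCred = Get-Credential -Message 'Local admin account on the target VMs' -UserName '.\render'

# Hop 2: the account the file server wants for the share (a different identity).
$shareCred = Get-Credential -Message "Account for $shareRoot" -UserName 'svetlozar.draganov'

$results = Invoke-Command -ComputerName $computers -Credential $targetCred -ThrottleLimit 10 -ScriptBlock {
    $driveName = 'u'
    $status = [ordered]@{
        Computer = $env:COMPUTERNAME
        Mapped   = $false
        Error    = $null
    }

    try {
        # Explicit second authentication from inside the remote session, using the
        # share credential passed in from the caller. The mapping lives only as long
        # as this session, so nothing persists on the VM after the command returns.
        New-PSDrive -Name $driveName -PSProvider FileSystem -Root $using:shareRoot `
                    -Credential $using:shareCred -ErrorAction Stop | Out-Null

        # Verify the second hop actually worked before doing any work against it.
        $status.Mapped = Test-Path -Path "${driveName}:\"

        # Placeholder for the real task (install, service registration, ...).
        Get-Content -Path "${driveName}:\text.txt" -ErrorAction Stop | Out-Null
    }
    catch {
        # Captured per machine so one failing VM does not hide the others' results.
        $status.Error = $_.Exception.Message
    }
    finally {
        if (Get-PSDrive -Name $driveName -ErrorAction SilentlyContinue) {
            Remove-PSDrive -Name $driveName -Force
        }
    }

    [pscustomobject]$status
}

# One row per VM: which ones mapped the share and, if not, the exact error text
# (e.g. "A specified logon session does not exist" as seen in the question).
$results | Sort-Object Computer | Format-Table Computer, Mapped, Error -AutoSize
```

Keeping the mapping, the work and the cleanup in one script block per machine means the intermittent failure the question describes shows up as a `Mapped = False` row with its message, which is easier to correlate across 50 VMs than scrolling through interleaved error output.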