0

So I am trying to use invoke-command to install a chocolatey package who is just a 7z command to extract the archive from a server and unzip to the C: drive. Unfortunately, I'm having powershell access denied popped up and I don't know why.

1- My executionpolicy is unrestricted 2- I have set my computer to allow powershell remoting

Here is my code: 

$Computers = Get-Content -Path "E:\DeployWin\scripts\test-chocolatey\vm.txt"
$Cred = Get-Credential $env:USERNAME

Foreach ($Computer in $Computers)
    {
        $Computer
        Invoke-Command -ComputerName $Computer -Credential $Cred -ScriptBlock {choco install ue_4.24_test -my  -t=0 --force}
    }

I am greeted by the error:

Progress: Downloading ue_4.24_test 1.0... 51%
Progress: Downloading ue_4.24_test 1.0... 100%

ue_4.24_test v1.0 (forced)
ue_4.24_test package files install completed. Performing other installation steps.

7-Zip 19.00 (x64) : Copyright (c) 1999-2018 Igor Pavlov : 2019-02-21

Scanning the drive for archives:
System.Management.Automation.RemoteException
ERROR: Access denied‚.
\\servername\share\nameofthezip.zip

In my chocolatey package, I am using:

7z e "\servername\share\nameofthezip.zip" -o"D:\"

If I do this command on the target computer directly in powershell, it works without a problem... is this a double hopping problem? Anyone has an idea?

Axiom
  • 33
  • 1
  • 8
  • I think the issue isn't in your code since the process had already started. The error: Access denied is related to the permissions of the share you are trying to access. You don't have permissions to access it, try checking them to know that. –  Apr 02 '20 at 09:24
  • That's the thing.... for testing purposes I put everyone on full access.... That's what I don't get. – Axiom Apr 02 '20 at 11:53
  • Are you able to execute anything on the target computer ? Like try writing a file to the Desktop, command: "testing remoting" | Out-File "$env:userprofile\Desktop\test.txt" . If the command works through remoting then your issue isn't related to remoting we can rule it out. –  Apr 02 '20 at 11:55
  • I think I found my problem. The access denied seems related to the invoke-command. Even though I specified credentials, it doesn't seem to follow with chocolatey... I'll do more investigation and I'll come back with a solution. – Axiom Apr 02 '20 at 14:47

1 Answers1

0

You fell victim to one the classic blunders regarding the infamous double-hop issue with winrm/psremoting, etc. You are authenticating to one system and then trying to authenticate to another (the CIFS server hosting the share at "\\servername").

This isn't really a bug but an actual security feature, intended to prevent would be evil-doers from double-hopping from system to system. There are ways to work around it with CredSSP or without. I wish you luck.

Rob0tScience
  • 49
  • 5