
I am trying to update the certificate revocation list on a root server and want to update it on an issuing CA server. But I am facing a strange problem, as below:

1. When I try to publish the .crl on the issuing CA using the following command from PowerShell, it works as expected. I am using the domain admin account to log in to the machine and then executing the command in PowerShell with admin privileges:

cmd /c "certutil -f -dspublish C:\<crl_name>.crl"

It works fine:

whoami
<domain_name>\administrator

2. Now, if I execute the same command from a Jenkins pipeline, I am trying to do the same using Invoke-Command with the same admin credentials, but it is not working and throws the following error:

try {
    # $username is passed as <domain_name>\administrator; $password is that account's password
    Invoke-Command -ScriptBlock { cmd /c "certutil -f -dspublish C:\<crl_name>.crl" } -ComputerName localhost -Credential (New-Object System.Management.Automation.PSCredential $username, (ConvertTo-SecureString $password -AsPlainText -Force))
} catch { echo $_.Exception.Message }

For $username I am passing the value <domain_name>\administrator.

But the error is:

ldap:///CN=XXXX,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=<domain_name>,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint?certificateRevocationList

ldap: 0x1: 000004DC: LdapErr: DSID-0C090DE7, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580
CertUtil: -dsPublish command FAILED: 0x800704dc (WIN32: 1244 ERROR_NOT_AUTHENTICATED)
CertUtil: The operation being requested was not performed because the user has not been authenticated.

I am using the same credentials that I use to log in to the machine as admin to execute the command, and that time it works, but if I use the same credentials with Invoke-Command it fails.

Can anybody please help me with this?

Reese
  • Curious: Have you tried changing `-ComputerName localhost` to `-ComputerName fully.qualified.host.name`, or even `-ComputerName IPAddress`? Also, have you tried using a local computer administrator account against localhost instead of a domain administrator account? – leeharvey1 Jul 08 '20 at 12:14
  • Tried these things, but no luck. What surprises me is that if I run the dspublish command as I mentioned in the question directly on the issuing CA from an administrative PowerShell box, it runs just fine. Then I do the whoami and I see the local admin username. The same username and the (known) password I then use in an Invoke-Command, since I need to run this script remotely from a pipeline, and it fails with a privilege error. Am I using the Invoke-Command in the right way? Please suggest. – Reese Jul 10 '20 at 21:54
  • Maybe, inside your `-ScriptBlock { ... }`, try calling `Start-Process` and use the `-Verb runAs` parameter. [This topic](https://stackoverflow.com/q/57399984/11609403) may help. – leeharvey1 Jul 11 '20 at 11:35
  • Does this answer your question? [Powershell throws error with Get-ADPrincipleGroup](https://stackoverflow.com/questions/64606936/powershell-throws-error-with-get-adprinciplegroup) – DustWolf Dec 27 '22 at 16:49

1 Answer


Basically what's happening here is that the PowerShell context you are using has credential delegation disabled, which means that the credentials you are using to run the command cannot be used for the LDAP connection, hence the user is "not authenticated".

The solution depends on what exactly your context is; it usually boils down to either enabling delegation or using CredSSP instead of Kerberos. In my case, I was using Kerberos on Ansible, which allows delegation but it is not enabled by default, so my solution was adding `ansible_winrm_kerberos_delegation: yes` in the inventory.

DustWolf
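The two routes the answer names, CredSSP and Kerberos delegation, worked through as an added PowerShell example for the Jenkins-to-CA case in the question; this is not code from the original question or answer. The host names ca01.corp.local (issuing CA) and dc01.corp.local (domain controller), the account CORP\svc-crlpublish, the CRL path and the CA_ADMIN_PASSWORD variable are all assumptions.

```powershell
# Added example, not from the original post. All names below are assumptions:
#   ca01.corp.local      issuing CA, the WinRM target where certutil -dspublish runs
#   dc01.corp.local      domain controller that receives the LDAP write (the second hop)
#   CORP\svc-crlpublish  account used for publishing; give it write access to the CDP
#                        container rather than reusing the domain Administrator account
#   CA_ADMIN_PASSWORD    environment variable populated by a Jenkins credential binding

$secret = ConvertTo-SecureString -String $env:CA_ADMIN_PASSWORD -AsPlainText -Force
$cred   = New-Object System.Management.Automation.PSCredential ('CORP\svc-crlpublish', $secret)
$crl    = 'C:\CRL\IssuingCA.crl'

# Diagnostic: a plain remoting session is a network logon that holds no TGT, so certutil has
# nothing to present to the DC. "Cached Tickets: (0)" here means the second hop will fail,
# even though whoami inside the same session reports the expected account.
Invoke-Command -ComputerName 'ca01.corp.local' -Credential $cred -ScriptBlock { klist }

# ---- Option A: CredSSP. The password itself is forwarded to ca01, which logs on as the
# ---- account and can therefore reach LDAP. Whoever controls ca01 can recover that password,
# ---- so enable it only for this one client/target pair and prefer Option B where possible.
#
# One-time setup on ca01 (elevated):    Enable-WSManCredSSP -Role Server -Force
# One-time setup on the Jenkins agent:  Enable-WSManCredSSP -Role Client -DelegateComputer 'ca01.corp.local' -Force
Invoke-Command -ComputerName 'ca01.corp.local' -Credential $cred -Authentication Credssp -ScriptBlock {
    param($Path)
    & certutil.exe -f -dspublish $Path
    if ($LASTEXITCODE -ne 0) { throw "certutil -dspublish failed with exit code $LASTEXITCODE" }
} -ArgumentList $crl

# ---- Option B: resource-based Kerberos constrained delegation. No password leaves the
# ---- client; AD is told that ca01 may present the remoting user's identity to dc01.
# ---- Run the Set-ADComputer line once, as an account allowed to edit dc01's object.
# ---- Delegation to a domain controller is a high-value grant: scope it to the CA host only,
# ---- and keep privileged accounts in Protected Users (or flagged "sensitive and cannot be
# ---- delegated") so they can never be the identity that is relayed.
Import-Module ActiveDirectory
$ca = Get-ADComputer -Identity 'ca01'
$dc = Get-ADComputer -Identity 'dc01'
Set-ADComputer -Identity $dc -PrincipalsAllowedToDelegateToAccount $ca

# Purge the CA's cached tickets (SYSTEM logon session 0x3e7) so the new delegation takes
# effect without a reboot; afterwards the plain Kerberos session works. The FQDN matters:
# Kerberos needs it to locate the HTTP/ca01.corp.local SPN, which 'localhost' does not map to.
Invoke-Command -ComputerName 'ca01.corp.local' -Credential $cred -ScriptBlock { klist purge -li 0x3e7 }
Invoke-Command -ComputerName 'ca01.corp.local' -Credential $cred -ScriptBlock {
    param($Path)
    & certutil.exe -f -dspublish $Path
    if ($LASTEXITCODE -ne 0) { throw "certutil -dspublish failed with exit code $LASTEXITCODE" }
} -ArgumentList $crl

# To withdraw the delegation later:
# Set-ADComputer -Identity $dc -PrincipalsAllowedToDelegateToAccount $null
```

Run the klist diagnostic first: it distinguishes the second-hop problem (a session with no tickets) from a genuine permissions problem on the CDP container, which would produce an access-denied error rather than ERROR_NOT_AUTHENTICATED. Whichever option is used, the pipeline step should throw on a non-zero certutil exit code, as above, so that a failed publish fails the build instead of being swallowed by a catch block that only echoes the message.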