2 Replies Latest reply on Sep 5, 2012 7:54 AM by mik22

    SwisSnapin and PSremoting

    mik22

      SDK version 1.5

      NPM version 10.2.2

       

      I'm having trouble using SwisSnapin inside a PSremoting session.  Using local SW credentials so there aren't any double-hop Windows authentication issues, I can't seem to get it to connect successfully.  My script works fine when run locally (even with the stored credentials), but as soon as it's done inside a WinRM session it stops connecting.  I removed the secure string for purposes of posting, but the secure string method was generated by converting a working credential password to a secure string and then saving that string as a variable.  This was tested working locally.  You can do the same by using

       

      $cred = Get-Credential

      $password = $cred.Password | ConvertFrom-SecureString

       

      and storing that value in the below string (although the value printed to the string is incomplete so I was able to use PowerGui to fetch the entire string value from the variable).

       

       

      $ctxsess = New-PSSession -ComputerName "server.hostname.com"

      Invoke-Command -Session $ctxsess -ScriptBlock {

          Add-PSSnapin SwisSnapin

          $username = "\release_team"
          $secpassword = "securestring would be here"
          $password = ConvertTo-SecureString -String $secpassword
          $credential = New-Object System.Management.Automation.PsCredential($username,$password)

          # Connect to Solarwinds server
          $swis = Connect-Swis -v2 -host 'solarwinds.hostname.com' -Credential $credential

          $nodes = Import-Clixml -Path E:\Scripts\Files\UnmanagedServers.xml

          # Unmanage nodes
          foreach ($node in $nodes) {
              $nodename = $node.DNShostname
              $nodeid = Get-SwisData $swis "SELECT NodeID FROM Orion.Nodes WHERE DNS like '$nodename'"
              Write-Output "Unmanaging $nodename : $nodeid"
              $now = [DateTime]::Now
              $later = $now.AddHours(6)
              Invoke-SwisVerb $swis Orion.Nodes Unmanage @("N:$nodeid",$now,$later,"false")
          }
      }

      Remove-PsSession -Session $ctxsess

        • Re: SwisSnapin and PSremoting
          tdanner

          PowerShell remoting is kind of magical (which is another way of saying complicated and error-prone!).

           

          But I suspect the actual problem here is that the exported SecureString is not portable from one computer to another. So when you copy the long number produced by ConvertFrom-SecureString and paste it into the remote session, it can't be decrypted properly. When I try that, I get this error:

           

          ConvertTo-SecureString : Key not valid for use in specified state.

           

          I know you are trying to do the right thing and protect that password, but try using a plain text password to see if you can get it working:

           

          ConvertTo-SecureString "Hello" -AsPlainText -Force


          If that works, then you can either live with the plain text password, get Windows authentication (the -Trusted option for Connect-Swis) working, or look at the -Key option for ConvertTo/From-SecureString (of course, then you have another secret to protect somehow...).

            • Re: SwisSnapin and PSremoting
              mik22

              Thank you for that information, it slipped my mind that
              there would be keys involved to do the SecureString generation. The plain text
              method works perfectly as you describe. My next step was to attempt generating
              the securestring text on that remote computer, but it looks like the encryption
              is tied to the user account and the local computer generating the string.

               

               

              My intention of having someone else run this script wouldn't
              work unless they generated the secure string beforehand. Even still, you need
              to set up SPNs/delegation to even generate the string. You would think
              double-hop authentication would be more straightforward in passing tickets
              around but I'm sure there are technical reasons that it isn't seamless yet.

               

               

              We ended up creating a local SolarWinds account so the plain
              text password would really just give these people access to SolarWinds and
              nothing more. It isn't the end of the world if we have to store the password in
              plain.
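
The -Key option tdanner mentions, and the user/machine binding mik22 ran into, shown as an added example (not code from either poster or from the SwisSnapin project). The function names, the temp key path, the user name and the sample password are all constructed for illustration.

```powershell
# Added example. Paths, user name and the sample password are constructed.

function New-AesKeyFile {
    param([Parameter(Mandatory)][string]$Path)
    $key = New-Object byte[] 32    # 32 bytes = AES-256; -Key accepts 16, 24 or 32
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($key) } finally { $rng.Dispose() }
    [System.IO.File]::WriteAllBytes($Path, $key)
    # Assumption: the file's ACL is then restricted to the accounts that run the script.
}

function Export-PortablePassword {
    param([Parameter(Mandatory)][securestring]$Password,
          [Parameter(Mandatory)][string]$KeyPath)
    $key = [System.IO.File]::ReadAllBytes($KeyPath)
    # Without -Key, Windows protects the output with DPAPI (this user, this machine).
    # With -Key it is AES-encrypted under $key and decrypts wherever the key is present.
    ConvertFrom-SecureString -SecureString $Password -Key $key
}

function Import-PortableCredential {
    param([Parameter(Mandatory)][string]$UserName,
          [Parameter(Mandatory)][string]$Protected,
          [Parameter(Mandatory)][string]$KeyPath)
    $key = [System.IO.File]::ReadAllBytes($KeyPath)
    $secure = ConvertTo-SecureString -String $Protected -Key $key
    New-Object System.Management.Automation.PSCredential($UserName, $secure)
}

# Round trip on one machine with a constructed password
$keyPath = Join-Path ([System.IO.Path]::GetTempPath()) 'swis-example.key'
New-AesKeyFile -Path $keyPath
$sample = ConvertTo-SecureString 'Constructed-Sample-Pw1' -AsPlainText -Force
$blob   = Export-PortablePassword -Password $sample -KeyPath $keyPath
$cred   = Import-PortableCredential -UserName 'release_team' -Protected $blob -KeyPath $keyPath

if ($cred.GetNetworkCredential().Password -ne 'Constructed-Sample-Pw1') {
    throw 'Round trip failed'
}
Write-Output "Recovered credential for $($cred.UserName)"
Remove-Item $keyPath
```

In the remoting scenario from this thread, the key file has to exist on the remote host and the import function has to be defined and called inside the Invoke-Command script block, since local functions are not available in the remote session. The key file then becomes the secret to protect, so anyone who can read it can recover the password.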