PowerShell Server Network drive

广开言路 2021-01-24 17:55

I have a client and a server. The client will call a script like:

#Predefine necessary information
$Username = "Niels"
$Password = "password"
$ComputerName


        
2 Answers
  • 2021-01-24 18:39

    Another option is to use a delegated session on your server.

    Basically, you create a custom remote session that uses the -RunAs parameter to designate the credentials that the session will run under. You can also constrain what scripts and cmdlets can be run in the session and specify who can connect to the session.

    In this case, the session would run as the Niels account, and everything done in the session would be under that account authority, regardless of who was connected to the session. From that session, you can now make one hop to another server without needing CredSSP.

    This also eliminates the security risk involved in storing that account password in the script file on the client computer.

    http://blogs.technet.com/b/heyscriptingguy/archive/2014/04/03/use-delegated-administration-and-proxy-functions.aspx

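One way to build the delegated session described in the answer above, as an added example that is not part of the original answer or the linked blog post. The endpoint name, the `C:\PSConfig` path, the host name and the `\\fileserver\share` path are placeholders; `Register-PSSessionConfiguration` takes the run-as account through its `-RunAsCredential` parameter.

```powershell
# --- On the server, in an elevated PowerShell session ---
# Assumed names (not from the post): endpoint 'NielsShare', folder C:\PSConfig.
$ConfigName = 'NielsShare'
$ConfigFile = 'C:\PSConfig\NielsShare.pssc'
New-Item -ItemType Directory -Path 'C:\PSConfig' -Force | Out-Null

# Constrain the endpoint: no script language, only the listed cmdlet and provider.
$fileParams = @{
    Path             = $ConfigFile
    SessionType      = 'RestrictedRemoteServer'
    LanguageMode     = 'NoLanguage'
    VisibleCmdlets   = 'Get-ChildItem'
    VisibleProviders = 'FileSystem'
}
New-PSSessionConfigurationFile @fileParams
Test-PSSessionConfigurationFile -Path $ConfigFile   # True when the file is valid

# Register the endpoint. Get-Credential prompts for the run-as account (the
# Niels account in the question), so the password is typed once on the server
# and is never written into a script on the client.
# -ShowSecurityDescriptorUI opens the permissions dialog: grant Execute(Invoke)
# only to the users or groups that are allowed to connect.
$registerParams = @{
    Name                     = $ConfigName
    Path                     = $ConfigFile
    RunAsCredential          = (Get-Credential -Message 'Run-as account for the endpoint')
    ShowSecurityDescriptorUI = $true
    Force                    = $true   # suppress prompts and restart WinRM
}
Register-PSSessionConfiguration @registerParams

# Review what was registered: the run-as user and who may connect.
Get-PSSessionConfiguration -Name $ConfigName |
    Format-List Name, RunAsUser, Permission

# --- On the client ---
# The caller authenticates as themselves; no stored password and no CredSSP.
$ComputerName = 'server01.mydomain.int'   # placeholder host name
Invoke-Command -ComputerName $ComputerName -ConfigurationName 'NielsShare' -ScriptBlock {
    Get-ChildItem -Path '\\fileserver\share'   # placeholder share, read as the run-as account
}
```

Anyone granted access to the endpoint acts with the run-as account's rights, so keep both the permission list and the visible cmdlets as narrow as the task allows.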
  • 2021-01-24 18:52

    You can't do this using the default authentication mechanism. You need to use an authentication mechanism that allows you to flow credentials, not just identity. Kerberos is one of these. CredSSP is another that is built into Windows starting from Vista/Server 2008 onwards.

    I have experience setting up CredSSP. Note that there is some security risk because the target machine will have access to the credentials as plain text.

    To set it up you will need to run two commands (both from an elevated shell). One on the machine you are running the above script on (the client) and another on the target that you will be connecting to via remoting (the server).

    Enable-WSManCredSSP -Role Client -DelegateComputer $ComputerName -Force
    

    This enables delegation to $ComputerName from the client (note you may have to use the FQDN). For security reasons you should avoid using the wild card '*' although you might consider using '*.mydomain.int' to enable delegation to all machines on the domain.

    On the target server

    Enable-WSManCredSSP -Role Server
    

    Then when you create the session use the -Authentication flag

    $Session = New-PSSession -ComputerName $ComputerName -credential $Cred -Authentication Credssp
    

    There are questions on ServerFault on setting up CredSSP. There is also a blog post here with additional explanation. This post has troubleshooting tips for some commonly encountered error messages.
