
Invoke-command does not use the credentials as it should by Graellar Sharantyr



Type: Bug
ID: 850150
Opened: 4/10/2014 6:19:25 AM
Access Restriction: Public
User(s) can reproduce this bug


Hello there,

I'm using the psremoteservices module to read current connections on my terminal servers.

I do it remotely.

If I use a PowerShell runas user "domain\tsereader" on management-server and run get-tssession -ComputerName tse-server, it works.

If I log in to Windows on management-server using the domain\tsereader login and run the same command above, it works.

If I use

Invoke-Command -ComputerName $env:COMPUTERNAME -Credential $creds -ScriptBlock { Import-Module psterminalservices; get-tssession -ComputerName tse-server }
($creds stores domain\tsereader credentials)

it does not work; I get: Invoke-Command : Exception calling "GetSessions" with "0" argument(s): "Access is denied"

If I use

$job = start-job -Credential $creds -ScriptBlock { Import-Module psterminalservices; get-tssession -ComputerName tse-server }

it works!?

Start-Job uses 100% of the credentials, Invoke-Command does not. I don't understand why, because using echo $env:username returns the right login, but it seems using Invoke-Command does not make the user's rights inherited.

Sorry for my bad English and thanks in advance for any hint.
Posted by Boe Prox on 4/10/2014 at 7:01 PM
This really isn't the place for troubleshooting an issue (a forum such as TechNet PowerShell forum (https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverpowershell) would be better). That being said, what you are seeing is called a 'double hop' and is a well documented subject. You cannot connect to a remote session (or even a local endpoint as your example shows) and then attempt to connect to another remote system without some sort of delegation happening.

Using a PSJob (Start-Job) is different from using Invoke-Command, as that is connecting to a remoting endpoint.

You should either look at enabling CredSSP or set up a delegated remote endpoint to handle what you are trying to do. You can also find out more information about this here: http://blogs.technet.com/b/heyscriptingguy/archive/2013/04/04/enabling-multihop-remoting.aspx or http://blogs.technet.com/b/heyscriptingguy/archive/2014/04/03/use-delegated-administration-and-proxy-functions.aspx
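The two fixes named in the reply above, shown as an added example (this is not code from the original report or from Boe Prox). It assumes the hostnames from the report (management-server, tse-server), the domain\tsereader account, the PSTerminalServices module installed on management-server, and an endpoint name TSEReader chosen here as a placeholder. The first part only makes the double hop visible; the second registers a RunAs endpoint, which is the option that keeps the delegated credential on one host; the third is the CredSSP alternative with the caveat that matters when choosing between them.

```powershell
# Added example; not part of the original bug report or reply.
# Assumed names: management-server, tse-server, domain\tsereader, endpoint 'TSEReader'.

# --- 1. See the double hop ----------------------------------------------------
# A WinRM session, even one to the local endpoint, gives the caller a network
# logon. $env:USERNAME is correct, but there is no Kerberos TGT in that logon
# session, so the nested call to tse-server cannot authenticate and is denied.
$creds = Get-Credential -UserName 'domain\tsereader' -Message 'Account that reads TS sessions'

Invoke-Command -ComputerName $env:COMPUTERNAME -Credential $creds -ScriptBlock {
    "Running as $env:USERNAME"
    klist.exe tgt      # prints no TGT inside the remoting session
}

# --- 2. Preferred fix: a delegated (RunAs) endpoint ---------------------------
# Commands sent to this endpoint execute as domain\tsereader using a credential
# stored on management-server, so the onward hop to tse-server authenticates.
# RestrictedRemoteServer plus VisibleCmdlets exposes only the read cmdlet, so a
# caller gets session data, not an interactive shell as tsereader.
$configFile = Join-Path $env:TEMP 'TSEReader.pssc'
New-PSSessionConfigurationFile -Path $configFile `
    -SessionType RestrictedRemoteServer `
    -ModulesToImport PSTerminalServices `
    -VisibleCmdlets 'Get-TSSession'

# Run once, elevated, on management-server. -RunAsCredential is what removes the
# double hop; the credential never has to be typed by the callers.
Register-PSSessionConfiguration -Name 'TSEReader' -Path $configFile `
    -RunAsCredential $creds -Force

# Callers need only permission on the endpoint (grant it with
# Set-PSSessionConfiguration -Name TSEReader -ShowSecurityDescriptorUI).
Invoke-Command -ComputerName 'management-server' -ConfigurationName 'TSEReader' -ScriptBlock {
    Get-TSSession -ComputerName 'tse-server'
}

# --- 3. Alternative: CredSSP --------------------------------------------------
# CredSSP forwards the caller's full credential to management-server, which then
# reuses it for tse-server. It works, but that credential is now present on
# management-server and recoverable by anyone who administers it, so keep the
# -DelegateComputer list to the exact hosts that need it and prefer option 2.
# On the machine the script is launched from:
Enable-WSManCredSSP -Role Client -DelegateComputer 'management-server' -Force
# On management-server:
Enable-WSManCredSSP -Role Server -Force

Invoke-Command -ComputerName 'management-server' -Credential $creds -Authentication Credssp -ScriptBlock {
    Import-Module PSTerminalServices
    Get-TSSession -ComputerName 'tse-server'
}
```

Start-Job succeeds in the report because a background job with -Credential performs an interactive-type logon on the local machine, which does hold a TGT; the RunAs endpoint in part 2 reproduces that property on purpose while still exposing only Get-TSSession.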