使用偏远的Powershell查询处理双HOP问题,并使用明文凭据存储
服务器A使用SSIS执行过程步骤来运行PowerShell命令在服务器B上调用Python脚本。然后,Python脚本将通过Windows凭据连接到服务器上的SQL Server。
Invoke-Command -ComputerName ServerB -FilePath '\\ServerB\MyPythonScript.py'
这失败了,因为双跳问题的经典案例。 Windows凭据传递到远程PS会话,但没有传递到SQL连接。
在阅读了有关Double Hop的许多其他答案之后,我尝试使用明文直接使用新的凭据来启动Python脚本。我知道这不是最安全的方法,而是我将其作为概念证明 - 只有在经过证明之后才能查看更安全的方法。
Invoke-Command -ComputerName ServerB -FilePath '\\ServerB\MyPowerShellWrapper.ps1'
mypowershellwrapper.ps1
$Username = 'BLAH'
$Password = ConvertTo-SecureString -String 'FOO' -AsPlainText -Force
[pscredential]$cred = New-Object System.Management.Automation.PSCredential ($userName, $Password)
Start-Job -Name PythonJob -Scriptblock {python.exe 'C:\MyPythonScript.py'} -Credential $cred
Wait-Job -Name Pythonjob
这种方法仍然无法正常工作。作业失败,PowerShell返回以下错误消息:启动背景过程时发生了错误。报告的错误:访问被拒绝。
我在这里缺少什么?
Server A is using SSIS Execute Process step to run a Powershell command calling a Python script on a Server B. The Python script then connects to SQL Server on Server A via windows credentials.
Invoke-Command -ComputerName ServerB -FilePath '\\ServerB\MyPythonScript.py'
This failed, because a classic case of the double hop problem. The Windows credential gets passed to the remote PS session, but not onto the SQL Connection.
After reading many of the other answers about double hop, I've tried to directly start the Python Script with a new set of credentials, using plaintext. I'm aware this is not the most secure method but I'm building this as a proof of concept - only after it's proven can then look at more secure approaches.
Invoke-Command -ComputerName ServerB -FilePath '\\ServerB\MyPowerShellWrapper.ps1'
MyPowerShellWrapper.ps1
$Username = 'BLAH'
$Password = ConvertTo-SecureString -String 'FOO' -AsPlainText -Force
[pscredential]$cred = New-Object System.Management.Automation.PSCredential ($userName, $Password)
Start-Job -Name PythonJob -Scriptblock {python.exe 'C:\MyPythonScript.py'} -Credential $cred
Wait-Job -Name Pythonjob
This approach is still not working. The job fails, and PowerShell returns the following error message: An error occurred while starting the background process. Error reported: Access is denied.
What am I missing here?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
从错误消息中,似乎您无法
访问路径。回到双跳问题,为了避免这种情况,我已经在远程计算机中开始使用以下代码进行新的PowerShell执行。
$ credpassword ='我在哪里传递密码从键logger'From the Error Message it seems like you don't the
Access to the path.Coming back to Double Hop Problem, To Avoid this I have started new PowerShell Execution in the remote Machine with below code.
$credpassword = ' Where I am passing password with from key logger'经过一些摆弄后,我解决了它。
我无法仅通过传递凭据来实现它,尽管这仍然可能是可能的 - 也许我没有正确调整这个想法(我从Microsoft 在这里)
我最终使用了描述的方法在这里相反,这是另一个Microsoft建议的方法(使用Runas使用runas的PsSessionConfiguration)
我在服务器B上设置了一个PowerShell会话,称为“ SQLPASSTHRHTHROUGH”,然后在执行过程任务任务任务任务中创建了一个无模式的单行字符串打电话给它。尽管它是如此混乱,但它不使用包装脚本。
After some fiddling around, I have solved it.
I couldn't get it working just by passing credentials along, though that still might be possible - maybe I didn't adapt the idea correctly (which I took from Microsoft here)
I ended up using the method described here instead which is another Microsoft suggested method (PSSessionConfiguration using RunAs)
I setup a Powershell session on Server B called "SQLPassthrough" and then created an ungodly single line string in the execute process task to call it. It doesn't use a wrapper script though it's so messy perhaps it should.