
My client controls access to their database with ActiveDirectory. I would like to do the following:

```powershell
$cred = Get-Credential
Start-Job -Credential $cred { 
    #do some stuff with the db
}
```

This works fine for any local user, but when on the VPN and entering my ActiveDirectory credentials, this fails to authenticate.

I know that I can use runas to start processes as the ActiveDirectory user only if I provide the /netonly flag (it does not work otherwise). I thought the following might help:

```powershell
$cred = (Get-Credential).GetNetworkCredential()
```

but the resulting object is not convertible to PsCredential, which is what the -Credential parameter takes.

Related to this question on SO but it seems I might have been asking the wrong thing.

George Mauer
  • Can you try adding `-Authentication Negotiate` to Start-Job, right after `-Credential $cred` ? – Ryan Ries Mar 25 '13 at 15:35
  • @RyanRies `Start-Job : The specified authentication mechanism "Negotiate" is not supported. Only "Default" is supported for this operation.` – George Mauer Mar 25 '13 at 15:53
  • I think you need to be more explicit about what it is that you're trying to do within the job -- are you trying to do database calls using "integrated security" ? – Jaykul Mar 26 '13 at 17:42
  • @Jaykul yes the client's db uses integrated security. The reason for Start-Job is because I'm loading a .Net assembly into the AppDomain and calling utilities in it that connect to the database. Since there is no way to unload an assembly Start-Job allows me to do this without locking the file for the duration of the PS process. I was hoping that I understood what was going on beneath the covers and could use the -Credential flag on the job to also provide the correct integrated security credential. – George Mauer Mar 27 '13 at 01:57

1 Answer


If you're trying to do Integrated Security SQL queries, you might be able to do it with the impersonation module. I haven't tried SQL, but there's a post on how to use the PowerShell Impersonation Module for network share access on my blog, and I believe that it's the same network credentials you need for SQL server (e.g. the same as using runas with /netonly).

If you're just using the job because you thought it would let you change credentials for network access, then just get rid of that and use Push-ImpersonationContext instead. If you need the job for some other reason, then you have to call Push-ImpersonationContext inside the job, which means you have to get your credentials into the job (probably by serializing the password and passing it through as an encrypted secure string).

I can't test it right now (I don't have a domain or even a db server handy), so, uhm ... let me know if it doesn't work ;)

Jaykul
  • Actually, spoke too soon. This works outside of `Start-Job` but becomes problematic within it. The thing is that I'd have to call `Push-ImpersonationContext` from inside the job, and there is no `Read-Host` inside of there (to gather the password) – George Mauer Mar 29 '13 at 15:55
  • Yeah, you'll have to serialize the credentials to disk encrypted, and then decrypt them in the job (there is a version of "Get-Credential" on poshcode.org which does that), or pass it into the job as a parameter (I can't remember if that works, and I'm on a tablet right now). – Jaykul Mar 29 '13 at 22:12
  • It looks like the link to the blog post is broken :( – Saintali Oct 30 '15 at 17:35
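
An added example, not code from either poster, of the approach the answer and its comments describe: prompt for the credential in the interactive session, hand the password to the job as a DPAPI-protected string, and rebuild the credential inside the job before impersonating. The module name `Impersonation`, the call shapes of `Push-ImpersonationContext` and `Pop-ImpersonationContext`, and the server and database names are assumptions.

```powershell
# Prompt in the interactive session, where a credential prompt is available.
$cred = Get-Credential

# ConvertFrom-SecureString without -Key protects the password with DPAPI:
# only the same Windows user on the same machine can decrypt the result.
$protected = $cred.Password | ConvertFrom-SecureString

# No -Credential on Start-Job: the job runs as the current local user,
# which is what lets it decrypt the DPAPI-protected string.
$job = Start-Job -ArgumentList $cred.UserName, $protected -ScriptBlock {
    param([string]$UserName, [string]$Protected)

    # Rebuild the PSCredential inside the job. The clear-text password is
    # never written to the command line, a file, or the job's arguments.
    $secure  = $Protected | ConvertTo-SecureString
    $jobCred = New-Object System.Management.Automation.PSCredential -ArgumentList $UserName, $secure

    Import-Module Impersonation          # assumed module name
    Push-ImpersonationContext $jobCred   # assumed call shape
    try {
        # Placeholder server and database. With integrated security the
        # connection is expected to use the impersonated network identity,
        # as the answer suggests (same effect as runas /netonly).
        $connString = 'Server=db.example.invalid;Database=ExampleDb;Integrated Security=SSPI'
        $conn = New-Object System.Data.SqlClient.SqlConnection -ArgumentList $connString
        try {
            $conn.Open()
            $cmd = $conn.CreateCommand()
            $cmd.CommandText = 'SELECT SUSER_SNAME()'   # login the server saw
            $cmd.ExecuteScalar()
        }
        finally {
            $conn.Dispose()
        }
    }
    finally {
        Pop-ImpersonationContext         # always drop the impersonated identity
    }
}

$job | Wait-Job | Receive-Job
Remove-Job $job
```

Because the protected string is bound to the current user and machine, it is useless if copied elsewhere, but it also will not decrypt if the job is started under a different account.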