0
votes

This one has been confusing me for the last couple of days. Unable to pass param to ConvertTo-SecureString, only script defined variable.

When I run a script I pass a number of params. One of the tasks it needs to do is connect to a remote machine via PSSession, i.e.

./myscript.ps1 -VMPass "12345@!" -VMuser abc

In my script I have the following which will be passed to New-PSSession:

[CmdletBinding()] 
Param(
    $VMuser,
    $VMPass
)

$PWord = ConvertTo-SecureString -AsPlainText -String "$VMPass" -Force
$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $VMuser, $PWord
$NewVMSession = (New-PSSession -ComputerName $NewVMAddress -Credential $cred -ErrorAction Stop)

When I run this I get the following error:

New-PSSession : [WIN-V2BK0KCPC7H] Connecting to remote server WIN-V2BK0KCPC7H
failed with the following error message : Access is denied. For more information,
see the about_Remote_Troubleshooting Help topic.
At C:\Users\ChildsC\Documents\Git\BAIC\Controller.ps1:85 char:26
+ ... MSession = (New-PSSession -ComputerName $NewVMAddress -Credential $vm ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotingTransportException
    + FullyQualifiedErrorId : AccessDenied,PSSessionOpenFailed

However, if I were to explicitly define $VMPass = "12345@!" in the script OR if I were to call Get-Credential it works fine.

So there is a small issue in the way the param is being passed.

2
Why are you passing the password to the function as plain-text? You can avoid the whole problem by passing a PSCredential object instead. – Bill_Stewart
Hello, sorry for the late response. I am creating a PSCredential using the inputs. Is there a better way to do this, bearing in mind that this script will be run from GitLab and that has the ability to hold secure credentials which would be decrypted and passed? – Explicitsoul

2 Answers

0
votes

To be sure the authentication attempt is valid, remember to format your domain credential username as DomainName\UserName. You may also need to provide an appropriate -Authentication parameter value to your New-PSSession cmdlet.

There are a number of authentication options available, and you can read more about them & WinRM authentication in general over at MSDN - https://msdn.microsoft.com/en-us/library/aa384295(v=vs.85).aspx

There's no immediate reason to believe the syntax for your script is at fault; however, if the above doesn't help, perhaps we can look at that.
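One way to combine the comment's suggestion of a PSCredential with this answer's advice on user-name format and -Authentication, as an added example that is not part of the original thread: the script accepts a credential object, or builds one from an environment variable instead of a command-line argument. The variable name VM_PASS, the parameter names and the choice of Negotiate are assumptions.

```powershell
# Added example; VM_PASS and the parameter names are assumptions.
[CmdletBinding()]
Param(
    [Parameter(Mandatory)] [string] $ComputerName,
    [string] $VMUser,
    [pscredential] $Credential,          # preferred: pass a ready-made credential
    [string] $SecretVariable = 'VM_PASS' # hypothetical masked CI/CD variable name
)

function Get-SessionCredential {
    param([string] $UserName, [pscredential] $Credential, [string] $SecretVariable)

    if ($Credential) { return $Credential }

    # Read the secret from the environment rather than from a command-line
    # argument, so no intermediate shell re-parses characters such as @ or !.
    $plain = [Environment]::GetEnvironmentVariable($SecretVariable)
    if ([string]::IsNullOrEmpty($plain)) {
        throw "No -Credential supplied and environment variable '$SecretVariable' is empty."
    }
    if ([string]::IsNullOrWhiteSpace($UserName)) {
        throw 'A user name is required when building the credential from a variable.'
    }
    # The answer above asks for a qualified name (DomainName\UserName).
    if ($UserName -notmatch '[\\@]') {
        Write-Warning "User name '$UserName' has no domain or machine qualifier."
    }
    # Length only, never the value: enough to spot a truncated or mangled secret.
    Write-Verbose "Secret read from '$SecretVariable' has $($plain.Length) characters."

    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
    New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $UserName, $secure
}

$cred = Get-SessionCredential -UserName $VMUser -Credential $Credential -SecretVariable $SecretVariable

# -Authentication is stated explicitly, as the answer suggests; Negotiate is one
# of the documented values and is an assumption about this environment.
$session = New-PSSession -ComputerName $ComputerName -Credential $cred `
    -Authentication Negotiate -ErrorAction Stop
$session
```

Running the script with -Verbose shows the length of the secret it received, which can be compared with the expected length without printing the password itself.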

0
votes

Sorry for the late response.

Later when I tried to explicitly call with the password in the script rather than passing it via a variable I was facing issues of intermittent connection.

If I were to connect to a machine already on our domain with the same script above then it works fine. This issue seems to be only when a machine is not connected to the domain.

I had thought about setting up an OS Template but I cannot use templates to set up the VM to the domain because we have too many OUs.

My workaround is to disable the firewall. I have scripts that connect the VM to the domain and once added I can then re-enable the firewall.

I am not particularly satisfied with this but it is the only thing that works for now and is consistent. I did try opening some specific ports as detailed here: https://blogs.technet.microsoft.com/christwe/2012/06/20/what-port-does-powershell-remoting-use/

But again I was not getting consistent results. But as I know that the firewall is an issue I can go back to it later to determine which ports I should open. I am open to ideas about how to do this if anyone has anything :).

I will mark this as answered.

Thanks for your time.