Batch script runs fine, but fails when executed through PowerShell Remoting

I have the following batch script on a Windows 2008 R2 server:

@echo off
djoin.exe /provision /domain my.domain.com /machine test /savefile savefile.txt
echo %ERRORLEVEL%

If I run the script on the server itself, either through command prompt or PowerShell, it works perfectly fine and returns "0".

The problem is that I need to execute it from a remote computer, so I do the following (an example just for testing):

Invoke-Command -ComputerName remotehost -ScriptBlock {.\script.cmd}

The output is "-1073740940", which is probably error code C0000374, which could have something to do with heap corruption.

This seems to be a problem with the djoin command itself. I can comment out djoin and run other binaries, like ping, with no issues using the same Invoke-Command.

Keeping in mind that the script works perfectly fine when executed from PowerShell on the target computer, what issues could the act of remoting be introducing?

In both cases, the script is executed with the same privileges using my account, which is a member of Domain Admins. I doubt that it's a permissions issue and have no idea where else to look.

[edit]

Gave up on the whole thing. This is either a bug in djoin or some obscure problem in the interaction between djoin and PS remoting.

I managed to run djoin directly on the client, using 'runas /netonly ...' to provide domain credentials. It's a very messy solution (and I have yet to figure out how to get the exit status of a process started by runas), but gets the job done.

Answer1:

This is almost certainly a classic "double-hop" authentication issue. Remember that when you use PowerShell Remoting you're using up one of those hops. Anything you execute on that remote machine that accesses a third remote machine is unlikely to work if it requires authentication.

To get around that, you can use an authentication method which allows you to Delegate Credentials, such as CredSSP. It's a bit more involved than simply changing your authentication type as you have to make changes on the client side and the server side of the transaction. Refer to this blog post on MSDN, "PowerShell Remoting and the “Double-Hop” Problem", and this "Hey, Scripting Guy!" post, "Enable PowerShell "Second-Hop" Functionality with CredSSP".
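
The client-side and server-side changes mentioned in the answer, as an added example that is not part of the original answer and is not confirmed on this page to fix the djoin failure. It assumes the host name `remotehost` and the relative path `.\script.cmd` from the question, an elevated prompt on the client, and that CredSSP should stay enabled only for the duration of the call, because CredSSP hands the account's credentials to the remote host.

```powershell
# Added example. 'remotehost' and .\script.cmd come from the question.
$target = 'remotehost'      # must match the name passed to -ComputerName
$cred   = Get-Credential    # domain account djoin should authenticate as

# 1. Client side (elevated): permit delegating fresh credentials,
#    scoped to the single target host rather than a wildcard.
Enable-WSManCredSSP -Role Client -DelegateComputer $target -Force

# 2. Server side: let WinRM on the target accept CredSSP.
#    This call still uses the default (Kerberos) authentication.
Invoke-Command -ComputerName $target -ScriptBlock {
    Enable-WSManCredSSP -Role Server -Force
}

try {
    # 3. Run the batch script over a CredSSP session. The credentials are
    #    delegated to the target, so djoin can authenticate onward to a
    #    domain controller (the second hop).
    Invoke-Command -ComputerName $target `
                   -Authentication Credssp `
                   -Credential $cred `
                   -ScriptBlock { .\script.cmd }
}
finally {
    # 4. Roll both sides back so delegation is not left enabled.
    Invoke-Command -ComputerName $target -ScriptBlock {
        Disable-WSManCredSSP -Role Server
    }
    Disable-WSManCredSSP -Role Client
}

# 5. Confirm the client no longer allows credential delegation.
Get-WSManCredSSP
```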
