Tuesday, 13 October 2015

PowerShell remote connection between two domains with CredSSP

After searching Google for how to connect between two different domains on the company network, I decided to gather all the information in one place.
This post describes how to connect from a computer in one domain and execute a script on a computer in another domain.
Windows WinRM will be used. It opens a session to the remote computer and makes remote calls over it. Over a long run the session must be checked to see whether it is still alive and, if it is not, reconnected.
WinRM is a SOAP-based (Simple Object Access Protocol) web service; more information is available here.

 

Domains

Two domains:
 - company.com (JMeter clients)
 - perfdom.com (performance environment: app and DB servers)

company.com is the primary domain, where the JMeter clients that run the tests are located.
perfdom.com is the performance domain, where the performance environment lives.
perfcl001 in the company.com domain will execute a PowerShell script on the perfcoreapp server in the perfdom.com domain.


PowerShell or PowerShell ISE must be opened as administrator. PowerShell ISE is used for editing and execution.

 

PowerShell remote connection on perfdom.com

Create domain administrator user

In the perfdom.com domain create an administrator user 'perf'. Add this user as an administrator on all machines in the perfdom.com domain. This user will be used for the connection from the primary domain to the remote internal domain.

Configure PowerShell

Enable PowerShell remoting:
Enable-PSRemoting -Force

Add the calling computer to the WinRM trusted hosts list:
Set-Item wsman:\localhost\Client\TrustedHosts "perfcl001"

Set the execution policy to Bypass (click 'Yes' to confirm):
Set-ExecutionPolicy Bypass



Enable the remote computer to accept CredSSP (Credential Security Support Provider) authentication (click 'Yes' to confirm):
Enable-WSManCredSSP -Role Server

With the next command, grant the 'perf' admin user permission to execute PowerShell scripts (a security descriptor dialog opens; add the user there):
Set-PSSessionConfiguration -Name Microsoft.PowerShell -ShowSecurityDescriptorUI




Finally, restart the WinRM service:
Restart-Service WinRM

Check the trusted hosts:
Get-Item -Path WSMan:\localhost\Client\TrustedHosts

The returned value will be perfcl001.

The remote computer's PowerShell and WinRM configuration is now complete; it accepts scripts from other computers that authenticate with CredSSP.

 

Company domain

The 'perf' user is now configured to execute PowerShell scripts in the performance domain. On the local computer, enable PS remoting:
Enable-PSRemoting -Force

Set the execution policy for PowerShell scripts:
Set-ExecutionPolicy Bypass


Set trusted hosts (the wildcard accepts any remote host; for a single target you can list perfcoreapp instead):
Set-Item wsman:\localhost\Client\TrustedHosts -Value *

Enable CredSSP on the client and allow credential delegation to perfcoreapp:
Enable-WSManCredSSP -Role Client -DelegateComputer PERFcoreapp


Run gpedit.msc from a command prompt and navigate to Computer Configuration -> Administrative Templates -> System -> Credential Delegation.
Open the "Allow Delegating Fresh Credentials with NTLM-only Server Authentication" setting. Enable the setting and then click the "Show..." button to add the server to the list (entries use the form WSMAN/hostname, here WSMAN/PERFcoreapp). I added mine like so:



First run, to test the connection:

$name = "performance"
$pass = "#####"   # placeholder; prefer Get-Credential so the password is not stored in the script
$securePassword = ConvertTo-SecureString $pass -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential("perfdom\$name", $securePassword)
# CredSSP delegates the credential to perfcoreapp so it can reach other perfdom resources
$check = New-PSSession -ComputerName "perfcoreapp" -Credential $credential -Authentication Credssp
# -AsJob returns a job object; without it $job would hold the command output itself
$job = Invoke-Command -Session $check -ScriptBlock { Get-Process | Select-Object -First 10 } -AsJob
$j = Get-Job

$j | Format-List -Property *

# wait for the job to finish before collecting its output
Wait-Job -Job $job *>&1
$results = $j | Receive-Job

  

Run script

$name = "performance"
$pass = "#####"   # placeholder, see above
$securePassword = ConvertTo-SecureString $pass -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential("perfdom\$name", $securePassword)

$check = New-PSSession -ComputerName "perfcoreapp" -Credential $credential -Authentication Credssp
# the call operator (&) runs the script; a bare string in the script block would only return the path
$job = Invoke-Command -Session $check -ScriptBlock { & "\\perfdoomaincontroler.domain.com\SHARE\ps-scripts\Prepare.ps1" } -AsJob

or

# same, without a reusable session; CredSSP is still required so perfcoreapp can read the share
$job = Invoke-Command -ComputerName "perfcoreapp" -ScriptBlock { & "\\perfdoomaincontroler.domain.com\SHARE\ps-scripts\Prepare.ps1" } -Credential $credential -Authentication Credssp -AsJob

$j = Get-Job

$j | Format-List -Property *

Wait-Job -Job $job *>&1
$results = $j | Receive-Job
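The introduction notes that a session used across a long run must be checked and re-created when it dies. The following is an added example (not code from the original post) that wraps that check: it validates the session's State and Availability before each call, reconnects with CredSSP when needed, and runs Prepare.ps1 from the share through the session. The host, account and share path are the post's values; the function names Get-LiveSession and Invoke-PerfScript are assumptions.

```powershell
# Added example: keep a CredSSP session usable across a long test run.
param(
    [string]$ComputerName = 'perfcoreapp',
    [string]$ScriptPath   = '\\perfdoomaincontroler.domain.com\SHARE\ps-scripts\Prepare.ps1'
)

# Prompt for the perfdom\performance password instead of storing it in the script file.
$credential = Get-Credential -UserName 'perfdom\performance' -Message 'perfdom account'

function Get-LiveSession {
    param([System.Management.Automation.Runspaces.PSSession]$Session)

    # A session can be reused only when it is Opened and not Busy or Broken.
    if ($Session -and $Session.State -eq 'Opened' -and $Session.Availability -eq 'Available') {
        return $Session
    }
    if ($Session) {
        Write-Verbose "Session $($Session.Id) is $($Session.State); reconnecting"
        Remove-PSSession -Session $Session -ErrorAction SilentlyContinue
    }
    # CredSSP is needed so perfcoreapp can open the share (second hop) with our credential.
    return New-PSSession -ComputerName $ComputerName -Credential $credential -Authentication Credssp
}

function Invoke-PerfScript {
    param([System.Management.Automation.Runspaces.PSSession]$Session, [string]$Path)

    $Session = Get-LiveSession -Session $Session
    $job = Invoke-Command -Session $Session -AsJob -ArgumentList $Path -ScriptBlock {
        param($p)
        & $p    # the call operator runs the script; a bare string would only echo the path
    }
    $null   = Wait-Job -Job $job
    $output = Receive-Job -Job $job
    Remove-Job -Job $job
    # Hand the (possibly re-created) session back so the caller reuses it next round.
    return [pscustomobject]@{ Session = $Session; Output = $output }
}

$session = $null
foreach ($round in 1..3) {
    $result  = Invoke-PerfScript -Session $session -Path $ScriptPath
    $session = $result.Session
    $result.Output
    Start-Sleep -Seconds 600    # long idle gap in which WinRM may drop the session
}
Remove-PSSession -Session $session
```

Run it with -Verbose to see when a dead session is replaced.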

 

Conclusion

PowerShell remoting is used in automation for tasks such as:
  • cleaning application logs,
  • cleaning IIS logs,
  • restarting IIS,
  • starting/stopping performance counters on the performance machines,
  • copying logs to one location,
  • etc.