c# - Problem with credential chaining sequence in Windows and .NET -
problem summary
when run in batch mode, user identity lost (like cliffhanger) not until last moment.
problem details
i have powershell script running on winxpsp3 runs script block (via invoke-command) on remote machine particular test user (via -session parameter) in background (via -asjob parameter). session created this:
new-pssession -computername $myserver -credential $mycredential
the script block performs number of actions, culminating in running nunit test framework. c# code under test records "mytestuser" username (via environment.username
) credentials provided powershell received far. further confirmed process explorer: examining properties of nunit-console running batch tests shows owned mytestuser.
the test includes accessing sql server 2008 r2 database; connection string set via new sqlconnection(connectionstring)
call. connection string set windows authentication , uses form:
data source=<my_db_server_name>;initial catalog=<my_db_name>;integrated security=true;persist security info=true
even though have conclusively pushed mytestuser credentials way c# code under test, db access attempt not seeing these credentials, resulting in error: login failed user 'nt authority\anonymous logon'
some supplemental info:
- i have confirmed test user (mytestuser) has db permissions , nunit test capable of accessing db: when run nunit test manually (via nunit gui) logged in mytestuser, test works , sqlprofiler shows activity mytestuser appearing in ntusername column.
- the same error occurs if run locally rather on remote machine.
- the same error occurs if run myself on local machine (i.e. omitting -credential parameter).
question
how can rescue mytestuser brink of doom , him db access?
2011.05.16 update
here simplified example exhibiting same problem.
first, test program dbfetchversion prints name of current user , results of simple query:
class program { const string connstring = ...your connection string here... ; const string query = "select getdate() [date], substring(@@version,1,charindex('-',@@version)-1) +convert(varchar(100),serverproperty('edition'))+ ' ' +convert(varchar(100),serverproperty('productlevel')) [sql server version], @@servicename [service name], @@servername [server host], db_name() [database], user_name() [user], host_name() [client]"; static void main(string[] args) { dataview dataview; using (var connection = new sqlconnection(connstring)) { console.writeline("user = " + environment.username); using (var dataadapter = new sqldataadapter(query, connection)) { var dataset = new dataset(); try { connection.open(); dataadapter.selectcommand.commandtype = commandtype.text; dataadapter.fill(dataset, query); } { if (connection.state == connectionstate.open) connection.close(); } dataview = dataset.tables[0].defaultview; } foreach (var item in dataview.table.rows[0].itemarray) console.writeline(item); } } }
and here powershell script calls above program.
$scriptblock = { & "...path executable...\dbfetchversion\bin\debug\dbfetchversion.exe" } $servername = ... server name ... $username = "testuser" $password = ... user password ... $adjpwd = $password | convertto-securestring -asplaintext -force $testcred = (new-object system.management.automation.pscredential($username,$adjpwd)) $mysession = new-pssession -computername $servername -credential $testcred # test scenarios: invoke-command $scriptblock #invoke-command $scriptblock -computername $servername #invoke-command $scriptblock -computername $servername -credential $testcred #invoke-command $scriptblock -session $mysession
in list of 4 test scenarios @ end, uncommented 1 works, printing user name , results of query. dbfetchversion still reports user second line, db connection fails " login failed user 'nt authority\anonymous logon' " error. remaining 2 lines report "testuser" user name, both report same login failure db connection.
what isolated example tells me not think there buggy powershell, .net, or code, there authentication mechanism not yet understand, since specifying computer or session both involve path should, in sense, have stronger protection.
2011.08.03 update - eureka!
well, matt correct in identifying double-hop issue culprit , credssp authentication solution. unfortunately, found out, credssp requires windows 7, went setting couple vms sandbox. credssp, however, not 1 relinquish secrets (at least me) detailed in post on serverfault: cannot credssp authentication work in powershell
i able credssp authentication work come problem posed here in thread. test, used these 3 script blocks plugged powershell script provided above:
$scriptblocka = { write-host ("hello, world: {0}, {1}" -f $env:username, (hostname)) } # simple db test, requires sqlserver installed! $scriptblockb = { if (! (get-pssnapin | ? { $_.name -eq "sqlservercmdletsnapin100" } ) ) { add-pssnapin sqlservercmdletsnapin100; } invoke-sqlcmd -query "select getdate() [now]" -serverinstance cindevdb5 } # indirect db test; requires .net not sqlserver, # plus dbfetchversion in home dir targeted user. $scriptblockc = { & ".\dbfetchversion.exe" }
block worked or without credssp, since there no double-hop. blocks b , c work credssp because both attempt access remote database. qed.
initially read , thought of "double hop" issue, supplemental info maybe me question though.
when run locally (as or testuser) commands use? this:
& "...path executable...\dbfetchversion\bin\debug\dbfetchversion.exe"
also work local machine (as either or user):
add-pssnapin sqlservercmdletsnapin100; invoke-sqlcmd -query "select getdate()" -serverinstance server
also os using? if windows 2008 , issue double hop may able credssp avoid it.
Comments
Post a Comment