views: 1433
answers: 4

Hello

First of all, sorry for my poor English. I will try to explain my problem.

I am using psexec within a script to restart a cluster as follows:

script1 on node1: performs a lot of tasks (shutdown services, check status, etc.) on node1 and, after completing all tasks, launches script2 on node2 with psexec (psexec -d \\node2 script2).

script2 on node2: performs a lot of tasks and launches script3 on node1. This is where I receive an "access denied" from psexec when I try to run script3 on node1 (psexec -d \\node1 script3).

I launch the script with a user that belongs to the Administrators group.

For security reasons I cannot pass the username and password, because it is not safe to leave the credentials in a .bat file.

Additional info:

I'm running the script on a W2k3 server.
I tried a net use and it's all OK.
I tried psexec with -u username and -p username and it's all OK.
I tried to execute psexec with this syntax: psexec.exe -d \\node1 cmd.exe "script3.bat" and it returns the same error.

Thanks a lot. Best regards

A: 

It may be related to an issue that one gets from too many linked-server hops using integrated authentication: a double-hop Kerberos problem.

Since Integrated Windows Authentication covers two separate authentication mechanisms:

  • NTLM v2 -and-
  • Kerberos,

if you are using Kerberos, since the user's password is never passed to the IIS server, the only way the token on the IIS server is going to hop to another machine on the network is via Kerberos Delegation. If that isn't available or allowed, then the hop won't happen (which is what it sounds like is happening).

Given that you are using default credentials, and if the current security context is an impersonation token that cannot delegate, then the credentials you supply will not hop to the other machine. Since Windows integrated authentication creates an impersonation token, this is very likely to be the case.

Sources:

VonC
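The following batch file is an added example, not part of VonC's answer or of psexec itself. It is a preflight check meant to run on node2 as the first step of script2, and it makes the double-hop condition visible: a local operation succeeds, while any access to node1 fails with "access denied" because the impersonation token created by psexec (started without -u/-p) carries no credentials to present to another machine. The share name \\node1\admin$ is an assumption for illustration; any path on node1 that the user is normally allowed to read works the same way.

```batch
@echo off
REM Added example (not from the original answer): preflight check for the
REM double-hop condition. Run it on node2 at the start of script2, which the
REM question says is started by psexec without -u/-p. Under those conditions
REM the process runs with an impersonation token that is valid on node2 but
REM cannot authenticate to any other host. "node1" and admin$ are assumed.

setlocal
set TARGET=\\node1\admin$

echo Running as %USERDOMAIN%\%USERNAME% on %COMPUTERNAME%

REM A purely local operation succeeds: the token is valid on this machine.
dir %SystemRoot% >nul 2>&1 && echo Local access: OK

REM A network operation is what fails under the double hop: the same user
REM gets "Access is denied" on node1 even though it is an Administrator,
REM because the token on node2 has no credentials to hop with.
dir %TARGET% >nul 2>&1
if errorlevel 1 (
    echo Network access to %TARGET%: DENIED
    echo This session holds an impersonation token that cannot hop to node1.
    echo Running psexec against node1 from here would fail the same way,
    echo so stop and let node1 drive the next step itself.
    endlocal & exit /b 2
)

echo Network access to %TARGET%: OK - this token can reach node1
endlocal & exit /b 0
```

If the check reports DENIED, the fix is not to put a password in the .bat file but to restructure so that no process on node2 has to authenticate back to node1; running the check with psexec -u/-p (explicit credentials, which psexec uses for a real logon on node2) will report OK, which is exactly the difference the question observed.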
A: 

Thank you, we are stuck right now on this problem as we don't want to hardcode the credentials in the script, so we are thinking about making a synchronous batch or something like that.

Does anyone have any idea?

Please delete this answer and complete/edit your question, and/or leave a comment on my answer (that way, I am notified). Furthermore, could you not execute script3 from script1 (both on node1), and not from script2 on node2?
VonC
A: 

Can you make the call to script2 wait for completion, rather than have script2 call back to node1?

script1 on node1: performs a lot of tasks (shutdown services, check status, etc.) on node1 and, after completing all tasks, launches script2 on node2 with psexec (psexec \\node2 script2).

script2 on node2: performs a lot of tasks.

script1 on node1: launches script3.

Patrick Cuff
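Here is an added example of script1 rewritten along the lines Patrick Cuff suggests; it is not code from the answer or from the psexec documentation. It assumes psexec.exe is on the PATH of node1, that script2.bat already exists on node2 under C:\scripts (psexec does not copy it), that script2.bat ends with a meaningful exit code, and that script3.bat lives on node1. The essential change is dropping -d: psexec then blocks until the remote process ends and returns its exit code, so node1 keeps the only credential-bearing session and no second hop is ever needed.

```batch
@echo off
REM Added example (not from the original answer): script1 for node1,
REM restructured so that node1 stays in control of the whole sequence.
REM Assumed paths: C:\scripts\script2.bat on node2, C:\scripts\script3.bat
REM on node1. Assumed remote host name: node2.

setlocal
set REMOTE=node2

REM ... node1 tasks (stop services, check status, etc.) go here ...

REM Run script2 on node2 WITHOUT -d, so psexec waits for it to finish and
REM hands back script2's exit code. This first hop works without -u/-p
REM because script1 runs under the interactive logon on node1, whose token
REM holds credentials. -w sets the working directory on the remote node.
psexec \\%REMOTE% -w C:\scripts cmd /c C:\scripts\script2.bat
set RC=%ERRORLEVEL%
if not "%RC%"=="0" (
    echo script2 on %REMOTE% failed with exit code %RC%; aborting restart.
    endlocal & exit /b %RC%
)

REM script3 is launched locally by script1, not by script2 from node2,
REM so nothing on node2 ever has to authenticate back to node1.
call C:\scripts\script3.bat
set RC=%ERRORLEVEL%
endlocal & exit /b %RC%
```

The exit-code check matters for a cluster restart: if script2 leaves node2 half configured, script1 stops before touching node1 again instead of proceeding blindly, which is the one piece of behaviour the original fire-and-forget (-d) design could not provide.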
A: 

Finally, I have decided to use a watchdog process in the second script, so the script will be launched by this process instead of being launched by psexec.

Thanks a lot for your help and the time you devoted to helping me.

Best regards