
Base 1.3.0. (CloudSlang) - powershell_script - domain user

Hello guys,
I have a problem with PowerShell execution when I use a domain user on Windows Server 2016. I have created a local administrator which can run the same script.
While I am running it with a domain user I get an error:

java.lang.RuntimeException: Unauthorized! Service responded with 401 status code!
	at io.cloudslang.content.services.WSManRemoteShellService.executeRequest(WSManRemoteShellService.java:171)
	at io.cloudslang.content.services.WSManRemoteShellService.createShell(WSManRemoteShellService.java:197)
	at io.cloudslang.content.services.WSManRemoteShellService.runCommand(WSManRemoteShellService.java:112)
	at io.cloudslang.content.actions.PowerShellScriptAction.execute(PowerShellScriptAction.java:167)
	at sun.reflect.GeneratedMethodAccessor1428.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at io.cloudslang.runtime.impl.java.JavaExecutor.execute(JavaExecutor.java:114)
	at io.cloudslang.runtime.impl.java.JavaExecutionCachedEngine.execute(JavaExecutionCachedEngine.java:43)
	at io.cloudslang.runtime.impl.java.JavaRuntimeServiceImpl.execute(JavaRuntimeServiceImpl.java:32)
	at io.cloudslang.lang.runtime.steps.ActionExecutionData.runJavaAction(ActionExecutionData.java:189)
	at io.cloudslang.lang.runtime.steps.ActionExecutionData.doAction(ActionExecutionData.java:107)
	at sun.reflect.GeneratedMethodAccessor1164.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at io.cloudslang.worker.execution.reflection.ReflectionAdapterImpl.executeControlAction(ReflectionAdapterImpl.java:92)
	at io.cloudslang.worker.execution.services.ExecutionServiceImpl.executeStep(ExecutionServiceImpl.java:572)
	at io.cloudslang.worker.execution.services.ExecutionServiceImpl.execute(ExecutionServiceImpl.java:170)
	at io.cloudslang.worker.management.services.SimpleExecutionRunnable.executeRegularStep(SimpleExecutionRunnable.java:161)
	at io.cloudslang.worker.management.services.SimpleExecutionRunnable.run(SimpleExecutionRunnable.java:120)
	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at io.cloudslang.worker.management.services.WorkerThreadFactory$1.run(WorkerThreadFactory.java:39)
	at java.lang.Thread.run(Thread.java:748)

I have used 'basic' or 'ntlm' method for authentication but I don't know if I need to set up something else to work correctly.

Best regards,
Dino


Re: Base 1.3.0. (CloudSlang) - powershell_script - domain user

Hello Dino,

 

Please check the user running the Central service has the proper permissions to run the script. 

 

Regards! 

Carlos Rojas
Customer Support Engineer


Re: Base 1.3.0. (CloudSlang) - powershell_script - domain user

Hello @Carlos_Rojas_OO, I don't think it is about that because, as I wrote in my comment, when I use the local administrator account I can run the script; when I use DOMAIN\USER I can't run it.
I asked for help with what I need to configure to enable running PS with a domain account which is a member of the local administrators group.
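
A read-only set of checks for the 401 described in the question, as an added example that is not part of the original posts and not CloudSlang code. It is meant to be run from an elevated PowerShell prompt on the target server; the account name `CONTOSO\svc-oo` is a placeholder, and step 5 assumes logon-failure auditing is enabled.

```powershell
# Added example: read-only WinRM checks on the target server (elevated prompt).
# 'CONTOSO\svc-oo' is a placeholder account, not a value from this thread.
$account = 'CONTOSO\svc-oo'

# 1. Authentication schemes the WinRM service accepts. WinRM Basic authentication
#    validates local accounts only; a domain account needs Negotiate or Kerberos.
Get-ChildItem WSMan:\localhost\Service\Auth | Select-Object Name, Value

# 2. Listener transport (HTTP/HTTPS) and whether unencrypted traffic is allowed.
Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate |
  Select-Object Transport, Port, Address, Enabled
(Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value

# 3. Direct members of the local Administrators group. A domain user who is a
#    member only through a nested domain group is not listed by name here.
Get-LocalGroupMember -Group 'Administrators' |
  Select-Object Name, ObjectClass, PrincipalSource

# 4. Authenticated WS-Man identify request with the same account over Negotiate.
#    Success here means the account and scheme are accepted by the service.
$cred = Get-Credential $account
Test-WSMan -ComputerName $env:COMPUTERNAME -Authentication Negotiate -Credential $cred

# 5. Failed logons (event 4625) from the last 15 minutes, read by field name so
#    the rejected account, logon type and status codes can be compared.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = (Get-Date).AddMinutes(-15)
} -ErrorAction SilentlyContinue | ForEach-Object {
    $evt  = $_
    $data = @{}
    ([xml]$evt.ToXml()).Event.EventData.Data |
      ForEach-Object { $data[$_.Name] = $_.'#text' }
    [pscustomobject]@{
        Time      = $evt.TimeCreated
        User      = '{0}\{1}' -f $data.TargetDomainName, $data.TargetUserName
        LogonType = $data.LogonType
        Status    = $data.Status
        SubStatus = $data.SubStatus
        Package   = $data.AuthenticationPackageName
    }
}
```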

Re: Base 1.3.0. (CloudSlang) - powershell_script - domain user

I use the following to achieve the level of impersonation I need in my clients' environments.

PowerShell script input:

Ensure this input is placed after the username/password fields - it will mask the script field during execution.

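# Split DOMAIN\user into its two parts (single quotes: one literal backslash).
$userDomain = $username.Split('\')[0]
$userAccount = $username.Split('\')[1]
$passwordAccount = $password

# Add-Type requires -Name together with -MemberDefinition; 'NativeMethods' is an arbitrary type name.
$ImpersonationLib = Add-Type -IgnoreWarnings -Namespace 'Lib.Impersonation' -Name 'NativeMethods' -MemberDefinition @"
[DllImport("advapi32.dll", SetLastError=true)]
public static extern bool LogonUser(string pszUsername, string lpszDomain, string lpszPassword, int dwlogonType, int dwLogonProvider, ref IntPtr phToken);

[DllImport("advapi32.dll", SetLastError=true)]
public static extern bool DuplicateToken(IntPtr token, int impersonationLevel, ref IntPtr duplication);

[DllImport("kernel32.dll")]
public static extern Boolean CloseHandle(IntPtr hObject);

"@ -PassThru
[System.IntPtr]$userToken = [System.IntPtr]::Zero
# 9 = LOGON32_LOGON_NEW_CREDENTIALS, 0 = LOGON32_PROVIDER_DEFAULT.
# With logon type 9 the supplied credentials are used for outbound network connections only;
# locally the original identity is kept, so whoami still reports the calling account.
$success = $ImpersonationLib::LogonUser($userAccount, $userDomain, $passwordAccount, 9, 0, [ref]$userToken)
if (-not $success) {
  # Stop here: continuing with a zero token would fail in the WindowsIdentity constructor.
  throw "Failed to execute logon user"
}

# WindowsIdentity duplicates the token, so the original handle can be closed afterwards.
$Identity = New-Object Security.Principal.WindowsIdentity $userToken
if ($userToken -ne [System.IntPtr]::Zero) {
  $null = $ImpersonationLib::CloseHandle($userToken)
  $userToken = [System.IntPtr]::Zero
}
$context = $Identity.Impersonate()
try {
  ##Put your script below this
  whoami
  #or call a script
  & 'c:\path\to\script.ps1'
  ##Put your script above this we're ending our impersonation
}
finally {
  # Always revert to the original identity, even if the script above throws.
  $context.Undo()
  $context.Dispose()
}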

 
