I am trying to run a PowerShell script on a remote (Windows 2008 Server R2) machine. The following code works great when executed directly from PowerShell. (I.e. everything is set up correctly, WinRM services are running, Hosts trust each other, login is correct...)
However, when I execute the exact same code from a Jenkins instance (running on the same machine where I tested) I get a PSSessionStateBroken connection failure. (Not posting full error because it is in German on my machine.)
I suppose that means Jenkins is using PowerShell differently or has different PowerShell/WinRM settings or insufficient privileges. Any ideas?
$computer = "<some ip>"
$user = "Administrator"
$password = "<secretpassword>"
$securepassword = ConvertTo-SecureString -String $password -AsPlainText -Force
$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $user, $securepassword
Invoke-Command -ComputerName $computer -ScriptBlock { Get-ChildItem C:\ } -Credential $cred
Edit: Managed to fix it by running the Jenkins service as Administrator. Works for me, but does not feel right...
Jenkins PowerShell Plugin: Integrates with PowerShell by allowing you to directly write PowerShell scripts into the text box in Jenkins. Other than that, this plugin works pretty much like the standard shell script support.
Using the WS-Management protocol, Windows PowerShell remoting lets you run any Windows PowerShell command on one or more remote computers. You can establish persistent connections, start interactive sessions, and run scripts on remote computers.
As of March 2014, Jenkins installs the Jenkins service to run as the LocalSystem user (i.e., NT AUTHORITY\SYSTEM). The LocalSystem account accesses the network using the computer account.
For example, Jenkins on a host named JENKINSSERVER connects to remote machines using the MYDOMAIN\JENKINSSERVER$ computer account in the MYDOMAIN Active Directory domain.
This means you need to add the MYDOMAIN\JENKINSSERVER$ account as a member of the BUILTIN\Administrators local group on the TARGETSERVER:
NET LOCALGROUP "Administrators" "MYDOMAIN\MYSERVER$" /add
Caveat Emptor: This allows any code executing as LocalSystem or NetworkService on the MYSERVER host to run remote commands on TARGETSERVER as an Administrator. You may be better off creating a specific domain user for just this service to restrict admin rights to just the single Jenkins service.
Does your Jenkins service account credential have permission to log on remotely to the target computer?
I would use ProcMon to watch the target system when accessed by the administrator account and by the regular service account. You will see a difference, and I bet it will be obvious! Good luck!
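
A diagnostic in the spirit of both answers, as an added example that is not part of the original posts: it reports which account the script really runs as and whether that account can authenticate to the target over WinRM. TARGETSERVER is the placeholder from the answer above, and the service name jenkins is an assumption.

```powershell
# Added diagnostic, not from the original posts. Run it once in an interactive
# console and once as a Jenkins PowerShell build step, then compare the output.
$Target      = 'TARGETSERVER'   # placeholder target name used in the answer
$ServiceName = 'jenkins'        # assumption: Windows service name of Jenkins

# 1. Identity this process actually runs as.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
"Process identity  : $($identity.Name)"
"Is LocalSystem    : $($identity.IsSystem)"

# 2. Logon account configured for the service.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='$ServiceName'"
if ($svc) {
    "Service logon     : $($svc.StartName)"
} else {
    "Service logon     : service '$ServiceName' not found"
}

# 3. LocalSystem reaches other hosts as the computer account (COMPUTERNAME$).
#    The domain shown is the one reported by Win32_ComputerSystem.
if ($identity.IsSystem) {
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    if ($cs.PartOfDomain) {
        "Network identity  : $($cs.Domain)\$($env:COMPUTERNAME)`$"
    } else {
        "Network identity  : host is not domain-joined, no domain computer account"
    }
}

# 4. Authenticated WinRM probe with the implicit credentials of this process.
try {
    Test-WSMan -ComputerName $Target -Authentication Default -ErrorAction Stop | Out-Null
    "WinRM auth probe  : OK"
} catch {
    "WinRM auth probe  : FAILED - $($_.Exception.Message)"
}

# 5. Remoting call like the one in the question, but without -Credential,
#    so the result shows which account the target sees.
try {
    $remoteUser = Invoke-Command -ComputerName $Target -ScriptBlock { whoami } -ErrorAction Stop
    "Remote session as : $remoteUser"
} catch {
    "Remote session    : FAILED - $($_.FullyQualifiedErrorId)"
}
```

If the console run succeeds at steps 4 and 5 while the Jenkins run reports NT AUTHORITY\SYSTEM and fails there, the difference lies in the service identity rather than in the WinRM setup.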