Geek Answers Handbook

Remote Access with Powershell and Jenkins

I am trying to run powershell script on a remote computer (Windows 2008 Server R2). The following code works fine when executed directly from powershell. (Ie everything is configured correctly, WinRM services are started, hosts trust each other, login is correct ...)

However, when I execute the same code from a Jenkins instance (running on the same machine where I tested), I get a PSSessionStateBroken connection failure . (Do not post the full error because it is in German on my machine.)

I suppose this means that Jenkins uses powershell differently or has different powershell / winrm settings or insufficient privileges. Any ideas?

$computer = "<some ip>" $user = "Administrator" $password = "<secretpassword>" $securepassword = ConvertTo-SecureString -String $password -AsPlainText -Force $cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $user, $securepassword Invoke-Command -ComputerName $computer -ScriptBlock { Get-ChildItem C:\ } -Credential $cred

Edit: I was able to fix this by starting the jenkins service as an administrator. Works for me but doesn't feel good ...

+6
source share
2 answers

As of March 2014, Jenkins is installing the Jenkins service to act as a LocalSystem user (i.e. NT AUTHORITY\SYSTEM ). The LocalSystem account accesses the network using a computer account .

For example, Jenkins on a node named JENKINSSERVER connects to remote computers using the computer account MYDOMAIN\JENKINSSERVER$ in the MYDOMAIN Active Directory domain.

This means that you need to add the MYDOMAIN\JENKINSSERVER$ account as a member of the local BUILTIN\Administrators group in TARGETSERVER :

NET LOCALGROUP "Administrators" "MYDOMAIN\MYSERVER$" /add

Caveat Emptor: provides any code that runs as LocalSystem or NetworkService on the MYSERVER host to run remote commands on TARGETSERVER as an administrator. You might be better off creating a specific domain user for this service only, in order to restrict administrator rights to only one Jenkins service.

+3
source

Does your Jenkins service account have permission to log in remotely to the target computer?

I would use ProcMon to view the target system when accessing the administrator account and the regular service account. You will see the difference, and I'm sure it will be obvious! Good luck

+1
source

More articles:


All Articles