Powershell 服务器网络驱动器 [英] Powershell Server Network drive

问题描述

我有一个客户端和一个服务器.客户端将调用如下脚本:

I have a client and a server. The client will call a script like:

#Predefine necessary information
$Username = "Niels"
$Password = "password"
$ComputerName = "192.168.1.51"
$Script = {powershell c:/build/jclbuild2.bat}

#Create credential object
$SecurePassWord = ConvertTo-SecureString -AsPlainText $Password -Force
$Cred = New-Object -TypeName "System.Management.Automation.PSCredential" -ArgumentList $Username, $SecurePassWord

#Create session object with this
$Session = New-PSSession -ComputerName $ComputerName -credential $Cred

#Invoke-Command
$Job = Invoke-Command -Session $Session -Scriptblock $Script 
echo $Job

#Close Session
Remove-PSSession -Session $Session

在服务器上，jclbuild2.bat 将运行并访问像 \\otherserver\something 这样的网络驱动器，如果我执行以下命令，它会显示访问被拒绝:

On the server the jclbuild2.bat will run and access a network drive like \\otherserver\something, it says access denied if I do this command:

cmd.exe /C copy "\\server\file1.pdf" "\\server2\file1.pdf"

如何从远程服务器上的 powershell 文件访问网络驱动器?我使用 $username 和 $password 的用户应该可以访问网络驱动器.

How do I access a network drive from a powershell file on a remote server? The user I use with the $username and $password should have access to the network drive.

我认为这是一个双跳问题，我不知道如何解决.

I think it's a double hop issue, which I don't know how to solve.

推荐答案

您无法使用默认身份验证机制执行此操作.您需要使用一种身份验证机制，允许您传输凭据，而不仅仅是身份.Kerberos 就是其中之一.CredSSP 是从 Vista/Server 2008 开始内置到 Windows 中的另一个.

You can't do this using the default authentication mechanism. You need to use an authentication mechanism that allows you to flow credentials, not just identity. Kerberos is one of these. CredSSP is another that is built into Windows starting from Vista/Server 2008 onwards.

我有设置 CredSSP 的经验.请注意，存在一些安全风险，因为目标计算机可以以纯文本形式访问凭据.

I have experience setting up CredSSP. Note that there is some security risk because the target machine will have access to the credentials as plain text.

要进行设置，您需要运行两个命令(都来自提升的 shell).一个在您运行上述脚本的机器上(客户端)，另一个在您将通过远程连接(服务器)连接的目标上.

To set it up you will need to run two commands (both from an elevated shell). One on the machine you are running the above script on (the client) and another on the target that you will be connecting to via remoting (the server).

Enable-WSManCredSSP -Role Client -DelegateComputer $ComputerName -Force

这允许从客户端委派给 $ComputerName(请注意，您可能必须使用 FQDN).出于安全原因，您应该避免使用通配符 '*'，尽管您可能会考虑使用 '*.mydomain.int' 来启用对域中所有计算机的委派.

This enables delegation to $ComputerName from the client (note you may have to use the FQDN). For security reasons you should avoid using the wild card '*' although you might consider using '*.mydomain.int' to enable delegation to all machines on the domain.

在目标服务器上

Enable-WSManCredSSP -Role Server

然后在创建会话时使用 -Authentication 标志

Then when you create the session use the -Authentication flag

$Session = New-PSSession -ComputerName $ComputerName -credential $Cred -Authentication Credssp

ServerFault 存在关于设置 CredSSP 的问题.还有一篇博客文章这里补充说明.此帖子提供了以下问题的故障排除提示一些常见的错误信息.

There are questions on ServerFault on setting up CredSSP. There is also a blog post here with additional explanation. This post has troubleshooting tips for some commonly encountered error messages.

这篇关于Powershell 服务器网络驱动器的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！