An accessToken is not valid for connecting to Azure DevOps deployment group from Windows server - windows

In Azure DevOps Server, I have created a group in Deployment Groups. A registration script was created to run on the target server. This is the generated script.
$ErrorActionPreference="Stop";If(-NOT ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent() ).IsInRole( [Security.Principal.WindowsBuiltInRole] "Administrator")){ throw "Run command in an administrator PowerShell prompt"};If($PSVersionTable.PSVersion -lt (New-Object System.Version("3.0"))){ throw "The minimum version of Windows PowerShell that is required by the script (3.0) does not match the currently running version of Windows PowerShell." };If(-NOT (Test-Path $env:SystemDrive\'azagent')){mkdir $env:SystemDrive\'azagent'}; cd $env:SystemDrive\'azagent'; for($i=1; $i -lt 100; $i++){$destFolder="A"+$i.ToString();if(-NOT (Test-Path ($destFolder))){mkdir $destFolder;cd $destFolder;break;}}; $agentZip="$PWD\agent.zip";$DefaultProxy=[System.Net.WebRequest]::DefaultWebProxy;$securityProtocol=@();$securityProtocol+=[Net.ServicePointManager]::SecurityProtocol;$securityProtocol+=[Net.SecurityProtocolType]::Tls12;[Net.ServicePointManager]::SecurityProtocol=$securityProtocol;$WebClient=New-Object Net.WebClient; $Uri='https://go.microsoft.com/fwlink/?linkid=2066756';if($DefaultProxy -and (-not $DefaultProxy.IsBypassed($Uri))){$WebClient.Proxy= New-Object Net.WebProxy($DefaultProxy.GetProxy($Uri).OriginalString, $True);}; $WebClient.DownloadFile($Uri, $agentZip);Add-Type -AssemblyName System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory( $agentZip, "$PWD");.\config.cmd --deploymentgroup --deploymentgroupname "DG-Test" --agent $env:COMPUTERNAME --runasservice --work '_work' --url 'https://devops.MyCompany.com/tfs/' --collectionname 'Col-FRN-Main' --projectname 'T-MyCompany'; Remove-Item $agentZip;
I run the script, and PowerShell asks me to Enter authentication type (press enter for PAT), so I enter an accessToken that is generated in Personal Access Token, but PowerShell returns Enter authentication type (press enter for PAT).
I could use the accessToken for connecting Team Explorer in Visual Studio to my DevOps server and for connecting an agent pool to my DevOps server, but I have trouble connecting the deployment agent.
What's wrong?

When PowerShell asks you to Enter authentication type (press enter for PAT), you are supposed to press enter on your keyboard. Then it will prompt you to enter your Personal Access Token. Follow the prompts and you should be able to connect successfully.
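For scripted registration, the same config.cmd call can be run without prompts. This is an added example, not part of the original question or answer: it reuses the URL, collection, project and group names from the question, reads the PAT at a hidden prompt, and hands it to the agent through the VSTS_AGENT_INPUT_TOKEN environment variable so the token never appears on the command line.

```powershell
# Added example: non-interactive deployment-group registration with a PAT.
# Run from the extracted agent folder (e.g. C:\azagent\A1) in an elevated prompt.
$ErrorActionPreference = 'Stop'

# Read the PAT without echoing it and without leaving it in command history.
$secure = Read-Host -Prompt 'Personal Access Token' -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try {
    # config.cmd accepts any answer as VSTS_AGENT_INPUT_<NAME>; using the
    # environment keeps the token out of the process command line.
    $env:VSTS_AGENT_INPUT_TOKEN = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)

    # --unattended suppresses every prompt; --auth pat answers the
    # "Enter authentication type" question from the post.
    .\config.cmd --unattended --auth pat `
        --deploymentgroup --deploymentgroupname 'DG-Test' `
        --agent $env:COMPUTERNAME --runasservice --work '_work' `
        --url 'https://devops.MyCompany.com/tfs/' `
        --collectionname 'Col-FRN-Main' --projectname 'T-MyCompany'

    if ($LASTEXITCODE -ne 0) { throw "config.cmd failed with exit code $LASTEXITCODE" }
}
finally {
    # Clear the plaintext copies whether or not registration succeeded.
    Remove-Item Env:\VSTS_AGENT_INPUT_TOKEN -ErrorAction SilentlyContinue
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
}
```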

Related

Where is github authentication token stored on Windows?

If I run a command similar to the following on a private repository:
git ls-remote https://github.com/org/repo.git
I'm getting the following prompt.
I'm using https://gitforwindows.org and looking at the Process Explorer, it appears that the executable that produces this window is \mingw64\libexec\git-core\git-credential-manager.exe relative to Git for Windows installation folder.
When I put in my credentials, I'm getting an email from Github, saying that a new authentication token is created.
Where is this token stored on my PC? When I repeat the command above I'm no longer getting the prompt - as long as I do not revoke the token on the github web site.
By default, Git will use the Windows Credential Manager for storing and retrieving Git credentials via Github for Windows desktop.
Credential Manager lets you view and delete your saved credentials for signing in to websites, connected applications, and networks.
To open Credential Manager, type credential manager in the search box on the taskbar and select Credential Manager Control panel.
Select Web Credentials or Windows Credentials to access the credentials you want to manage.
You will find the GitHub - https://api.github.com/{username} entry on the Windows Credentials tab.
Mike Mackintosh is right. Here is how you can access the token.
Install-Module CredentialManager -Scope AllUsers -Force
Change flags on the above command to your liking. Then:
Get-StoredCredential -AsCredentialObject | %{$_} `
| ?{ $_.targetName -like "*github.com*"} `
| sort LastWritten `
| select LastWritten,Targetname,Password
This will get you the list of tokens you may have created. Use Get-Command -Module CredentialManager to list all available commands in the module that you can use to manipulate the credentials store.

POWERSHELL - Couldn't connect to a remote machine

Couldn't connect to a remote machine because of my password?
My problem here :
I can connect remotely with the normal method like "mstsc", so my user and password are working fine.
I do not understand why the password didn't work on powershell.
Could you help me with that please?
WinRM is enabled on the remote machine.
Add your full command to the post for review.
You should run your powershell session as an account that has proper access to the server.
enter-pssession -computername "your PC Name" is the command.
The PowerShell version will matter here; the device you are trying to connect to needs to be on PowerShell 3.0.

Problems with SQL Server 2012 on a Windows 2008 R2 Core Server

Created a script that installs an empty server to a server that uses an SQL Db, IIS, WebDeploy and FTP. Everything installs, but when I try to run my createsqldatabaseb.ps1 it gives an error. I have been searching for a solution for about two weeks now.
I've included a screenshot, ConfigurationFile.ini that setup.exe uses(SQL Server installer) and my script.
I'm looking for a small configuration error that prevents me from creating the Database.
Thanks.
Error that command gives
A couple of DISM actions to enable PowerShell etc.
dism /online /enable-feature /featurename:NetFx2-ServerCore
dism /online /enable-feature /featurename:NetFx3-ServerCore
dism /online /enable-feature /featurename:NetFx2-ServerCore-WOW64
dism /online /enable-feature /featurename:NetFx3-ServerCore-WOW64
dism /online /enable-feature /featurename:MicrosoftWindowsPowerShell
dism /online /enable-feature /featurename:MicrosoftWindowsPowerShell-WOW64
dism /online /enable-feature /featurename:ServerManager-PSH-Cmdlets
powershell Set-ExecutionPolicy Unrestricted
powershell ./InstallIIS.ps1
ConfigurationFile.ini
;SQL Server 2012 Configuration File
[OPTIONS]
; Specifies a Setup work flow, like INSTALL, UNINSTALL, or UPGRADE. This is a required parameter.
ACTION="Install"
; Detailed help for command line argument ENU has not been defined yet.
ENU="True"
; Setup will not display any user interface.
QUIET="False"
IACCEPTSQLSERVERLICENSETERMS="True"
; Setup will display progress only, without any user interaction.
QUIETSIMPLE="True"
; Specify whether SQL Server Setup should discover and include product updates. The valid values are True and False or 1 and 0. By default SQL Server Setup will include updates that are found.
UpdateEnabled="True"
; Specifies features to install, uninstall, or upgrade. The list of top-level features include SQL, AS, RS, IS, MDS, and Tools. The SQL feature will install the Database Engine, Replication, Full-Text, and Data Quality Services (DQS) server. The Tools feature will install Management Tools, Books online components, SQL Server Data Tools, and other shared components.
FEATURES=SQLENGINE,CONN,FULLTEXT
; Specify the location where SQL Server Setup will obtain product updates. The valid values are "MU" to search Microsoft Update, a valid folder path, a relative path such as .\MyUpdates or a UNC share. By default SQL Server Setup will search Microsoft Update or a Windows Update service through the Window Server Update Services.
UpdateSource="MU"
; Displays the command line parameters usage
HELP="False"
; Specifies that the detailed Setup log should be piped to the console.
INDICATEPROGRESS="False"
; Specifies that Setup should install into WOW64. This command line argument is not supported on an IA64 or a 32-bit system.
X86="False"
; Specify the root installation directory for shared components. This directory remains unchanged after shared components are already installed.
INSTALLSHAREDDIR="C:\Program Files\Microsoft SQL Server"
; Specify the root installation directory for the WOW64 shared components. This directory remains unchanged after WOW64 shared components are already installed.
INSTALLSHAREDWOWDIR="C:\Program Files (x86)\Microsoft SQL Server"
; Specify a default or named instance. MSSQLSERVER is the default instance for non-Express editions and SQLExpress for Express editions. This parameter is required when installing the SQL Server Database Engine (SQL), Analysis Services (AS), or Reporting Services (RS).
INSTANCENAME="MSSQLSERVER"
; Specify that SQL Server feature usage data can be collected and sent to Microsoft. Specify 1 or True to enable and 0 or False to disable this feature.
SQMREPORTING="False"
; Specify the Instance ID for the SQL Server features you have specified. SQL Server directory structure, registry structure, and service names will incorporate the instance ID of the SQL Server instance.
INSTANCEID="MSSQLSERVER"
; Specify if errors can be reported to Microsoft to improve future SQL Server releases. Specify 1 or True to enable and 0 or False to disable this feature.
ERRORREPORTING="False"
; Specify the installation directory.
INSTANCEDIR="C:\Program Files\Microsoft SQL Server"
; Agent account name
AGTSVCACCOUNT="NT Service\SQLSERVERAGENT"
; Auto-start service after installation.
AGTSVCSTARTUPTYPE="Automatic"
; CM brick TCP communication port
COMMFABRICPORT="0"
; How matrix will use private networks
COMMFABRICNETWORKLEVEL="0"
; How inter brick communication will be protected
COMMFABRICENCRYPTION="0"
; TCP port used by the CM brick
MATRIXCMBRICKCOMMPORT="0"
; Startup type for the SQL Server service.
SQLSVCSTARTUPTYPE="Automatic"
; Level to enable FILESTREAM feature at (0, 1, 2 or 3).
FILESTREAMLEVEL="0"
; Set to "1" to enable RANU for SQL Server Express.
ENABLERANU="False"
; Specifies a Windows collation or an SQL collation to use for the Database Engine.
SQLCOLLATION="Latin1_General_CI_AS"
; Account for SQL Server service: Domain\User or system account.
SQLSVCACCOUNT="NT Service\MSSQLSERVER"
; Windows account(s) to provision as SQL Server system administrators.
SQLSYSADMINACCOUNTS=".\Administrator"
; The default is Windows Authentication. Use "SQL" for Mixed Mode Authentication.
SECURITYMODE="SQL"
SAPWD="Opleelan8"
; Provision current user as a Database Engine system administrator for SQL Server 2012 Express.
ADDCURRENTUSERASSQLADMIN="False"
; Specify 0 to disable or 1 to enable the TCP/IP protocol.
TCPENABLED="1"
; Specify 0 to disable or 1 to enable the Named Pipes protocol.
NPENABLED="1"
; Startup type for Browser Service.
BROWSERSVCSTARTUPTYPE="Automatic"
My Install script
# Import ServerManager
Import-Module ServerManager
# Install IIS
Add-WindowsFeature Web-Server -IncludeAllSubFeature
# Install .NET Framework
Add-WindowsFeature net-Framework
# Import WebAdministration & Web-Mgmt-Service
Import-Module WebAdministration
# Install Web-Mgmt-Service
Add-WindowsFeature Web-Mgmt-Service
# Install .NET 4
./dotNetFx40_Full_x86_x64_SC.exe
write-host ".NET installed"
# Install Web Deploy
Write-Host "Installing Web Deploy"
.\WebDeploy_amd64_en-US.msi ADDLOCAL=ALL /qn
Write-Host "INSTALLED Web Deploy"
# Install Microsoft® Core XML Services, needed for SMO
Write-Host "Installing Microsoft Core XML SERVICES"
.\msxml6_x64.msi ADDLOCAL=ALL /qn
Write-Host "Installed Microsoft Core XML SERVICES"
#Install CLR Types
Write-Host "Installing CLR TYPES"
.\SQLSysClrTypes.msi ADDLOCAL=ALL /qn
Write-Host "Installed CLR TYPES"
# Install MS SQL Server Management Objects.
Write-Host "Installing MS SQL Server Management Objects"
./SharedManagementObjects.msi ADDLOCAL=ALL /qn
Write-Host "Installed MS SQL Server Management Objects"
#Install SQL SERVER
Write-Host "Installing SQL SERVER"
.\setup.exe /ConfigurationFile=ConfigurationFile.ini
Write-Host "INSTALLED SQL SERVER"
Clear-Host
$teamnaam = "ErosRammazani"
$teampass = "Opleelan8"
$sitePort="8007"
$sqlServerInstanceName="MSSQLSERVER"
$sqlServerName=$sqlServerInstanceName
$databaseAdminUser="sa"
$databaseAdminPassword="Opleelan8"
$Sitedir="C:\inetpub"
$Settingsdir="C:\inetprofiles"
$Scriptdir="C:\Program Files\IIS\Microsoft Web Deploy V3\Scripts"
$AppCmd="C:\Windows\System32\inetsrv\appcmd.exe"
# Give .NET access to the database
$aspnet="C:\WINDOWS\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"
# Path tests
Set-Location -Path "$Scriptdir"
if (!(Test-Path -path $Sitedir)) {New-Item $Sitedir -Type Directory}
if (!(Test-Path -path $Settingsdir)) {New-Item $Settingsdir -Type Directory}
if (!(Test-Path ".\SetupSiteForPublish.ps1"))
{ Write-Host -NoNewline "Installeer Wdeploy.exe"; Exit 1 }
##################### Create a user per team
net user $teamnaam $teampass /add /passwordchg:no /expires:never /active:yes /fullname:$teamnaam /comment:$teamnaam
# Set the FTP user account’s password not to expire
$WMI = gwmi win32_useraccount | where {$_.name -eq $teamnaam}
$WMI.PasswordExpires = $False
$WMI.put()
###################### Publish the site in IIS. Each team gets its own App Pool
Write-Host -NoNewline "publiceren site $teamnaam"
$siteName=$teamnaam
$sitePhysicalPath=$Sitedir+"\"+$siteName
$siteAppPoolName=$teamnaam+"AppPool"
$deploymentUserName=$teamnaam
$deploymentUserPassword=$teampass
$managedRunTimeVersion="v4.0"
.\SetupSiteForPublish.ps1 -siteName $siteName -sitePhysicalPath $sitePhysicalPath -siteAppPoolName $siteAppPoolName -sitePort $sitePort -deploymentUserName $deploymentUserName -deploymentUserPassword $deploymentUserPassword -publishSettingSavePath $Settingsdir -publishSettingFileName $siteName".PublishSettings" -managedRunTimeVersion $managedRunTimeVersion
################### Create the SQL db
Write-Host -NoNewline "SQL db aanmaken voor $teamnaam"
$databaseName="db$teamnaam"
$databaseUserName="dbuser$teamnaam"
$databaseUserPassword=$teampass
Set-Location -Path "$Scriptdir"
.\CreateSqlDatabase.ps1 -databaseName $databaseName -databaseUserName $databaseUserName -databaseUserPassword $databaseUserPassword -databaseAdminUser $databaseAdminUser -databaseAdminPassword $databaseAdminPassword -sqlServerInstanceName $sqlServerInstanceName -publishSettingSavePath $Settingsdir -publishSettingFileName $databaseName".PublishSettings"
#################### Put a default page on the site
echo "<html><body><h2>Default pagina $teamnaam</h2><p><%Response.Write(now())
%></p></body></html>" | Out-File $sitePhysicalPath\default.aspx
# Virtual dir on the default website
& $appcmd ADD vdir /app.name:"Default Web Site/" /path:/$teamnaam /physicalPath:C:\$Sitedir\$teamnaam
# Give .NET access to the database
# -A access to all features, -E use the login/password of the current user
Write-Host -NoNewline ".NET toegang tot db"
& $aspnet -S $sqlServerName -d $databaseName -A all -E
# FTP access to the site; the FTP site was created manually in IIS
if (!(Test-Path -path $sitePhysicalPath)) {New-Item $sitePhysicalPath -Type Directory}
& $AppCmd set config "FTP" -section:system.ftpServer/security/authorization /+"[accessType='Allow',users='$teamnaam',permissions='Read, Write']" /commit:apphost
######### open extra ports in firewall
Write-Host -NoNewline "Setting Windows Firewall rules for $teamnaam "
netsh advfirewall firewall add rule name="Projecten-$teamnaam-IN" dir=in action=allow protocol=TCP localport=$sitePort
netsh advfirewall firewall add rule name="Projecten-$teamnaam-OUT" dir=out action=allow protocol=TCP remoteport=$sitePort

Mount-DiskImage giving Access Denied when running through remote session

I have two VMs (Windows Server 2008 R2) with IPs 172.17.178.10 and 172.17.178.11.
I have created a folder named "share" on the VM with IP 172.17.178.10 that has an ISO.
I logged into the VM with IP 172.17.178.11 and ran the following command:
Mount-DiskImage \\172.17.178.10\share\xyz.iso
It mounted successfully; I can see the drive in My Computer.
Now I logged into 172.17.178.10 and took a remote session using the PowerShell command
Enter-PSSession -ComputerName 172.17.178.11 -Credential Administrator
Now when I run the command
Mount-DiskImage \\172.17.178.10\share\xyz.iso
I get the following error:
MOUNT-DISKIMAGE : Access is denied.
+ CategoryInfo : PermissionDenied: (MSFT_DiskImage:ROOT/Microsoft/.../MSFT_DiskImage) [Mount-DiskImage],
CimException
+ FullyQualifiedErrorId : HRESULT 0x80070005,Mount-DiskImage
I have provided full permissions to the share folder.
The issue here is that PowerShell remoting will not allow for a second-hop authentication unless CredSSP is enabled. Basically what happens is that when you authenticate to the server you are remoting to, it only verifies that you have access to it; it does not actually store your credentials, for security reasons, so it is not able to connect to any other server in your environment. I've attached some links below with info on setting up CredSSP, which will allow you to perform second-hop remoting once it is configured.
https://support.microsoft.com/en-us/kb/951608
https://technet.microsoft.com/en-us/library/hh849872.aspx
You could also probably set your share/NTFS permissions to allow everyone read permissions, but I have not tested that.
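The CredSSP setup the answer refers to, scoped to a single target and switched off again afterwards, as an added example that is not part of the original answer. It assumes domain-joined machines addressed by name: SERVER-B and FILESRV are placeholders for 172.17.178.11 and 172.17.178.10. With CredSSP the target receives the full credential, so delegation is limited to that one host.

```powershell
# Added example: CredSSP enabled for one second-hop task, then disabled.
# 'SERVER-B' (remoting target) and 'FILESRV' (share host) are placeholders.
$target = 'SERVER-B'
$cred   = Get-Credential    # CredSSP requires explicit credentials

# On the target, once, from an elevated prompt: accept delegated credentials.
#   Enable-WSManCredSSP -Role Server -Force

# On the client: allow delegation to this one host only, never to '*'.
Enable-WSManCredSSP -Role Client -DelegateComputer $target -Force | Out-Null
try {
    Invoke-Command -ComputerName $target -Credential $cred -Authentication Credssp -ScriptBlock {
        # The remote session now holds a delegated credential, so the
        # second hop to the file share can authenticate.
        Mount-DiskImage -ImagePath '\\FILESRV\share\xyz.iso'
    }
}
finally {
    # Turn client-side delegation back off when the task is done.
    Disable-WSManCredSSP -Role Client
}
```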

Security of running PowerShell command remotely?

I'm new to PowerShell. I'm looking to run PowerShell commands on a remote PC running Windows 7.
On the remote PC, I ran the following PowerShell commands:
Enable-PSRemoting -Force
Set-Item WSMAN:\localhost\client\trustedhosts <host_ip>
Restart-Service WinRM
I performed the last two commands on the host PC (but using <remote_ip>).
I confirmed this worked OK with:
Invoke-Command -ComputerName <name> -Credential <username> -ScriptBlock { Get-ChildItem C:\ }
My question: Is this secure on a public network? Should I be doing something else? Or should I be using SSL? If so, how do I go about this?
If you use the default authentication when using Invoke-Command the user is authenticated on the remote host using either NTLM or Kerberos. So I don't think you need to worry too much about the password being sniffed out on the network. Also, by default, remoting endpoints can only be used by administrators on that machine. Finally, if you need to allow non-admins access, you can configure a remoting endpoint that is restricted. It can be restricted in the cmdlets available and it can be restricted in language capability. This tutorial on remoting covers setting up a restricted session.
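A restricted endpoint of the kind the answer describes, limited in both visible cmdlets and language capability. This is an added example, not taken from the answer or its tutorial: the endpoint name RestrictedOps and the two visible cmdlets are illustrative, and it assumes PowerShell 3.0 or later on the remote PC.

```powershell
# Added example: register a restricted remoting endpoint.
# Run on the remote PC from an elevated prompt. 'RestrictedOps' and the
# visible cmdlet list are illustrative choices, not values from the post.
$pssc = Join-Path $env:ProgramData 'RestrictedOps.pssc'

New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -LanguageMode NoLanguage `
    -VisibleCmdlets 'Get-Service', 'Get-Process'

# Validate the file before registering it.
if (-not (Test-PSSessionConfigurationFile -Path $pssc)) {
    throw "Session configuration file $pssc is not valid"
}

# -ShowSecurityDescriptorUI opens the permissions dialog so a non-admin
# group can be granted Execute (Invoke) on this endpoint only.
Register-PSSessionConfiguration -Name 'RestrictedOps' -Path $pssc `
    -ShowSecurityDescriptorUI -Force

# From the host PC, connect to the restricted endpoint by name:
#   Invoke-Command -ComputerName <name> -Credential <username> `
#       -ConfigurationName RestrictedOps -ScriptBlock { Get-Service }
# A command outside the visible list, such as Get-ChildItem C:\, is
# rejected by this endpoint.
```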
