Unattended Windows deployment

Time: 2019-09-20 14:36:33

Tags: powershell uac

I am trying to create a certificate template via PowerShell for an unattended deployment on an AWS Windows instance built with CloudFormation.

The instructions come from section 3: https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_ldap.html#setupca

I have some PowerShell that seems to do what I need. After some confusion I worked out how to join the domain, and the only way I found for PowerShell to switch from the local administrator to the domain administrator is to use:

$Credential = New-Object System.Management.Automation.PSCredential -ArgumentList "$DomainNetBIOSName\$Username", $Pass
start-job -Scriptblock $scriptblock -Credential $Credential

That works: I can set $scriptblock to {whoami} and see domain\admin, but it needs to run:

Install-AdcsCertificationAuthority -CAType EnterpriseRootCa -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" -KeyLength 2048 -HashAlgorithmName SHA1 -ValidityPeriod Years -ValidityPeriodUnits 10 -Force

which results in the error:

CCertSrvSetup::InitializeDefaults: Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)
+ CategoryInfo          : NotSpecified: (:) [Install-AdcsCertificationAuthority], UnauthorizedAccessException
+ FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.CertificateServices.Deployment.Commands.CA.InstallADCSCertificationAuthority
+ PSComputerName        : localhost

I assume that needs "elevation"?

So, back to the drawing board. There are suggestions that you can achieve this with -Authentication Credssp.

However, that complains that "CredSSP authentication is currently disabled in the client configuration". I assume I need an elevated session to enable it. It also starts talking about changing some settings with gpedit. None of that is really feasible from a script. For example:

PS> Invoke-Command -Authentication Credssp -Scriptblock $ScriptBlock -ComputerName $env:COMPUTERNAME -Credential $Credential
[EC2AMAZ-I1PNQVH] Connecting to remote server EC2AMAZ-I1PNQVH failed with the following error message : The WinRM
client cannot process the request. CredSSP authentication is currently disabled in the client configuration. Change
 the client configuration and try the request again. CredSSP authentication must also be enabled in the server
configuration. Also, Group Policy must be edited to allow credential delegation to the target computer. Use gpedit.msc
and look at the following policy: Computer Configuration -> Administrative Templates -> System -> Credentials
Delegation -> Allow Delegating Fresh Credentials. 

So, how do I get my Windows server to run a sensible deployment script automatically, without having to log in and click "Allow"?
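One way to run the CA installation step described above without gpedit, as an added example that is not part of the original post: enable CredSSP for this one host only, run Install-AdcsCertificationAuthority through a WinRM session to the local machine (which gives the domain account a full, unfiltered administrator token and lets it authenticate to the domain), then switch delegation back off. It assumes WinRM is already enabled, the $DomainNetBIOSName/$Username/$Pass variables from the post, an account permitted to install an enterprise CA, and uses SHA256 where the post used SHA1.

```powershell
# Added example, not the poster's script. Assumes WinRM is enabled and the
# domain account is allowed to install an enterprise root CA.
param(
    [Parameter(Mandatory)] [string] $DomainNetBIOSName,
    [Parameter(Mandatory)] [string] $Username,
    [Parameter(Mandatory)] [securestring] $Pass
)

$Credential = New-Object System.Management.Automation.PSCredential `
    -ArgumentList "$DomainNetBIOSName\$Username", $Pass
$Target = $env:COMPUTERNAME

try {
    # Client side: allow delegating fresh credentials to this host only. This
    # writes the same "Allow Delegating Fresh Credentials" policy the WinRM
    # error message points at, so no gpedit session is needed.
    Enable-WSManCredSSP -Role Client -DelegateComputer $Target -Force | Out-Null
    # Server side: accept delegated credentials on this host.
    Enable-WSManCredSSP -Role Server -Force | Out-Null

    Invoke-Command -ComputerName $Target -Credential $Credential `
        -Authentication Credssp -ScriptBlock {
            # The role must be present before the ADCSDeployment cmdlets exist.
            Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools | Out-Null
            # Same parameters as in the post, except SHA256 instead of SHA1.
            Install-AdcsCertificationAuthority -CAType EnterpriseRootCa `
                -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
                -KeyLength 2048 -HashAlgorithmName SHA256 `
                -ValidityPeriod Years -ValidityPeriodUnits 10 -Force
        }
}
finally {
    # Delegation is only needed for this step; leave the host as it was.
    Disable-WSManCredSSP -Role Client
    Disable-WSManCredSSP -Role Server
}
```

Limiting -DelegateComputer to the local host keeps the domain password from being delegated anywhere else, and the finally block removes the CredSSP configuration even if the CA setup fails.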

0 answers:

No answers