
AZCopy Login Fails from remote server through PSSession


I'm having a weird authentication problem with AZCopy Login, and kicking off the script via Scheduled Task as a Group Managed Service Account. Please try to follow along as I try to explain this complicated procedure... TLDR below.

We have a manufacturing production floor Windows computer (PC) that saves files based on the widgets it makes. We need to save these long term and want to do so as Azure Blobs. So on this PC we have a PowerShell script (Sync Script) that connects to the Azure Storage Account with 'AZCopy login...' using an Azure Service Principal. It then syncs files from the PC to an Azure Blob Container. This script works fine when I run it on the PC as either my own user, or from a PowerShell prompt run as a Group Managed Service Account in our domain.

We have a server that we run all of our different PowerShell scripts from (Tasks Server). On this Tasks Server we have another PowerShell script (Kickoff Script) that will create a New-PSSession to the above mentioned PC, then use Invoke-Command with that PSSession to run the above mentioned Sync Script on the PC. This works fine when I run it on the Tasks Server as my own user, and when I run it as a scheduled task as my user.

However, when I run PowerShell as a gMSA on the Tasks Server, it fails the AZCopy Login. Even trying to run the commands one by one, not in a script, it fails. The error is:

Failed to perform login command: failed to encrypt token, The requested operation cannot be completed. The computer must be trusted for delegation and the current user account must be configured to allow delegation.

I have run 'Enable-WSManCredSSP -role Client -DelegateComputer ', as well as 'Enable-WSManCredSSP -role Server' on the PC and the Tasks Server with no difference.

Can someone please help me understand why this is failing?

TLDR; Group Managed Service Account on Server1 runs a scheduled task PowerShell script to create a PSSession and Invoke-Command on PC1. PC1 receives the invocation and runs the script as the gMSA and runs azcopy.exe login with the Service Principal and fails.
