Help: How to start a process with different credential remotely

Here is my script (test.ps1) on remote server:

 
$ProcessInfo = New-Object System.Diagnostics.ProcessStartInfo 
$ProcessInfo.FileName = "whoami" 
$ProcessInfo.RedirectStandardError = $true 
$ProcessInfo.RedirectStandardOutput = $true 
$ProcessInfo.UseShellExecute = $false 
$ProcessInfo.WorkingDirectory = "C:\Windows\System32"
if ($AddCred) {
    $ProcessInfo.Domain = ""
    $ProcessInfo.UserName = "localuser"
    $ProcessInfo.Password = ConvertTo-SecureString -String "password" -AsPlainText -Force
}
$Process = New-Object System.Diagnostics.Process 
$Process.StartInfo = $ProcessInfo 
$Process.Start() | Out-Null 

I verified the script is working locally.

Now on client side from my desktop, I use my domain account to create session and enter it and then run it:

  1. If I run it without using different credential, I get the result as expect:
    [server.sas.com]: PS C:\testing> .\test.ps1
    Start Process with credential
    carynt\cdtauto

However, once I use the domain and credential portion of it by adding “-AddCred”, it is no longer working:
[server.sas.com]: PS C:\testing> .\jane1.ps1 -AddCred
Start Process with credential
Exception calling “Start” with “0” argument(s): “Access is denied”
At C:\testing\jane1.ps1:22 char:1

  • $Process.Start() | Out-Null
  •   + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
      + FullyQualifiedErrorId : Win32Exception
    
    

Exception calling “WaitForExit” with “0” argument(s): “No process is associated with this object.”
At C:\testing\jane1.ps1:23 char:1

  • $Process.WaitForExit()
  •   + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
      + FullyQualifiedErrorId : InvalidOperationException
    
    

You cannot call a method on a null-valued expression.
At C:\testing\jane1.ps1:24 char:1

  • $output = $Process.StandardOutput.ReadToEnd()
  •   + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
      + FullyQualifiedErrorId : InvokeMethodOnNull

I’m not sure it’s possible to get that working through Remoting. Remoting doesn’t pass your credential to the remote computer; it uses Kerberos by default, and the way that delegation works… well, Windows’ security system is complex. I’m not sure a delegated credential could be used to assert a new process under a different token.

The “right way” to do this would be to set up an endpoint on the remote machine, and have that endpoint “run as” your alternate credential. This is what the JEA module is all about.