
I am trying to write a script in PowerShell that will install 10 servers on virtual machines. It's just a simple script where I specify a list of arguments and the path of the MSI package, and run a passive installation. If I do this manually, logged in as the same user that is running the PowerShell script and with the same arguments, everything is fine and the application is installed successfully, but if I run the script I always get an SQL error when connecting to the database. Log pasted below.

PowerShell script:

$installerPath = "$destinationPath\$application`_$versionToInstall.msi"

$sqlAuthType = "SQL_AUTH"

# MSI property passed on the msiexec command line
$arguments = "SQL_AUTH_TYPE=$sqlAuthType"

# $internalArgs (the argument list handed to msiexec) is not shown in this snippet
$exitCode = Invoke-Command -ComputerName $serverToInstall -ScriptBlock {
    (Start-Process -FilePath "msiexec.exe" -ArgumentList $Using:internalArgs -Wait -PassThru).ExitCode
}

# 0 = success, 3010 = success with reboot required
if (($exitCode -eq 0) -or ($exitCode -eq 3010)) {
    WriteLog("$application is installed succesfully")
}

MSI logs from %temp%

PROPERTY CHANGE: Modifying LOG property. Its current value is 'RUNTIME AUTH TYPE USED TO DATABASE LOGIN: 'WINDOWS_AUTH'. 

'CONNECTION STRING 'Data Source=sqlserver\SQL1;Initial Catalog=master;Integrated Security=True;Connect Timeout=10'.

and after this log I'm getting this error:

PROPERTY CHANGE: Adding SQL_ERROR_DETAILS property. Its value is 'Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.'.
CustomAction SilentVerifySqlConnection returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)

And just to test it, if I run a simple PowerShell script like this (I'm copying the connection string created during my installation and trying to connect with it via PowerShell), it works:

$connString = "Data Source=sqlserver\SQL1;Initial Catalog=master;Integrated Security=True;Connect Timeout=10"
$conn = New-Object System.Data.SqlClient.SqlConnection
$conn.ConnectionString = $connString

try {
    $conn.Open()
    Write-Host "success"
    $conn.Close()
} catch {
    Write-Host "Connection failed: $($_.Exception.Message)"
}

Do you have any ideas why this is happening? I checked a lot of topics on Stack Overflow but nothing helps in this case.

  • Are you trying to install the MSIs on an Azure Windows Virtual Machine?
    – Venkat V
    Commented Jul 30, 2024 at 8:21
  • @VenkatV no, it's just a normal VM with Windows Server
    – kollodziej
    Commented Jul 30, 2024 at 8:22
  • Can you please brief your requirement clearly?
    – Venkat V
    Commented Jul 30, 2024 at 8:22
  • @VenkatV I want to run the installation on machine2 from machine1 without any errors - now I'm getting an error during installation saying that I cannot connect to SQL, but if I do it manually, logging in to machine2 with the same credentials that I'm running the PowerShell script with on machine1, it works properly.
    – kollodziej
    Commented Jul 30, 2024 at 8:29

1 Answer

What you are running into is what we call the Double Hop Issue.

When you log into another machine using Invoke-Command you are not truly logging in as yourself but as NT AUTHORITY\ANONYMOUS LOGON.

When you are calling the SQL you are using your Windows login, because of Integrated Security=True.

There are a few ways around this. These are not all the ways, just the ones I prefer.

Creating a PSSessionConfiguration on the remote computers. (I prefer this one.) You can set up configurations that will allow you to log in as a user of your choosing. I usually set up a GMSA account for SREs to access servers and shares.

You can get a configuration template from PowerShell using the command New-PsSessionConfigurationFile

Register your file with Register-PSSessionConfiguration

Then you can connect to the remote machine

Invoke-Command -ComputerName Test -ConfigurationName MyConfigNameHere -ScriptBlock { "Hey" }

Another way would be to use CredSSP (I personally haven't used this option).

  • But I have tried printing "whoami" before executing the script with the installation and it shows my user, with rights to the database on that SQL instance. Is it still the Double Hop issue?
    – kollodziej
    Commented Jul 30, 2024 at 8:32
  • It is. It will show your user but you aren't really you. It's more like Windows passes a token saying you are you, but that token can't be passed to the next jump
    – ArcSet
    Commented Jul 30, 2024 at 8:46
  • If you need more info Google "powershell double hop workaround"
    – ArcSet
    Commented Jul 30, 2024 at 8:51
  • I tried what you recommended but I keep getting this error message: Processing data from remote server servername failed with the following error message: The I/O operation has been aborted because of either a thread exit or an application request. For more information, see the about_Remote_Troubleshooting Help topic.
    – kollodziej
    Commented Jul 30, 2024 at 9:08
  • Can you show how to specify credentials in this template?
    – kollodziej
    Commented Jul 30, 2024 at 13:35
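
One way to set up the session-configuration approach from the answer, including where the run-as identity is specified, as an added example (not code from the answer or its comments). The account CONTOSO\gmsa-deploy, the group CONTOSO\Deploy-Operators and the endpoint name DeployAsGmsa are hypothetical; the gMSA is assumed to be installed on the target server, to have a login on the SQL Server instance, and to have the local rights msiexec needs.

```powershell
# --- On the target server (machine2), in a local elevated console ---
# Hypothetical names, replace with your own.
$configName = 'DeployAsGmsa'
$runAsGmsa  = 'CONTOSO\gmsa-deploy'
$operators  = 'CONTOSO\Deploy-Operators'
$psscPath   = Join-Path $env:ProgramData "$configName.pssc"

# Sessions on this endpoint run as the gMSA. The connection to SQL Server is
# then made with that account's own credentials on the target, so no
# delegation of the caller's identity (the second hop) is needed.
New-PSSessionConfigurationFile -Path $psscPath `
    -SessionType Default `
    -GroupManagedServiceAccount $runAsGmsa

if (-not (Test-PSSessionConfigurationFile -Path $psscPath)) {
    throw "Invalid session configuration file: $psscPath"
}

# Restrict who may connect: local Administrators plus one deployment group.
# Anyone allowed to connect acts as the run-as account, so keep this narrow.
$sid  = ([System.Security.Principal.NTAccount]$operators).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
$sddl = "O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;$sid)"

# Registration restarts the WinRM service, which drops remoting sessions to
# this machine, so run it locally rather than through Invoke-Command.
Register-PSSessionConfiguration -Name $configName -Path $psscPath `
    -SecurityDescriptorSddl $sddl -Force

# Without a gMSA, the run-as identity is given at registration instead of in
# the file; the password is then stored on this machine:
#   Register-PSSessionConfiguration -Name $configName -RunAsCredential (Get-Credential)

# --- On the machine running the script (machine1) ---
# $serverToInstall and $internalArgs are the variables from the question.
Invoke-Command -ComputerName $serverToInstall -ConfigurationName $configName `
    -ScriptBlock { whoami }    # shows the run-as account, not the caller

$exitCode = Invoke-Command -ComputerName $serverToInstall `
    -ConfigurationName $configName -ScriptBlock {
        (Start-Process -FilePath 'msiexec.exe' -ArgumentList $Using:internalArgs `
            -Wait -PassThru).ExitCode
    }
```

`Unregister-PSSessionConfiguration -Name DeployAsGmsa` removes the endpoint once the rollout is finished.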
