usslindstrom
asked on
VBScript prompt for smart card credentials, execute under new creds
Experts,
Not sure if this is at all possible, but I'd like to field if it's an option.
In our environment, we use smart cards for admin access - and I have a VBScript that connects to remote machines to do some action/work items.
What I'd like to do, is have my vbscript prompt for smart card credentials, then execute as the authenticated admin user. This is so the script could be run under a non-admin user session (i.e. user in the field), while a tech is over-the-shoulder fixing things.
This an option?
SOLUTION
ASKER CERTIFIED SOLUTION
ASKER
You've provided me with some ammo to attempt to tackle this problem. I really had no idea the 'runas' command supported smart cards, but as you've pointed out - it does.
I just tested, and any spawned instance of shell / inherited the admin smart card permissions for executing.
The hard part's now going to be putting my shell commands into a logical flow beneath the admin credential request. :)
ASKER
Adding 'Thanks' - since apparently I can't proofread prior to submitting my posts. :(
Thanks for the pointer!
ASKER
I didn't think the runas command supported that. I honestly don't believe it would be smart enough to read the card at that point and allow selection of the certificate to use (as in the case of ActiveClient)
But you're thinking, to try a shell out from script, then execute runas on the script. I'd like to explore your idea here, in that I'm not really sure if I can pull it off.
Meaning, when I would shell out to execute the script, the session would only hold the credentials for that single process. Should there be another shell instance, I'd have to make the user reauthenticate again?
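An added example, not code from this thread: one way to get a single smart card prompt is to have the script relaunch itself once under `runas /smartcard` and do all of its work in that second process. The `/elevated` switch, the host names and the WMI query are assumptions made up for the illustration.

```vbscript
Option Explicit
' Added example, not from the thread. Host names are placeholders.
Dim shell, targets, host, cmd, rc
Set shell = CreateObject("WScript.Shell")

If Not WScript.Arguments.Named.Exists("elevated") Then
    ' First pass, running as the logged-on non-admin user: relaunch this
    ' script once under runas /smartcard. runas asks for the card PIN in
    ' its own console window. Inner quotes are escaped as \" for runas.
    cmd = "runas /smartcard ""cscript.exe //nologo \""" & _
          WScript.ScriptFullName & "\"" /elevated"""
    ' Run waits for runas itself, which returns once the new process has
    ' been started (or the logon has failed), not when the work is done.
    rc = shell.Run(cmd, 1, True)
    WScript.Quit rc
End If

' Second pass: everything below runs inside the one process that holds the
' smart card logon, so each remote connection reuses it without a new prompt.
targets = Array("HOST-PLACEHOLDER-01", "HOST-PLACEHOLDER-02")
For Each host In targets
    WScript.Echo host & ": " & GetOsCaption(host)
Next

' A child process started from here runs under the same logon.
shell.Run "cmd.exe /c whoami & pause", 1, True

' Returns the OS caption of a remote machine over WMI, or "unreachable".
Function GetOsCaption(computer)
    Dim wmi, os
    GetOsCaption = "unreachable"
    On Error Resume Next
    Set wmi = GetObject("winmgmts:\\" & computer & "\root\cimv2")
    If Err.Number = 0 Then
        For Each os In wmi.ExecQuery("SELECT Caption FROM Win32_OperatingSystem")
            GetOsCaption = os.Caption
        Next
    End If
    On Error GoTo 0
End Function
```

The script file has to sit in a location the admin account can read, since the second pass opens it under that account.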