VBScript prompt for smart card credentials, execute under new creds

Posted on 2014-04-03
Last Modified: 2014-04-04

Not sure if this is at all possible, but I'd like to field if it's an option.

In our environment, we use smart cards for admin access - and I have a VBScript that connects to remote machines to do some action/work items.

What I'd like to do, is have my vbscript prompt for smart card credentials, then execute as the authenticated admin user.  This is so the script could be run under a non-admin user session (i.e. user in the field), while a tech is over-the-shoulder fixing things.

This an option?
Question by:usslindstrom
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 500 total points
ID: 39977944
Smart-cards are only supported with interactive logon events. However RUNAS does support the smartcard option... (since XP sp2 and later OS's)

RUNAS [ [/noprofile | /profile] [/env] [/netonly] ]
        /user:<UserName> program

RUNAS [ [/noprofile | /profile] [/env] [/netonly] ]
        /smartcard [/user:<UserName>] program

   /noprofile        specifies that the user's profile should not be loaded.
                     This causes the application to load more quickly, but
                     can cause some applications to malfunction.
   /profile          specifies that the user's profile should be loaded.
                     This is the default.
   /env              to use current environment instead of user's.
   /netonly          use if the credentials specified are for remote
                     access only.
   /savecred         to use credentials previously saved by the user.
                     This option is not available on Windows XP Home Edition
                     and will be ignored.
   /smartcard        use if the credentials are to be supplied from a
   /user             <UserName> should be in form USER@DOMAIN or DOMAIN\USER
   program         command line for EXE.  See below for examples

> runas /noprofile /user:mymachine\administrator cmd
> runas /profile /env /user:mydomain\admin "mmc %windir%\system32\dsa.msc"
> runas /env / "notepad \"my file.txt\""

NOTE:  Enter user's password only when prompted.
NOTE:  USER@DOMAIN is not compatible with /netonly.
NOTE:  /profile is not compatible with /netonly.

Open in new window


Author Comment

ID: 39978905
hmmmm.   Interesting thought process...

I didn't think the runas command supported that.  I honestly don't believe it would be smart enough to read the card at that point and allow selection of the certificate to use (as in the case of ActiveClient)

But you're thinking, to try a shell out from script, then execute runas ono the script.  I'd like to explore your idea here, in that I'm not really sure if I can pull it off.

Meaning, when I would shell out to execute the script, the session would only hold the credentials for that single process.  Should there be another shell instance, I'd have to make the user reauthenticate again?
LVL 38

Accepted Solution

Rich Rumble earned 500 total points
ID: 39978932
Any process that starts another process typically inherits the token/authentication. I'm not sure about your case, and it does vary from host to host.
You could use a script to call runas, launch an application as another user, and be prompted to insert your SC, once that authentication succeeds, it should run-as that user until the process terminates. Any new processes that process calls when running-as an alternate user will be stated as the same user. The issue may become however that a spawned process may not get an AD token to access remote machines, just the machine it's running on.
In the case of WMI for example, if I start a CMD prompt as a domain-admin using run-as, I can connect to remote host's using WMIC.exe (a process that is spawned from my cmd (domain admin) prompt). Not all programs work well with AD, but those that do should allow you to access remote hosts when running as a domain account. If it's a local account, it won't work remotely unless that same account exists on the remote hosts and the passwords match.
(I do not have an SC to test runas with sorry)

Author Closing Comment

ID: 39979031
You've provided me with some ammo to attempt to tackle this problem.  I really had no idea the 'runas' command supported smart cards, but as you've pointed out - it does.

I just tested, and any spawned instance of shell / inherited the admin smart card permissions for executing.

The hard part's now going to be putting my shell commands into a logical flow beneith the admin credential request.  :)

Author Comment

ID: 39979034
Adding 'Thanks' - since aparently I can't proofread prior to submitting my posts.  :(

Thanks for the pointer!

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A project that enables an administrator to perform actions within a user session context not just at the time of login but any time later on day(s) or week(s) later.
This article shows the method of using the Resultant Set of Policy Tool to locate Group Policy that applies a particular setting.
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

710 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question