VBScript prompt for smart card credentials, execute under new creds


Not sure if this is at all possible, but I'd like to field if it's an option.

In our environment, we use smart cards for admin access - and I have a VBScript that connects to remote machines to do some action/work items.

What I'd like to do, is have my vbscript prompt for smart card credentials, then execute as the authenticated admin user.  This is so the script could be run under a non-admin user session (i.e. user in the field), while a tech is over-the-shoulder fixing things.

This an option?
Who is Participating?
Rich RumbleConnect With a Mentor Security SamuraiCommented:
Any process that starts another process typically inherits the token/authentication. I'm not sure about your case, and it does vary from host to host.
You could use a script to call runas, launch an application as another user, and be prompted to insert your SC, once that authentication succeeds, it should run-as that user until the process terminates. Any new processes that process calls when running-as an alternate user will be stated as the same user. The issue may become however that a spawned process may not get an AD token to access remote machines, just the machine it's running on.
In the case of WMI for example, if I start a CMD prompt as a domain-admin using run-as, I can connect to remote host's using WMIC.exe (a process that is spawned from my cmd (domain admin) prompt). Not all programs work well with AD, but those that do should allow you to access remote hosts when running as a domain account. If it's a local account, it won't work remotely unless that same account exists on the remote hosts and the passwords match.
(I do not have an SC to test runas with sorry)
Rich RumbleConnect With a Mentor Security SamuraiCommented:
Smart-cards are only supported with interactive logon events. However RUNAS does support the smartcard option... (since XP sp2 and later OS's)

RUNAS [ [/noprofile | /profile] [/env] [/netonly] ]
        /user:<UserName> program

RUNAS [ [/noprofile | /profile] [/env] [/netonly] ]
        /smartcard [/user:<UserName>] program

   /noprofile        specifies that the user's profile should not be loaded.
                     This causes the application to load more quickly, but
                     can cause some applications to malfunction.
   /profile          specifies that the user's profile should be loaded.
                     This is the default.
   /env              to use current environment instead of user's.
   /netonly          use if the credentials specified are for remote
                     access only.
   /savecred         to use credentials previously saved by the user.
                     This option is not available on Windows XP Home Edition
                     and will be ignored.
   /smartcard        use if the credentials are to be supplied from a
   /user             <UserName> should be in form USER@DOMAIN or DOMAIN\USER
   program         command line for EXE.  See below for examples

> runas /noprofile /user:mymachine\administrator cmd
> runas /profile /env /user:mydomain\admin "mmc %windir%\system32\dsa.msc"
> runas /env /user:user@domain.microsoft.com "notepad \"my file.txt\""

NOTE:  Enter user's password only when prompted.
NOTE:  USER@DOMAIN is not compatible with /netonly.
NOTE:  /profile is not compatible with /netonly.

Open in new window

usslindstromAuthor Commented:
hmmmm.   Interesting thought process...

I didn't think the runas command supported that.  I honestly don't believe it would be smart enough to read the card at that point and allow selection of the certificate to use (as in the case of ActiveClient)

But you're thinking, to try a shell out from script, then execute runas ono the script.  I'd like to explore your idea here, in that I'm not really sure if I can pull it off.

Meaning, when I would shell out to execute the script, the session would only hold the credentials for that single process.  Should there be another shell instance, I'd have to make the user reauthenticate again?
usslindstromAuthor Commented:
You've provided me with some ammo to attempt to tackle this problem.  I really had no idea the 'runas' command supported smart cards, but as you've pointed out - it does.

I just tested, and any spawned instance of shell / inherited the admin smart card permissions for executing.

The hard part's now going to be putting my shell commands into a logical flow beneith the admin credential request.  :)
usslindstromAuthor Commented:
Adding 'Thanks' - since aparently I can't proofread prior to submitting my posts.  :(

Thanks for the pointer!
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.