VBScript prompt for smart card credentials, execute under new creds

Posted on 2014-04-03
Medium Priority
Last Modified: 2014-04-04

Not sure if this is at all possible, but I'd like to field if it's an option.

In our environment, we use smart cards for admin access - and I have a VBScript that connects to remote machines to do some action/work items.

What I'd like to do is have my VBScript prompt for smart card credentials, then execute as the authenticated admin user. This is so the script could be run under a non-admin user session (i.e. a user in the field), while a tech is over-the-shoulder fixing things.

Is this an option?
Question by: usslindstrom

Assisted Solution

by:Rich Rumble
Rich Rumble earned 2000 total points
ID: 39977944
Smart cards are only supported with interactive logon events. However, RUNAS does support the smartcard option (since XP SP2 and later OSes):

RUNAS [ [/noprofile | /profile] [/env] [/netonly] ]
        /user:<UserName> program

RUNAS [ [/noprofile | /profile] [/env] [/netonly] ]
        /smartcard [/user:<UserName>] program

   /noprofile        specifies that the user's profile should not be loaded.
                     This causes the application to load more quickly, but
                     can cause some applications to malfunction.
   /profile          specifies that the user's profile should be loaded.
                     This is the default.
   /env              to use current environment instead of user's.
   /netonly          use if the credentials specified are for remote
                     access only.
   /savecred         to use credentials previously saved by the user.
                     This option is not available on Windows XP Home Edition
                     and will be ignored.
   /smartcard        use if the credentials are to be supplied from a
                     smartcard.
   /user             <UserName> should be in form USER@DOMAIN or DOMAIN\USER
   program           command line for EXE.  See below for examples

> runas /noprofile /user:mymachine\administrator cmd
> runas /profile /env /user:mydomain\admin "mmc %windir%\system32\dsa.msc"
> runas /env /user:user@domain.microsoft.com "notepad \"my file.txt\""

NOTE:  Enter user's password only when prompted.
NOTE:  USER@DOMAIN is not compatible with /netonly.
NOTE:  /profile is not compatible with /netonly.



Author Comment

ID: 39978905
hmmmm.   Interesting thought process...

I didn't think the runas command supported that.  I honestly don't believe it would be smart enough to read the card at that point and allow selection of the certificate to use (as in the case of ActiveClient)

But you're thinking to try a shell out from the script, then execute runas on the script. I'd like to explore your idea here, in that I'm not really sure if I can pull it off.

Meaning, when I would shell out to execute the script, the session would only hold the credentials for that single process. Should there be another shell instance, would I have to make the user re-authenticate?

Accepted Solution

Rich Rumble earned 2000 total points
ID: 39978932
Any process that starts another process typically inherits the token/authentication. I'm not sure about your case, and it does vary from host to host.
You could use a script to call runas, launch an application as another user, and be prompted to insert your SC; once that authentication succeeds, it should run as that user until the process terminates. Any new processes that process calls when running as an alternate user will be started as the same user. The issue may become, however, that a spawned process may not get an AD token to access remote machines, just the machine it's running on.
In the case of WMI, for example, if I start a CMD prompt as a domain admin using runas, I can connect to remote hosts using WMIC.exe (a process that is spawned from my cmd (domain admin) prompt). Not all programs work well with AD, but those that do should allow you to access remote hosts when running as a domain account. If it's a local account, it won't work remotely unless that same account exists on the remote hosts and the passwords match.
(I do not have an SC to test runas with, sorry.)
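The flow described in the accepted solution, written out as an added example (this is not code from the thread or from either poster): the script checks whether it is already running under the admin account, and if not re-launches itself through runas /smartcard, which prompts for the PIN. The second copy, started by runas, then does the remote work with the inherited token, here a WMI query with no explicit credentials. The argument layout (admin account, remote host, a literal "elevated" marker on the re-launched copy), the WMI class queried and the hypothetical helper names are assumptions. runas needs the Secondary Logon service running, and with /smartcard the /user value selects which account the card's certificate is mapped to.

```vbscript
' Added example, not from the original thread: re-launch this script under
' smart-card credentials via "runas /smartcard", then do remote work as the
' admin. Argument layout and the WMI query below are assumptions.
Option Explicit

Dim sh, net, adminUser, host
Set sh  = CreateObject("WScript.Shell")
Set net = CreateObject("WScript.Network")

If WScript.Arguments.Count < 2 Then
    WScript.Echo "usage: cscript //nologo " & WScript.ScriptName & _
                 " DOMAIN\adminuser remotehost"
    WScript.Quit 2
End If
adminUser = WScript.Arguments(0)
host      = WScript.Arguments(1)

' Pass 1: still the field user's session. Hand off to runas, which prompts
' for the smart card PIN and starts a second cscript as adminUser.
If WScript.Arguments.Count = 2 Then
    WScript.Quit Relaunch(adminUser, host)
End If

' Pass 2 (third argument "elevated" present): runas started this process as
' adminUser, and every process or COM object created from here inherits that
' token, so the WMI connection below is authenticated as the admin.
WScript.Echo "Running as " & net.UserDomain & "\" & net.UserName
WScript.Echo host & ": " & RemoteOsCaption(host)

' Build the runas command line and wait for it to finish. Quotes inside the
' program argument are escaped as \" exactly as in the runas help text.
Function Relaunch(user, target)
    Dim cmd
    cmd = "runas /smartcard /user:" & user & _
          " ""cscript //nologo \""" & WScript.ScriptFullName & "\"" " & _
          user & " " & target & " elevated"""
    ' 1 = normal window, True = wait. The return value is runas's exit code,
    ' non-zero when the PIN prompt is cancelled or the logon fails.
    Relaunch = sh.Run(cmd, 1, True)
End Function

' Query a remote host over WMI using the caller's current token (no explicit
' credentials), which is what the runas'd admin context provides.
Function RemoteOsCaption(target)
    Dim wmi, os
    On Error Resume Next
    Set wmi = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
                        target & "\root\cimv2")
    If Err.Number <> 0 Then
        RemoteOsCaption = "WMI connect failed: " & Err.Description
        Exit Function
    End If
    For Each os In wmi.ExecQuery("SELECT Caption FROM Win32_OperatingSystem")
        RemoteOsCaption = os.Caption
    Next
End Function
```

Run it as the field user with `cscript //nologo script.vbs DOMAIN\adminuser remotehost`; the first pass returns runas's exit code, so a failed or cancelled PIN prompt is visible to whatever launched the script. The re-launched copy reaches remote hosts because the account is a domain account, which is the condition the accepted solution gives; a local account re-launched this way would only work against hosts where the same account and password exist.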

Author Closing Comment

ID: 39979031
You've provided me with some ammo to attempt to tackle this problem. I really had no idea the 'runas' command supported smart cards, but as you've pointed out, it does.

I just tested, and any spawned instance of the shell inherited the admin smart card permissions for executing.

The hard part's now going to be putting my shell commands into a logical flow beneath the admin credential request.  :)

Author Comment

ID: 39979034
Adding 'Thanks', since apparently I can't proofread prior to submitting my posts.  :(

Thanks for the pointer!
