?
Solved

VBScript prompt for smart card credentials, execute under new creds

Posted on 2014-04-03
5
Medium Priority
?
1,387 Views
Last Modified: 2014-04-04
Experts,

Not sure if this is at all possible, but I'd like to field if it's an option.

In our environment, we use smart cards for admin access - and I have a VBScript that connects to remote machines to do some action/work items.

What I'd like to do, is have my vbscript prompt for smart card credentials, then execute as the authenticated admin user.  This is so the script could be run under a non-admin user session (i.e. user in the field), while a tech is over-the-shoulder fixing things.

This an option?
0
Comment
Question by:usslindstrom
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
5 Comments
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 2000 total points
ID: 39977944
Smart-cards are only supported with interactive logon events. However RUNAS does support the smartcard option... (since XP sp2 and later OS's)
RUNAS USAGE:

RUNAS [ [/noprofile | /profile] [/env] [/netonly] ]
        /user:<UserName> program

RUNAS [ [/noprofile | /profile] [/env] [/netonly] ]
        /smartcard [/user:<UserName>] program

   /noprofile        specifies that the user's profile should not be loaded.
                     This causes the application to load more quickly, but
                     can cause some applications to malfunction.
   /profile          specifies that the user's profile should be loaded.
                     This is the default.
   /env              to use current environment instead of user's.
   /netonly          use if the credentials specified are for remote
                     access only.
   /savecred         to use credentials previously saved by the user.
                     This option is not available on Windows XP Home Edition
                     and will be ignored.
   /smartcard        use if the credentials are to be supplied from a
                     smartcard.
   /user             <UserName> should be in form USER@DOMAIN or DOMAIN\USER
   program         command line for EXE.  See below for examples

Examples:
> runas /noprofile /user:mymachine\administrator cmd
> runas /profile /env /user:mydomain\admin "mmc %windir%\system32\dsa.msc"
> runas /env /user:user@domain.microsoft.com "notepad \"my file.txt\""

NOTE:  Enter user's password only when prompted.
NOTE:  USER@DOMAIN is not compatible with /netonly.
NOTE:  /profile is not compatible with /netonly.

Open in new window

-rich
0
 
LVL 5

Author Comment

by:usslindstrom
ID: 39978905
hmmmm.   Interesting thought process...

I didn't think the runas command supported that.  I honestly don't believe it would be smart enough to read the card at that point and allow selection of the certificate to use (as in the case of ActiveClient)

But you're thinking, to try a shell out from script, then execute runas ono the script.  I'd like to explore your idea here, in that I'm not really sure if I can pull it off.

Meaning, when I would shell out to execute the script, the session would only hold the credentials for that single process.  Should there be another shell instance, I'd have to make the user reauthenticate again?
0
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 2000 total points
ID: 39978932
Any process that starts another process typically inherits the token/authentication. I'm not sure about your case, and it does vary from host to host.
You could use a script to call runas, launch an application as another user, and be prompted to insert your SC, once that authentication succeeds, it should run-as that user until the process terminates. Any new processes that process calls when running-as an alternate user will be stated as the same user. The issue may become however that a spawned process may not get an AD token to access remote machines, just the machine it's running on.
In the case of WMI for example, if I start a CMD prompt as a domain-admin using run-as, I can connect to remote host's using WMIC.exe (a process that is spawned from my cmd (domain admin) prompt). Not all programs work well with AD, but those that do should allow you to access remote hosts when running as a domain account. If it's a local account, it won't work remotely unless that same account exists on the remote hosts and the passwords match.
-rich
(I do not have an SC to test runas with sorry)
0
 
LVL 5

Author Closing Comment

by:usslindstrom
ID: 39979031
You've provided me with some ammo to attempt to tackle this problem.  I really had no idea the 'runas' command supported smart cards, but as you've pointed out - it does.

I just tested, and any spawned instance of shell / inherited the admin smart card permissions for executing.

The hard part's now going to be putting my shell commands into a logical flow beneith the admin credential request.  :)
0
 
LVL 5

Author Comment

by:usslindstrom
ID: 39979034
Adding 'Thanks' - since aparently I can't proofread prior to submitting my posts.  :(

Thanks for the pointer!
0

Featured Post

Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In the absence of a fully-fledged GPO Management product like AGPM, the script in this article will provide you with a simple way to watch the domain (or a select OU) for GPOs changes and automatically take backups when policies are added, removed o…
Active Directory can easily get cluttered with unused service, user and computer accounts. In this article, I will show you the way I like to implement ADCleanup..
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
Suggested Courses

719 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question