invoke-runbook security?

Forum: Orchestrator
Viewing 5 posts - 1 through 5 (of 5 total)
    #227041

    curtmcgirt
    Participant

    I have a runbook that initializes data with one parameter that gets passed to a powershell script that queries AD for some stuff about that one parameter, and returns data. for testing, I currently also have it sending an email with the returned data.

    this all works as expected in the runbook tester. but running it from the orchestrator web interface, it doesn’t return any data. I assumed this is because the orchestrator runbook service doesn’t have the right AD permissions, and I do (since it works in the runbook tester as me). so I created a new runbook, which invokes this runbook, and set the security on the “invoke runbook” activity to use my domain credentials (again, for testing). it still doesn’t return any data.

    I added the runbook service account to domain admins. after a restart of the runbook service, the runbook returns data.

    why is my runbook still running as the runbook service account, even when the Security tab on the “invoke runbook” activity is telling it to run as me?

    #227043

    Greg Charman
    Participant

    The reason the Runbook doesn’t use your permissions is that entering the credentials into the security options of an Activity tells Orchestrator to use these credentials just to run this Activity. They don’t pass through to other Runbooks or activities.

    To use your credentials rather than the Runbook Service Account for execution you would have to enter them into the Security Credentials tab of each AD Activity.

    #227054

    curtmcgirt
    Participant

    Greg,
    I am not using any AD activities. I am using “Run .Net Script,” which does not have a security tab.

    what is the point of the security tab of the *Invoke Runbook* activity, if not to run everything in the invoked runbook as the credentials I want?

    do I have to include credentials in the powershell script to get orchestrator to run a powershell script as credentials other than the runbook service account?

    #227066

    Greg Charman
    Participant

    Had you used the free Active Directory Integration Pack from Microsoft, you could have provided a dedicated set of credentials for the IP to use to communicate with AD. These would have superseded the Runbook Server Service Account.

    I can only assume the security credentials on Invoke Runbook are a hangover from Opalis.

    Yes, you would have to include credentials in your PowerShell script to get it to run as something other than the Runbook Server service account.

    #227085

    Noah Stahl
    Participant

    Within a Run .Net Script activity, the script will run as the runbook service account by default, so as long as this account has proper permissions, it should work. One potential issue is the double-hop authentication restriction, which can come into play when using Invoke-Command.

    A practice I often use when needing to provide specific credentials to PowerShell in Orchestrator is to pass in the username and password and create a PSCredential object to use as a -Credential parameter value on cmdlets.

    Beyond that, you might try using this template with the trace logging technique to get better troubleshooting clues.
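    An added example (not Noah’s code and not part of Orchestrator) of what the PSCredential approach looks like inside a Run .Net Script activity: the two credential variables, the sample account name and the ActiveDirectory module on the runbook server are assumptions, and the plain-text password is a placeholder that should come from published data rather than being typed into the script.

    ```powershell
    # Constructed example for a Run .Net Script activity (PowerShell).
    # Placeholders: subscribe these to published data from Initialize Data
    # rather than hard-coding them, so the password is not stored in the runbook.
    $queryUser   = 'DOMAIN\svc-adquery'   # assumed dedicated query account
    $queryPass   = 'REPLACE_WITH_PUBLISHED_DATA'
    $samAccount  = 'jdoe'                 # assumed parameter from Initialize Data

    # Build the PSCredential object that the AD cmdlets accept via -Credential.
    $securePass = ConvertTo-SecureString -String $queryPass -AsPlainText -Force
    $cred = New-Object System.Management.Automation.PSCredential ($queryUser, $securePass)

    # Trace log: publish this as output data so a failure shows which account
    # the query actually ran as (the question in this thread).
    $trace  = "Host=$env:COMPUTERNAME RunningAs=$env:USERNAME QueryAs=$queryUser"
    $result = ''

    try {
        Import-Module ActiveDirectory -ErrorAction Stop
        # The cmdlet authenticates as $cred, not as the runbook service account.
        $user = Get-ADUser -Identity $samAccount -Properties MemberOf `
                           -Credential $cred -ErrorAction Stop
        $result = ($user.MemberOf -join ';')
        $trace += " Status=OK Groups=$($user.MemberOf.Count)"
    }
    catch {
        # Keep the error text; it distinguishes a permission problem from a bad identity.
        $trace += " Status=FAIL Error=$($_.Exception.Message)"
    }

    # Clear the plain-text copy once the credential object exists.
    $queryPass = $null
    # Publish $result and $trace from the activity's Published Data tab.
    ```

    Because the credential is supplied explicitly on the cmdlet, this does not depend on the Security tab of Invoke Runbook, and the trace string makes the effective identity visible without granting the service account Domain Admins.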
