I am trying to update the certificate revocation list on a root server and want to update it on an issuing CA server. But I am facing a strange problem, as below:
1. When I try to publish the .crl on the issuing CA using the following command from PowerShell, it works as expected. I am using the domain admin account to log in to the machine and then executing the command in PowerShell with admin privileges:
cmd /c "certutil -f -dspublish C:\<crl_name>.crl"
It works fine:
whoami
<domain_name>\administrator
2. Now, if I execute the same command from a Jenkins pipeline, where I try to do the same thing using Invoke-Command with the same admin credentials, it does not work and throws the following error:
try {
    Invoke-Command -ScriptBlock { cmd /c "certutil -f -dspublish C:\<crl_name>.crl" } -ComputerName localhost -Credential (New-Object System.Management.Automation.PSCredential $username,(ConvertTo-SecureString $password -AsPlainText -Force))
} catch { echo $_.Exception.Message }
For $username I am passing the value <domain_name>\administrator.
But the error is:
ldap:///CN=XXXX,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=<domain_name>,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint?certificateRevocationList
ldap: 0x1: 000004DC: LdapErr: DSID-0C090DE7, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580
CertUtil: -dsPublish command FAILED: 0x800704dc (WIN32: 1244 ERROR_NOT_AUTHENTICATED)
CertUtil: The operation being requested was not performed because the user has not been authenticated.
I am using the same credentials that I use to log in to the machine as admin and execute the command, and then it works, but the same credentials fail when I use them with Invoke-Command.
Can anybody please help me with this?
Basically what's happening here is that the PowerShell context you are using has credential delegation disabled, which means that the credentials you are using to run the command cannot be used for the LDAP connection, hence the user is "not authenticated".
The solution depends on what exactly your context is, but it usually boils down to either enabling delegation or using CredSSP instead of Kerberos. In my case, I was using Kerberos on Ansible, which allows delegation but does not have it enabled by default, so my solution was adding
ansible_winrm_kerberos_delegation: yes
in the inventory.
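For the PowerShell/Jenkins case in the question, the CredSSP route the answer mentions looks like the following. This is an added example, not code from either poster; it assumes the pipeline runs on the issuing CA itself (so localhost plays both CredSSP roles, as in the question), that $username and $password are supplied by the pipeline as before, and it keeps <crl_name> as a placeholder.

```powershell
# Added example: run certutil over a CredSSP-authenticated remoting session so the
# second hop (WinRM session -> LDAP bind to the domain) carries real credentials.
# Assumes this runs on the issuing CA itself (localhost), matching the question.
$ErrorActionPreference = 'Stop'
$caHost  = 'localhost'
$crlPath = 'C:\<crl_name>.crl'                       # placeholder from the question
$cred    = New-Object System.Management.Automation.PSCredential(
               $username,
               (ConvertTo-SecureString $password -AsPlainText -Force))

# Client role: allow this machine to delegate credentials ONLY to $caHost, never "*".
Enable-WSManCredSSP -Role Client -DelegateComputer $caHost -Force | Out-Null
# Server role: allow this machine to accept delegated credentials.
Enable-WSManCredSSP -Role Server -Force | Out-Null

try {
    $result = Invoke-Command -ComputerName $caHost `
                             -Credential $cred `
                             -Authentication Credssp `
                             -ScriptBlock {
        param($path)
        # With CredSSP the session holds usable credentials, so the LDAP bind that
        # -dspublish performs against the CDP container can succeed.
        $out = & certutil.exe -f -dspublish $path 2>&1
        [pscustomobject]@{ ExitCode = $LASTEXITCODE; Output = ($out -join "`n") }
    } -ArgumentList $crlPath

    if ($result.ExitCode -ne 0) {
        throw "certutil -dspublish failed ($($result.ExitCode)):`n$($result.Output)"
    }
    Write-Output $result.Output
}
finally {
    # Delegation is only needed for this one call; turn it back off so the pipeline's
    # stored password is not forwarded to the host by unrelated sessions.
    Disable-WSManCredSSP -Role Client
    Disable-WSManCredSSP -Role Server
}
```

Enable-WSManCredSSP edits the local "Allow delegating fresh credentials" policy, so it needs an elevated session and will be overridden if domain Group Policy manages that setting.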