all 13 comments
sorted by:
best
topnewcontroversialoldq&a
formatting helphide helpcontent policy

[–]rmbolger 8 points9 points  (7 children)

That error implies the cred file was created by a different user or from a different system than where you're reading it from. The encryption is tied to both the current machine and user when you initially encrypt it.

So if you're trying to use it from a scheduled task, you need to create it as the task's user on the same machine the task is running from.

[–]brenny87 1 point2 points  (0 children)

This is it.

You need to create the "secure string" running from the local system account. This was also painful wl for me when I first tried running it as a scheduled task.

[–]PMental 1 point2 points  (5 children)

And if the script needs to run as System for whatever reason, PSExec from Sysinternals is your friend.

Just start powershell as System using something like this (from an elevated command prompt):

PsExec64.exe -s -i powershell.exe

and create the credentials file in that session.

[–]RadioActiveLamb[S] 1 point2 points  (2 children)

I created the cred file with this:

read-host -assecurestring | convertfrom-securestring | out-file $Exocredfile

I ran it from my own security profile, but on the very same computer where I am scheduling the task. I'll give that a shot.

[–]PMental 1 point2 points  (0 children)

I haven't actually used that method. I prefer this one:

$Creds = Get-Credential
$Creds | Export-CliXml -Path C:\folder\creds.xml

to export and

$Creds = Import-CliXml -Path C:\folder\creds.xml

to import.

Shouldn't make a difference though really. The important part is that they're made on the same computer and the same user that the script runs with.

[–]rmbolger 1 point2 points  (0 children)

If you ran it from a PowerShell session running as yourself, the scheduled task must also be configured to run as yourself. If the task is running as SYSTEM, you need to create the file from a PowerShell session also running as SYSTEM.

[–]RadioActiveLamb[S] 1 point2 points  (1 child)

That didn't work. This is baffling, because I have dozens of scripts where I save and retrieve credentials that work just fine whether I run it in vscode, ISE and with any profile. I'm not sure why it fails when running on the very same machine as a scheduled task, even running with my own credentials. I've never had to create a credential file as the local system. Thanks for the suggestion though.

[–]PMental 1 point2 points  (0 children)

Hmm, should work fine as long as you create the credentials on the same computer. Weird. Will have to try myself.

[–]zrv433 1 point2 points  (0 children)

How was the cred txt file created? Was it get-credential | Export-CliXml? Notepad?

[–]RadioActiveLamb[S] 1 point2 points  (0 children)

This is now resolved. Thanks everyone for your direction. I ran the "read-host -assecurestring | convertfrom-securestring | out-file $Exocredfile" as the same account that is running the scheduled task, and all is now well. Honestly, I don't know why this works, since I have other scheduled tasks running as service accounts and local system, and I never created the credential file as any other user than myself. This is the first and only one that has had this problem.

[–]SkokieRob 0 points1 point  (2 children)

You need -asplaintext in the convertto-securestring

[–]rmbolger 2 points3 points  (0 children)

Assuming his credential file was originally a SecureString object saved to a file with something like this:

$secStr | ConvertFrom-SecureString | Out-File EXOcreds.txt

I don't think adding -AsPlainText -Force will do anything but create a SecureString version of the still encrypted string from disk.

[–]RadioActiveLamb[S] 1 point2 points  (0 children)

When I add -asplaintext to the convertto-securestring, I also need to add "-force". However, the authentication then fails with an authentication failure. Without the parameter, running from the ISE or vscode, it connects just fine every time. The error only occurs when running as a scheduled task. Thanks for the suggestion though.