2 Replies Latest reply on Jul 31, 2014 8:24 AM by Steve Cupp

    Running a Citrix powershell module with BSA

    Steve Cupp

      We use a Citrix PowerShell module, Add-XAWorkerGroupServer, that adds a server to a worker group in the Citrix environment. This module defaults to using the credentials of the user executing the module; there is no other authentication method available. When we deploy the PowerShell script to the target server using BSA, it is using the local Windows account we have set up, and therefore it is this account that this module uses to connect to the Citrix environment. This fails since the Citrix environment only uses AD Domain accounts for authentication.


      So I guess we are stuck with trying to come up with a way of executing the PowerShell script with other credentials via BSA; this doesn't seem to be as easy as it sounds.


      The Citrix web site suggests using "Runas" to launch the PowerShell script, which looked promising at first. It turns out that "Runas" doesn't have a way of passing the password through; you are forced to enter it at a prompt, so much for automation.


      My BMC professional services contact, Naveen Anne, who we have working with us on a project to convert our many Altiris jobs to BSA packages/jobs, suggested Automation Principals. This also looked promising, but Naveen explained that the BSA environment must have an NSH proxy set up, which right now we do not have.


      So with all that said, I'm asking for any other suggestions from the community on how to accomplish our goal.



        • 1. Re: Running a Citrix powershell module with BSA
          Scott Carter

          As far as I know, there are three different ways. 


          First off, you can use psexec. With a BLPackage, add an external command line like this:


          ??psexec_path_win??\PsExec.exe \\??TARGET.NAME?? /accepteula -u ??ctx_usr?? -p ??ctx_pwd?? -h  -i 0 cmd /C "powershell -InputFormat none ??psexec_path_win??\main.ps1"


          The /accepteula is required to not have to say OK to use it, the -h is necessary to run with an elevated token for Vista or higher, and the -i 0 was necessary for it to return data (interactive). Use -u and -p to specify a user and password, or use the -s switch to have the process run as the SYSTEM account. The user instantiating psexec must have admin rights for the server you are executing it on because it spawns a service.


          You can also do it with Task Scheduler (source Re: enable Powershell remoting).   External command:


          schtasks /create /tn "test" /tr "powershell C:\temp\ps_invoke\main.ps1" /sc once /st 01:00 /ru ??ctxusr?? /rp ??ctxpwd??

          schtasks /run /tn "test"

          powershell -command "& {start-sleep -s 60}"

          schtasks /delete /tn "test" /f

          This creates a scheduled task, then executes it by name.  The sleep is because the delete will fail if it happens too soon.


          For these first two methods, I think in 8.3 it won’t expose the user/pass in logs, but not tested yet.  However, the password can be exposed in logs in earlier versions, certainly 8.1 and earlier. 

          The last way is using Automation Principals.  That lets you run the powershell scripts directly as the AP user your role maps to.  As you said though, this requires an NSH proxy.


          Hope this helps.
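
Added example, not part of the reply above and not BMC or Citrix code: a PowerShell variant of the Task Scheduler method that polls the task status instead of sleeping a fixed 60 seconds, and deletes the task in a `finally` block so the task and its saved password are not left on the server when a step fails. The function name, the timeout, the 5-second poll interval and the English "Running" status string are assumptions; how the user and password reach the function is not shown.

```powershell
# Added example; function name, timeout and default values are assumptions.
function Invoke-OneShotTask {
    param(
        [Parameter(Mandatory = $true)] [string] $User,      # domain account, the thread's ??ctxusr??
        [Parameter(Mandatory = $true)] [string] $Password,  # the thread's ??ctxpwd??; never echo it
        [string] $TaskName   = 'test',
        [string] $ScriptPath = 'C:\temp\ps_invoke\main.ps1',
        [int]    $TimeoutSec = 600
    )

    function Get-TaskStatus([string] $Name) {
        # On Vista/2008 and later, /fo csv /nh prints: "TaskName","Next Run Time","Status"
        $line = schtasks /query /tn $Name /fo csv /nh 2>$null | Select-Object -First 1
        if (-not $line) { return $null }
        ($line | ConvertFrom-Csv -Header TaskName, NextRun, Status).Status
    }

    try {
        schtasks /create /tn $TaskName /tr "powershell $ScriptPath" /sc once /st 01:00 /ru $User /rp $Password /f | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "schtasks /create failed with exit code $LASTEXITCODE" }

        schtasks /run /tn $TaskName | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "schtasks /run failed with exit code $LASTEXITCODE" }

        # Poll until the task leaves the Running state or the deadline passes.
        $deadline = (Get-Date).AddSeconds($TimeoutSec)
        do {
            Start-Sleep -Seconds 5
            $status = Get-TaskStatus $TaskName
        } while ($status -eq 'Running' -and (Get-Date) -lt $deadline)

        if ($status -eq 'Running') {
            schtasks /end /tn $TaskName | Out-Null
            throw "Task '$TaskName' still running after $TimeoutSec seconds; ended it"
        }
    }
    finally {
        # Runs on success and on failure, so the task and its saved password are removed.
        schtasks /delete /tn $TaskName /f 2>$null | Out-Null
    }
}
```

The password is still passed to `schtasks` on the command line here, so the log-exposure caveat in the reply applies to this form as well.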

          • 2. Re: Running a Citrix powershell module with BSA
            Steve Cupp

            Sorry for not responding to your reply sooner. This is all good info for us to consider as we figure out how to handle issues like this. Thanks very much.