Add Clusternodes with powershell as different user

    Question

  • Hi all,

    We've been automating our cluster roll-outs with PowerShell, and especially adding nodes to an existing cluster.

    The situation we're in is the following:

    We've built a web-based application that runs under IIS and starts PowerShell scripts on the IIS server. These scripts will remotely install SQL Server, configure it, and will try to add the computer to an existing cluster if a "HA" flag is provided. Now this adding to the cluster is causing us security issues. The problem is that the function Add-Clusternode will not accept Credentials, so there are 2 different ways of doing this:

    1. We run it as the service account under which IIS is run, however this service account then requires local admin rights on all the nodes within the cluster, not just the one we're trying to add. This is quite a security issue since this would in turn mean that it's possible to run malicious code on all cluster nodes when you gain access to the IIS environment.

    2. Trying this remotely through Invoke-Command, however this requires CredSSP to be enabled if I want to do it as an installation user. Enabling CredSSP in itself is not a problem, however this has to be run from an elevated PowerShell prompt, which causes prompts. And since this is started from a web interface there's no actual PowerShell screen (or prompt).

    Does anybody have any experience with this and perhaps has a third option or other possible workaround for this issue?

    Thank you in advance!

    Regards,

    Danny

    Thursday, April 18, 2019 9:17 AM
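
A sketch of the second option from the question, as an added example that is not part of the original post: CredSSP is enabled for a single delegate target, `Add-Clusternode` runs in a CredSSP session as the installation user, and CredSSP is switched off again afterwards. The parameter names are hypothetical, and the script assumes it is started from an already elevated session; `-Force` only suppresses the confirmation prompts.

```powershell
#Requires -RunAsAdministrator
# Added example; $NewNode, $ClusterName and $InstallCredential are hypothetical placeholders.
param(
    [Parameter(Mandatory)] [string]       $NewNode,            # node being added; use the same name form everywhere
    [Parameter(Mandatory)] [string]       $ClusterName,        # existing cluster
    [Parameter(Mandatory)] [pscredential] $InstallCredential   # installation user
)
$ErrorActionPreference = 'Stop'

try {
    # Client side: allow credential delegation to this one node only, never a wildcard.
    Enable-WSManCredSSP -Role Client -DelegateComputer $NewNode -Force | Out-Null

    # Server side: let the new node accept CredSSP logons (default authentication for this call).
    Invoke-Command -ComputerName $NewNode -Credential $InstallCredential -ScriptBlock {
        Enable-WSManCredSSP -Role Server -Force | Out-Null
    }

    # CredSSP session: the installation user's credentials are available on the new node,
    # so the cmdlet can authenticate onwards to the existing cluster nodes.
    Invoke-Command -ComputerName $NewNode -Credential $InstallCredential `
                   -Authentication Credssp -ScriptBlock {
        Import-Module FailoverClusters
        Add-ClusterNode -Cluster $using:ClusterName -Name $env:COMPUTERNAME
    }
}
finally {
    # Remove the delegation again so credentials are not delegable outside the roll-out window.
    Invoke-Command -ComputerName $NewNode -Credential $InstallCredential -ScriptBlock {
        Disable-WSManCredSSP -Role Server
    } -ErrorAction SilentlyContinue
    Disable-WSManCredSSP -Role Client
}
```

With CredSSP the installation user's credentials are handed to the new node for the duration of the session, which is why the delegate list is limited to that node and cleared in the `finally` block.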

All replies

  • Hi L4rko,

     

    I suggest that you also send a thread to the Windows Server forum, because this permission issue is not very relevant to SQL Server, and it may be difficult for people here to give you very good advice.

     

    I also recommend that you communicate with your domain administrator about this permission assignment.

     

    Hope this could help you.

    Best regards,

    Dedmon Dai


    MSDN Community Support

    Friday, April 19, 2019 6:05 AM