This repository has been archived by the owner on Sep 1, 2021. It is now read-only.

Running New-StoredCredential over WinRM produces an error #20

Open
rockraft7 opened this issue Jul 8, 2018 · 7 comments

Comments

@rockraft7

Hi,

I'm trying to execute New-StoredCredential over a WinRM session, and I'm getting this error:

ERROR: CredWrite failed with the error code 1312.
windows-2016-x64-virtualbox: ERROR: at , C:\Users\vagrant\set-proxy.ps1: line 22 ERROR: at , : line 1
windows-2016-x64-virtualbox: ERROR EXCEPTION: System.Exception: CredWrite failed with the error code 1312. ERROR EXCEPTION: at PSCredentialManager.Api.CredentialManager.WriteCred(NativeCredential credential) ERROR EXCEPTION: at PSCredentialManager.Cmdlet.NewStoredCredential.ProcessRecord()

This is the snippet I was running:

Write-Host "Setting credential manager"
Import-Module CredentialManager
New-StoredCredential -Target $env:PROXY_HOST -UserName $env:PROXY_USERNAME -Password $env:PROXY_PASSWORD -Type GENERIC -Persist ENTERPRISE

Is there any way I can work around this restriction?

Thank you

@shurick81

Same for Get-StoredCredential

@derrix060

Could anyone fix it?

@carceneaux

Just passing through and saw this. Has anyone tried WinRM with CredSSP enabled? That typically resolves these types of errors.

@shurick81

Yep, I'm 95% sure I have tried CredSSP

@argRegEater

I'm facing precisely the same issue. I've done the following troubleshooting:

  • I've tried it with a successful CredSSP session (same session works for a cred-delegating installation)
  • I've confirmed that LocalSecPol is not preventing the creation of stored credentials
  • The WinRM session is being run in the context of an administrative user on the remote machine.

My troubleshooting research has indicated that the 1312 error frequently revolves around this statement: "A specified logon session does not exist. It may already have been terminated", and a lot of posts say you need an interactive session to create a full profile before Cred Manager interactions can occur.

That said, I've tried establishing an interactive login session thus creating a local profile (and consequently logging off my interactive session), before running the WinRM command. The result was the same. Below is an exploded view of the error passed back by "invoke-command" when running new-storedcredential in a scriptblock:


Error message follows

CommandName
New-StoredCredential

Position
At line:5 char:9
+     try{new-storedcredential -target "SSUnsealKey" -username "SSUnsea ...
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Category
InvalidOperation: (PSCredentialManager.Common.Credential:Credential) [New-StoredCredential], 

Exception

ErrorID
1,PSCredentialManager.Cmdlet.NewStoredCredential

Exception Message
CredWrite failed with the error code 1312.

HResult
-2146233088

InnerException

StackTrace
   at PSCredentialManager.Api.CredentialManager.WriteCred(NativeCredential credential)
   at PSCredentialManager.Cmdlet.NewStoredCredential.ProcessRecord()

ScriptStackTrace
at <ScriptBlock>, <No file>: line 5

ErrorDetails
new-storedcredential : CredWrite failed with the error code 1312.
At line:5 char:9
+     try{new-storedcredential -target "SSUnsealKey" -username "SSUnsea ...
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (PSCredentialManager.Common.Credential:Credential) [New-StoredCredential], Exception
    + FullyQualifiedErrorId : 1,PSCredentialManager.Cmdlet.NewStoredCredential

@argRegEater

Additional information:
In the scenario above both of these commands caused the same 1312 failure, so it doesn't seem to care how you pass the credential information in.

new-storedcredential -target 'SSUnsealKey' -username 'SSUnsealKey' -password $MyPass -persist LocalMachine
new-storedcredential -target 'SSUnsealKey' -credential $myPSCredObj -persist LocalMachine

@argRegEater

argRegEater commented Jul 17, 2020

For those looking into this issue, I did find a workaround. new-storedcredential does not like to be run remotely, but you can do the following (pseudocode because in a hurry):

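## Placeholders: replace the <...> values before running
$computerName = '<computerName>'
$targetName   = '<targetName>'
$userName     = '<username>'
$password     = '<password>'

Invoke-Command -ComputerName $computerName -ScriptBlock {
    ## Temp script path and task name (example values; the path must be readable by the task user)
    $newCredScriptPath = Join-Path $env:TEMP 'New-TempCredential.ps1'
    $taskName = 'TempNewCredential'

    ## Copy the caller's values into the remote session
    $targetName = $using:targetName
    $userName   = $using:userName
    $password   = $using:password

    ## Create PS1 containing the New-StoredCredential call
    ## (a value containing a single quote must have it doubled first)
    $newCredCommand = "New-StoredCredential -Target '$targetName' -UserName '$userName' -Password '$password'"
    Set-Content -Path $newCredScriptPath -Value $newCredCommand

    ## Create Scheduled task components that will execute once, 10 seconds after you create it
    $action = New-ScheduledTaskAction -Execute "Powershell.exe" -Argument "-NoProfile -WindowStyle Hidden -File `"$newCredScriptPath`""
    $trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).AddSeconds(10)
    $settings = New-ScheduledTaskSettingsSet -MultipleInstances Parallel

    ## Prepare our 'Register-ScheduledTask' args
    $scheduledTaskArgs = @{
        Action      = $action
        Trigger     = $trigger
        Settings    = $settings
        User        = $userName
        Password    = $password
        TaskName    = $taskName
        Description = "TempNewCredential"
    }

    ## Register scheduled task
    Register-ScheduledTask @scheduledTaskArgs -Force -ErrorAction Stop | Out-Null

    ## Wait for the scheduled task to run (you could add your own check to see if cred was actually created. Here I'm just waiting a bit)
    Write-Host "Waiting for task to complete"
    Start-Sleep -Seconds 20

    ## Clean up your temp task and temp PS1
    ## (-Confirm:$false avoids a confirmation prompt in the remote session)
    Write-Host "Removing scheduled task"
    Unregister-ScheduledTask -TaskName $taskName -Confirm:$false

    Write-Host "Deleting temp PS1 scheduled task"
    Remove-Item -Path $newCredScriptPath
}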

Congrats! You will now find your stored credential in the context of the user you supplied in the scheduled task configuration.
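
The workaround above waits a fixed 20 seconds and notes that you could add your own check. As an added example (not part of argRegEater's comment or of the CredentialManager module), the function below polls the task's result instead and always removes the task and the plaintext script, even on failure. The function name, parameters and timeout are assumptions, and it assumes the temporary script exits with a non-zero code when New-StoredCredential fails.

```powershell
# Added example, not code from the original thread. Run it inside the remote
# session in place of the fixed sleep and the manual cleanup steps.
# Wait-TempCredentialTask and its parameter defaults are hypothetical names.
function Wait-TempCredentialTask {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $TaskName,
        [Parameter(Mandatory)] [string] $ScriptPath,
        [int] $TimeoutSeconds = 60
    )

    # Task Scheduler status codes that can appear in LastTaskResult.
    $SCHED_S_TASK_RUNNING     = 0x41301   # task is currently running
    $SCHED_S_TASK_HAS_NOT_RUN = 0x41303   # task has not run yet

    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    try {
        do {
            Start-Sleep -Seconds 2
            $task = Get-ScheduledTask -TaskName $TaskName -ErrorAction Stop
            $info = $task | Get-ScheduledTaskInfo
            $pending = $task.State -eq 'Running' -or
                       $info.LastTaskResult -in $SCHED_S_TASK_RUNNING, $SCHED_S_TASK_HAS_NOT_RUN
        } while ($pending -and (Get-Date) -lt $deadline)

        if ($pending) {
            throw "Task '$TaskName' did not finish within $TimeoutSeconds seconds."
        }
        # Assumption: the temp script exits non-zero if New-StoredCredential fails.
        if ($info.LastTaskResult -ne 0) {
            throw ("Task '{0}' exited with code 0x{1:X}; the credential was not stored." -f
                   $TaskName, $info.LastTaskResult)
        }
    }
    finally {
        # Always remove the task (it holds the account password) and the
        # temporary script (it holds the credential in plain text).
        Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false -ErrorAction SilentlyContinue
        Remove-Item -LiteralPath $ScriptPath -Force -ErrorAction SilentlyContinue
    }
}
```

Called as `Wait-TempCredentialTask -TaskName $taskName -ScriptPath $newCredScriptPath` right after `Register-ScheduledTask`, it surfaces a failed credential write as a terminating error rather than a silent success.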
