Distribution of Autodesk software with ODIS installer and PowerShell avoiding the double-hop problem¶
Since Autodesk switched its deployment system to the ODIS installer, all deployments that are rolled out unattended via the SYSTEM account continue to run endlessly without success code.
The exact error message in the ODIS log is:
2023-06-15T15:17:04.012 [DDA: 2196, single] [Installer INFO] [ Autodesk::DDA::SdkAgent::Listen::<lambda_8f7c2cafda285d6f3324fbe86a24bae4>::operator () ] [IPC] ChannelWin::Listen: WaitForSingleObject timeout. error_code: 997, pipe_name: \\.\pipe\adsk_dda_sdk
After a while, the installer service also appears to be terminated, but no longer sends an exit code.
I have tried many deployment suites, but the result is always the same when the SYSTEM account is used.
To solve the problem temporarily until Autodesk recognizes and fixes the problem, I have now developed solutions that help me here at work.
My planned approach was to implement the distribution via PowerShell, but in doing so I again encountered another hurdle that Kerberos authentication brings with it: the so-called double-hop problem, since my software packages are stored in CIFS shares.
Kerberos does not allow further authentication to be carried out via this endpoint to other remote destinations after authentication on a remote PC. So there is no second hop. To get around the problem, there are few but complicated ways or one that everyone will now say, “Oh my God, don’t do that,” but I’ll just throw it out there.
The solution is to use CredSSP only temporarily as a point-to-point connection and to deactivate it again after deployment. Under no circumstances should it be allowed company-wide.
Important
CredSSP has no single-hop constraint. Authentications can continue to be used in a CredSSP session. If this is allowed company-wide and permanently, it can lead to considerable security problems.
Here is the script for all those who are facing the same problem.
The script described here is deliberately kept flat to make it easy to understand and to make further expansion by you as simple as possible.
Grade
Please note that CredSSP is only used temporarily in this example and is deactivated again after deployment. In addition, only the specified remote computer is delegated and not the entire network.
After thorough validation, this approach has proven to be a safe and simple way to achieve the desired goal.
Important
This script must be run with administrative rights to enable and disable CredSSP authentication.
# Define the parameters with your own values
param (
[string]$Computer = "<remote-computer>",
[string]$Name = "Autodesk Revit 2024",
[string]$Installer = '<share>\Autodesk Revit 2024\image\Installer.exe',
[string]$Argument = '"<share>\Autodesk Revit 2024\image\Installer.exe" -i deploy --offline_mode -q -o "<share>\Autodesk Revit 2024\image\Collection.xml" --installer_version "2.9.0.31"'
)
# Prompt for user credentials
$cred = Get-Credential -Message "Enter your credentials"
try {
# Enable CredSSP on the client
$null = Enable-WSManCredSSP -Role Client -DelegateComputer $Computer -Force
# Enable CredSSP on the server (if not already enabled)
Invoke-Command -ComputerName $Computer -Credential $cred -ScriptBlock {
$null = Enable-WSManCredSSP -Role Server -Force
}
# Create a new PSSession with CredSSP authentication
$session = New-PSSession -ComputerName $Computer -Credential $cred -Authentication Credssp
# Execute the script on the remote computer
Invoke-Command -Session $session -ScriptBlock {
param ($Name, $Installer, $Argument)
# Output a message before starting the installation process
Write-Host "$Name is being installed..."
# Start the installation process
$process = Start-Process -FilePath $Installer -ArgumentList $Argument -PassThru
# Output the process ID
Write-Host "The installation process has started. Process ID: $($process.Id)"
# Wait for the installation process to complete
$process.WaitForExit()
Write-Host "The installation process completed with exit code $($process.ExitCode)."
} -ArgumentList $Name, $Installer, $Argument
}
finally {
# Close the PSSession
if ($session) {
Remove-PSSession -Session $session
}
# Disable CredSSP on the server
Invoke-Command -ComputerName $Computer -Credential $cred -ScriptBlock {
Disable-WSManCredSSP -Role Server
}
# Disable CredSSP on the client
Disable-WSManCredSSP -Role Client
}
Let us now explain the individual steps of the script:
# Define the parameters with your own values
param (
[string]$Computer = "<remote-computer>",
[string]$Name = "Autodesk Revit 2024",
[string]$Installer = '<share>\Autodesk Revit 2024\image\Installer.exe',
[string]$Argument = '"<share>\Autodesk Revit 2024\image\Installer.exe" -i deploy --offline_mode -q -o "<share>\Autodesk Revit 2024\image\Collection.xml" --installer_version "2.9.0.31"'
)
The script can either be called with parameters or you can enter your specific values directly. The necessary information for the installer and the arguments can be found in the corresponding installation script after the image has been built. A typical name for a Revit installation could be ‘Install Autodesk Revit 2024.bat’, for example.
The parameters for silent installation and uninstallation are also stored there. These parameters enable unattended installation and uninstallation of the software, which is particularly advantageous in large IT environments.
For more details and a detailed guide to deploying Autodesk software, please visit the following article:
https://www.autodesk.com/support/download-install/admins/account-deploy/deploy-from-autodesk-account
# Prompt for user credentials
$cred = Get-Credential -Message "Enter your credentials"
To start a PowerShell session using CredSSP, we need the credentials of a user with the necessary rights to perform installations. In most cases, this is the domain admin. A dialog box is displayed in which you can enter the credentials.
try {
# Enable CredSSP on the client
$null = Enable-WSManCredSSP -Role Client -DelegateComputer $Computer -Force
# Enable CredSSP on the server (if not already enabled)
Invoke-Command -ComputerName $Computer -Credential $cred -ScriptBlock {
$null = Enable-WSManCredSSP -Role Server -Force
}
Here CredSSP is activated on both the client and the server. It is helpful to use the terms “distributor” (client) and “recipient” (server) to define the roles more clearly. The try block includes all potentially error-prone actions and can be customized as desired. For starters, this structure is simple and robust.
# Create a new PSSession with CredSSP authentication
$session = New-PSSession -ComputerName $Computer -Credential $cred -Authentication Credssp
A new PowerShell session with CredSSP authentication is built here.
# Execute the script on the remote computer
Invoke-Command -Session $session -ScriptBlock {
param ($Name, $Installer, $Argument)
# Output a message before starting the installation process
Write-Host "$Name is being installed..."
# Start the installation process
$process = Start-Process -FilePath $Installer -ArgumentList $Argument -PassThru
# Output the process ID
Write-Host "The installation process has started. Process ID: $($process.Id)"
# Wait for the installation process to complete
$process.WaitForExit()
Write-Host "The installation process completed with exit code $($process.ExitCode)."
} -ArgumentList $Name, $Installer, $Argument
}
Here the script is run on the remote computer. The name, the installer and the arguments are passed as parameters. The try block ends at this point.
finally {
# Close the PSSession
if ($session) {
Remove-PSSession -Session $session
}
# Disable CredSSP on the server
Invoke-Command -ComputerName $Computer -Credential $cred -ScriptBlock {
Disable-WSManCredSSP -Role Server
}
# Disable CredSSP on the client
Disable-WSManCredSSP -Role Client
}
The Finally block closes the PowerShell session and deactivates CredSSP on the server and client. The Finally block is always run, regardless of whether the Try block was successful or not. Please note that errors can also be intercepted via a possible exception block. I leave this to the resourceful reader.
This script now serves as the basis for my own extensions. I will now work on developing a higher-level script to control and monitor the installations in large quantities.
Source information