Access Denied: Invoke-Command with Alternate Credentials

This topic contains 1 reply, has 2 voices, and was last updated by Don Jones 2 months, 1 week ago.

  • #70681
    Alan Roberson
    Participant

    I am trying to execute a scriptblock from within a parent script using a different set of credentials. Both the
    parent script and the called scriptblock use non-local-admin accounts. Currently I am attempting to use Invoke-Command
    to accomplish this.

    Test Setup:
    I logged on to the local server (Win 2012R2, UAC disabled) as a local admin.
    I then opened a command prompt as the same ID (non-admin) that I will use for the Invoke-Command.

    Test script: I am attempting the same steps inside and outside of the Invoke-Command to
    demonstrate the difference in results. If the RunAs account is added to the local Administrators group this runs
    as desired. I do not want to use an admin account as the RunAs account.

    #
    WhoAmI
    "Check ExecutionPolicy"
    Get-ExecutionPolicy
    "Import Module"
    Import-Module WFTFS
    "Ready to Invoke-Command (RunAs)"
    # $TFSCred is a PSCredential built earlier in the parent script (not shown in the post)
    Invoke-Command -ScriptBlock {
        WhoAmI
        Try {
            "Check ExecutionPolicy"
            Get-ExecutionPolicy -ErrorAction Stop
        }
        Catch { "ERROR : $($Error[0].Exception)." }
        Try {
            "import Module"
            Import-Module WFTFS -Force -ErrorAction Stop
        }
        Catch { "ERROR : $($Error[0].Exception)" }
    } -ComputerName ECS-I-AUTD-01 -Credential $TFSCred
    #

    Test Results:
    I do not understand how/why I am getting the Access Denied CIM Exception. The ecs-auto-tfs-svc account has full control
    granted via Set-PSSessionConfiguration for microsoft.Powershell

    PS > .\RunAs-Demo.ps1
        ad-ent\ecs-auto-tfs-svc
    Check ExecutionPolicy
        Unrestricted
    Import Module
    Ready to Invoke-Command (RunAs)
        ad-ent\ecs-auto-tfs-svc
    Check ExecutionPolicy
        ERROR : Microsoft.Management.Infrastructure.CimException: Access denied
           at Microsoft.Management.Infrastructure.Internal.Operations.CimSyncEnumeratorBase`1.MoveNext()
    import Module
        ERROR : System.Management.Automation.PSSecurityException: AuthorizationManager check failed. --->
        Microsoft.Management.Infrastructure.CimException: Access denied
        at Microsoft.Management.Infrastructure.Internal.Operations.CimSyncEnumeratorBase`1.MoveNext()

    Thoughts, suggestions, solutions all greatly appreciated. Or alternative methods of executing a scriptblock
    within a script, under a different set of non-admin credentials than the parent script.

    Thanks

  • #70747
    Don Jones
    Keymaster

    The default configuration on the WMI repository (which is what CIM uses) is to only allow remote queries by members of the Administrators group. Similarly, the default configuration on the default Remoting endpoint only allows connections by members of the local Administrators or Remote Administrators groups.

    Additionally, you're mixing some metaphors. While CIM uses WS-MAN, it does not use Remoting. Setting permissions on session configurations doesn't impact CIM in any way.

    I don't see your code using CIM at all – is it being used by that WFTFS module? Without knowing exactly what that is trying to do, I'd guess that the WMI repository isn't liking its permissions. You could also be running into a double-hop issue. You've "used up" your first hop with Invoke-Command, and your delegated credential can't, by default, be passed along any other remote connections – which would include a query via CIM, even if to the local box.
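The reply above separates three layers that can each return "Access denied": the Remoting endpoint ACL, the WMI/CIM repository security, and the second hop. The following diagnostic is an added example (not code from either poster) that tells them apart for a non-admin account; it assumes the names from the post (ECS-I-AUTD-01, ad-ent\ecs-auto-tfs-svc) and uses Win32_OperatingSystem as a harmless read-only CIM query.

```powershell
# Added example: isolate which layer denies a non-admin account used with
# Invoke-Command. Computer and account names are taken from the post.
param(
    [string]$ComputerName = 'ECS-I-AUTD-01',
    [pscredential]$Credential = (Get-Credential 'ad-ent\ecs-auto-tfs-svc')
)

# Layer 1: the default endpoint's ACL. If New-PSSession itself is refused,
# the fix is the session-configuration permission (Set-PSSessionConfiguration),
# and nothing inside the scriptblock matters yet.
try {
    $session = New-PSSession -ComputerName $ComputerName -Credential $Credential -ErrorAction Stop
    "Endpoint microsoft.powershell: connection OK as $($Credential.UserName)"
} catch {
    "Endpoint microsoft.powershell: DENIED - $($_.Exception.Message)"
    return
}

Invoke-Command -Session $session -ScriptBlock {
    # Layer 2: is the account a local Administrator on the target? The WMI
    # repository's default security only answers remote callers in that group.
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$id
    [pscustomobject]@{
        RunningAs    = $id.Name
        IsLocalAdmin = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    }

    # Layer 3: the double hop. A local (in-process) CIM call works with the
    # network-logon token; the same query sent back over WS-MAN (-ComputerName)
    # needs a credential the session cannot delegate, so it is refused.
    foreach ($target in @('', 'localhost')) {
        $params = @{ ClassName = 'Win32_OperatingSystem'; ErrorAction = 'Stop' }
        if ($target) { $params.ComputerName = $target }
        try {
            $null = Get-CimInstance @params
            "CIM query (target='$target'): OK"
        } catch {
            "CIM query (target='$target'): DENIED - $($_.Exception.GetType().Name)"
        }
    }
}

Remove-PSSession $session
```

If the local CIM call succeeds but the 'localhost' call fails, the account is hitting the second hop rather than a missing WMI permission; if both fail, compare the account against the WMI namespace security on the target before touching endpoint ACLs.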
