Constrained endpoints with proxy functions

This topic contains 9 replies, has 2 voices, and was last updated by Don Jones 9 months ago.

  • #36038 Chris Liquori (Participant)

    I have created a constrained endpoint on an admin tools server that can only run certain modules, scripts, and proxy functions. One script in particular installs a shared network printer on the print server and adds a CNAME record in DNS using Add-Printer and Add-DnsServerResourceRecordCName pointing to the and . If I run the script on localhost with an elevated PowerShell, the script runs correctly. However, if I attempt to run the script in the constrained endpoint using Enter-PSSession with the configuration file, the script fails to connect to the DNS server or print server.

    Can this be done using Enter-PSSession? Or is there an alternative method to connect to a DNS and print server?

    Thank you in advance for your help.

  • #36057 Don Jones (Keymaster)

    You're very likely hitting the double-hop authentication problem, because you're having the endpoint reach out to another machine. See https://powershell.org/kb/the-double-hop-authentication-problem/.

  • #36077 Chris Liquori (Participant)

    Don,

    If I understand correctly, after enabling CredSSP on the client and server machines, we should be able to use the delegated computer to extend those credentials? Or would we need to explicitly enter credentials to use CredSSP correctly?

  • #36078 Don Jones (Keymaster)

    Once CredSSP is set up you ought to be fine.
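    The CredSSP setup Don refers to in the two replies above, written out as an added example (this is not code from the thread or from powershell.org). Host names, the endpoint name and the account are placeholders: admintools is the server hosting the constrained endpoint, printsrv is the second hop, PrinterTools is the registered session configuration.

```powershell
# Added example, not from the thread. Hypothetical names:
#   admintools.corp.example - server hosting the constrained endpoint (first hop)
#   printsrv.corp.example   - print server the script must reach (second hop)
#   PrinterTools            - name the endpoint was registered under
#   CORP\printadmin         - account allowed to use the endpoint

# --- On the calling client ---
# Allow delegation of fresh credentials to this ONE endpoint host. Name the exact
# FQDN rather than a wildcard: CredSSP hands the user's clear-text credentials to
# whatever host matches, so the delegate list is the security boundary.
Enable-WSManCredSSP -Role Client -DelegateComputer 'admintools.corp.example' -Force

# --- On admintools (the endpoint host) ---
# Accept delegated credentials so code running in the endpoint can authenticate
# onward to printsrv with the caller's identity instead of a non-delegable token.
Enable-WSManCredSSP -Role Server -Force

# --- Back on the client: verify and connect ---
# Shows the client/server CredSSP state and the delegate list actually in effect.
Get-WSManCredSSP

$connect = @{
    ComputerName      = 'admintools.corp.example'
    ConfigurationName = 'PrinterTools'
    Authentication    = 'CredSSP'      # without this the session gets a Network logon
    Credential        = Get-Credential 'CORP\printadmin'
}

# First confirm the endpoint exposes the commands the script needs at all;
# a constrained configuration hides everything not listed as visible.
Invoke-Command @connect -ScriptBlock {
    Get-Command -Name Add-Printer, Add-DnsServerResourceRecordCName -ErrorAction SilentlyContinue |
        Select-Object Name, Source
}

# Then exercise the second hop itself with a read-only call.
Invoke-Command @connect -ScriptBlock {
    Get-Printer -ComputerName 'printsrv.corp.example' -ErrorAction Stop |
        Select-Object -First 3 Name, ShareName
}

# Interactive use is the same parameters on Enter-PSSession.
# Enter-PSSession @connect
```

    Running the endpoint under a RunAs or virtual account (New-PSSessionConfigurationFile supports -RunAsVirtualAccount on PowerShell 5 and later) is the usual way to avoid delegating the caller's credentials at all, but it changes which identity touches the print and DNS servers, so the script above keeps to the CredSSP route the thread is following.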

  • #36084 Chris Liquori (Participant)

    I now have adding the DNS record working properly with CredSSP. When I attempt to create the printer on the print server, I get the following error.

    add-Printer : The specified server does not exist, or the server or printer name is invalid. Names may not contain
    ',' or '\' characters.
    + CategoryInfo : NotSpecified: (MSFT_Printer:ROOT/StandardCimv2/MSFT_Printer) [Add-Printer], CimException
    + FullyQualifiedErrorId : HRESULT 0x80070709,Add-Printer

    If I log in to the admin tools server using RDP, I can run that command just fine. The syntax I'm using is:

    Add-Printer -ComputerName printserver -Name name -ShareName name -Shared -PortName name -DriverName name

    There are no "," or "\" characters in the printer name.

  • #36085 Don Jones (Keymaster)

    So, the difficulty with printers and Remoting is that printers always live within a user profile. When you RDP in, you're adding the printer to your user profile. But Remoting doesn't load a full user profile. So that's one possibility.

    But from the error message, I'm guessing that's not it. And I'm guessing that's not the actual syntax you're using, either 😉 because it would definitely not work with the extra dashes you've put in. I'm assuming you're just giving me an idea of what you're running, which is fine.

    On the whole, it would definitely appear as if the machine hosting the endpoint is having trouble resolving the server name. From within that endpoint, can you ping by name? Have you done some basic troubleshooting at that level?

    Troubleshooting from within an RDP session is interesting, but it isn't solid troubleshooting technique, because you're comparing apples and Volkswagens. The Remoting endpoint can be significantly more constrained, lacks a full user profile, etc. So you'll need to go down to basics within the endpoint, and troubleshoot there.

  • #36086 Chris Liquori (Participant)

    Ok. Makes sense. So I narrowed it down to the -ComputerName parameter. If I remove the parameter, the command will run. But, if I try to specify the print server I want to add the printer to, it throws that error. Is it possible that the OS version is causing the issue? The print server is 2008 R2.

  • #36087 Don Jones (Keymaster)

    No, it should just be using normal name resolution. As I said, I'd probably make sure I could ping the server, using the same server name, from within the endpoint. Or at least use Nslookup from within the endpoint to make sure the server can resolve the name correctly. Basic TCP/IP.
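    The "go down to basics within the endpoint" troubleshooting Don describes in his last two replies, as an added example (not code from the thread). It runs the checks inside the constrained session rather than from an RDP logon, so the result reflects the endpoint's own identity, name resolution and command visibility. Names are placeholders as before; the checks assume the endpoint exposes these cmdlets, otherwise run the same script block in an unconstrained session on the endpoint host to separate network problems from endpoint restrictions.

```powershell
# Added diagnostic, not from the thread. Hypothetical names:
#   admintools.corp.example / PrinterTools / printsrv.corp.example / CORP\printadmin
$session = New-PSSession -ComputerName 'admintools.corp.example' `
                         -ConfigurationName 'PrinterTools' `
                         -Authentication CredSSP `
                         -Credential (Get-Credential 'CORP\printadmin')

Invoke-Command -Session $session -ArgumentList 'printsrv.corp.example' -ScriptBlock {
    param([string]$Target)

    # 1. Identity inside the endpoint. AuthenticationType 'CredSSP' means the
    #    caller's credentials arrived and can be reused for the next hop; a plain
    #    Network logon is exactly the double-hop dead end.
    [System.Security.Principal.WindowsIdentity]::GetCurrent() |
        Select-Object Name, AuthenticationType, ImpersonationLevel

    # 2. Name resolution from THIS host (the cmdlet equivalent of nslookup).
    Resolve-DnsName -Name $Target -ErrorAction Stop |
        Select-Object Name, Type, IPAddress

    # 3. Reachability of the spooler's RPC endpoint mapper and SMB, which a
    #    firewall between the admin tools box and the print server may block
    #    even when ping works.
    foreach ($port in 135, 445) {
        Test-NetConnection -ComputerName $Target -Port $port -WarningAction SilentlyContinue |
            Select-Object ComputerName, RemotePort, TcpTestSucceeded
    }

    # 4. Is the print cmdlet visible in this constrained configuration at all?
    Get-Command -Name Get-Printer, Add-Printer -ErrorAction SilentlyContinue |
        Select-Object Name, Source

    # 5. Only now the remote spooler call that failed in the thread, read-only
    #    first; if this works, the Add-Printer syntax is the remaining suspect.
    Get-Printer -ComputerName $Target -ErrorAction Stop |
        Select-Object -First 3 Name, ShareName
}

Remove-PSSession $session
```

    Step 1 failing the CredSSP check while steps 2 and 3 succeed points at delegation; steps 2 or 3 failing points at the endpoint host's network path, which no amount of CredSSP configuration fixes.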

  • #36146 Chris Liquori (Participant)

    Yes, I have done all the basic troubleshooting. I cannot use the Get-Printer -ComputerName command on any server or client. I have made sure I've enabled CredSSP on both servers and clients. Maybe this cannot be done in a remote session.

    Thanks for your help.

  • #36158 Don Jones (Keymaster)

    It's possible. As I noted earlier, printers tend to get tied to a user profile, and a Remote endpoint doesn't technically have a full user profile.
