Creating JEA endpoint for Remote Desktop Services

This topic contains 7 replies, has 2 voices, and was last updated by Robert 5 months ago.

  • #45819
    Robert
    Participant

    Hi,

    I've been asked to create a tool so that "regular" users can see and logoff an RDS user session. I'm trying to create an endpoint for which a group of users can connect to and then run a specific set of commands under the credentials of another account.

    This is my lab:
    DC01
    BG01 (broker/gateway)
    SH01 (session host)
    all of them running Windows Server 2012 R2.

    I begin by creating the session configuration file with the following command:
    New-PSSessionConfigurationFile -Path C:\admin.pssc -SessionType RestrictedRemoteServer -VisibleFunctions 'Get-NetIPAddress' -ModulesToImport 'NetTCPIP'

    Then I register it:
    Register-PSSessionConfiguration -Path .\admin.pssc -Name admin -RunAsCredential $cred -Force -Confirm:$false -SecurityDescriptorSddl "O:NSG:BAD:P(A;;GA;;;BA)(A;;GXGWGR;;;S-1-5-21-3029544977-3128121203-2081689124-1107)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)"

    And finally I connect to that endpoint with a user that is part of the group specified in the SDDL. Up until this point I don't experience any problems at all. I cannot import any other modules, and apart from a few basic cmdlets I can only run "Get-NetIPAddress".

    But when I try to change the ModulesToImport parameter to 'RemoteDesktop' and the VisibleFunctions to 'Get-RDUserSession', 'Invoke-RDUserLogOff' it stops working.

    Then, when I try to connect to the endpoint, which worked perfectly before I get the following error:

    Enter-PSSession : Processing data from remote server robama-bg01 failed with the following error message: The request for the Windows Remote Shell with ShellId 55B8749F-561E-4D4A-9BE1-1F615F01281F failed because the shell was not found on the server. Possible causes are: the specified ShellId is incorrect or the shell no longer exists on the server. Provide the correct ShellId or create a new shell and retry the operation. For more information, see the about_Remote_Troubleshooting Help topic.
    At line:1 char:1
    + Enter-PSSession -ComputerName BG01 -ConfigurationName admin
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidArgument: (BG01:String) [Enter-PSSession], PSRemotingTransportException
    + FullyQualifiedErrorId : CreateRemoteRunspaceFailed

    I removed the PSSessionConfiguration and then tried again, but the problem persists. I even repeated the process with the NetTCPIP module and a couple of other modules and everything worked fine. I tried the same thing in a colleague's lab and it was the same thing.

    Any ideas? Thanks..
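
An added example of how this kind of endpoint is usually put together (my code, not Robert's or Don's, and not a fix for the RemoteDesktop load failure in this thread): the two RDS commands are wrapped in functions defined inside the endpoint, so group members get a fixed broker and a minimal parameter surface rather than the raw cmdlets, and the result is checked from a client. The broker FQDN, endpoint name and group SID placeholder are assumptions; $cred holds the RunAs account as in the post.

```powershell
# Added example, not code from the thread. Assumed: broker FQDN, endpoint
# name, and a placeholder group SID to be replaced with the real one.

$groupSid = 'S-1-5-21-REPLACE-WITH-HELPDESK-GROUP-SID'   # placeholder, not real

$functions = @(
    @{  Name        = 'Get-RdsSession'
        ScriptBlock = {
            # Read-only view of sessions; broker is hard-coded (assumed FQDN)
            Get-RDUserSession -ConnectionBroker 'bg01.lab.local'
        } },
    @{  Name        = 'Disconnect-RdsSession'
        ScriptBlock = {
            # Only the two values needed to identify a session are accepted
            param([Parameter(Mandatory)][string]$HostServer,
                  [Parameter(Mandatory)][int]$UnifiedSessionId)
            Invoke-RDUserLogoff -HostServer $HostServer `
                -UnifiedSessionID $UnifiedSessionId -Force
        } }
)

$pssc = 'C:\RdsHelpdesk.pssc'
# RestrictedRemoteServer implies NoLanguage: only the listed functions and the
# handful of proxy cmdlets (Get-Command, Select-Object, ...) are callable.
New-PSSessionConfigurationFile -Path $pssc -SessionType RestrictedRemoteServer `
    -ModulesToImport 'RemoteDesktop' -FunctionDefinitions $functions `
    -VisibleFunctions 'Get-RdsSession', 'Disconnect-RdsSession'
Test-PSSessionConfigurationFile -Path $pssc   # $true if the file is well-formed

# Same SDDL shape as the thread: Administrators full control, the group
# execute/write/read, nobody else; audit failed access and successful use.
$sddl = "O:NSG:BAD:P(A;;GA;;;BA)(A;;GXGWGR;;;$groupSid)" +
        "S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)"
Register-PSSessionConfiguration -Path $pssc -Name RdsHelpdesk `
    -RunAsCredential $cred -SecurityDescriptorSddl $sddl -Force -Confirm:$false

# Verify from a client as a group member: the command surface should be tiny,
# and anything outside it (Import-Module, Get-RDUserSession itself) should fail.
$s = New-PSSession -ComputerName BG01 -ConfigurationName RdsHelpdesk
Invoke-Command -Session $s -ScriptBlock { Get-Command } |
    Select-Object Name, CommandType
Remove-PSSession $s
```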

  • #45825
    Don Jones
    Keymaster

    As a troubleshooting step, try changing SessionType RestrictedRemoteServer to something less restrictive. It's possible that the module you're trying to load won't operate under that restriction, meaning it's exploding when PowerShell tries to spin up the instance, and so the endpoint winds up "not existing."

    Because RestrictedRemoteServer is _so_ restrictive, if the RemoteDesktop module is trying to do anything unusual, the runspace won't allow it.

  • #45829
    Robert
    Participant

    OK, so when I changed the SessionType to 'Default' it was the same thing, but when I set it to 'Empty' I got this:

    Enter-PSSession : One or more errors occurred processing the module 'RemoteDesktop' specified in the InitialSessionState object used to create this runspace. See the ErrorRecords property for a complete list of errors. The first error was: The term 'Add-Type' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

    However, if I set the SessionType to Default and comment out "VisibleFunctions" and "ModulesToImport", I can connect to that endpoint, manually import the module and then run the cmd (functions). Is it possible that the module "RemoteDesktop" has dependencies in the form of other modules?

  • #45831
    Don Jones
    Keymaster

    It's entirely possible, and difficult to tell. But the fact that it's erroring on Add-Type is weird, because that's core. You might try explicitly including the core modules in the endpoint to see if that helps.

  • #45856
    Robert
    Participant

    Here's what I've tried so far (with errors):

    SessionType = Empty
    ModulesToImport = 'RemoteDesktop'
    Everything else = Commented out

    Enter-PSSession : One or more errors occurred processing the module 'RemoteDesktop' specified in the InitialSessionState object used to create this runspace. See the ErrorRecords property for a complete list of errors. The first error was: The term 'Import-Module' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
    At line:1 char:1
    ———————————————————————-

    SessionType = Empty
    ModulesToImport = 'RemoteDesktop', 'Microsoft.PowerShell.Core'
    Everything else = Commented out

    ? : The term '?' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
    At C:\Windows\system32\WindowsPowerShell\v1.0\Modules\RemoteDesktop\Utility.psm1:27 char:42
    + $ParameterName | ?{$BoundParameters.ContainsKey($_)} | % ...
    + ~
    + CategoryInfo : ObjectNotFound: (?:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

    ? : The term '?' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
    At C:\Windows\system32\WindowsPowerShell\v1.0\Modules\RemoteDesktop\Utility.psm1:27 char:42
    + $ParameterName | ?{$BoundParameters.ContainsKey($_)} | % ...
    + ~
    + CategoryInfo : ObjectNotFound: (?:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

    This actually gives me the output I'm looking for but first it prints these errors.
    The problem is that although I only specified the Core module, it loads every module available (I think; there's a lot of them anyway).

    So obviously, running the module in an endpoint isn't the problem, but running it without importing and showing everything else is.

    ————————–

    SessionType = Empty
    ModulesToImport = 'RemoteDesktop', 'Microsoft.PowerShell.Core'
    VisibleFunctions = 'Get-RDUserSession'
    Everything else = Commented out

    Now I'm back on the first error message again, but instead of "Import-Module" it's back to "Add-Type".

    I'm running out of ideas.
    And I'm not sure that I understand the "Empty" session type anymore. It doesn't appear to do what the help says it should.

  • #45858
    Robert
    Participant

    This really threw me off:

    ? : The term '?' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
    At C:\Windows\system32\WindowsPowerShell\v1.0\Modules\RemoteDesktop\Utility.psm1:27

    Added the full path (C:\Windows\system32\WindowsPowerShell\v1.0\Modules\RemoteDesktop\Utility.psm1) to ModulesToImport without any luck. That file really exists there.

  • #45860
    Don Jones
    Keymaster

    Yeah, oy. It looks like they're using aliases like ? in the module, instead of cmdlet names (Where-Object), and with a stripped-down runspace, you might not have the alias. You may simply have run across a badly-made module that isn't going to run in anything less than a full runspace. If that's the case, all you can do is file it as a bug with the product team that made it. If it's a script module, you could in theory open it up and fix it – but that could be a long slog.

  • #45865
    Robert
    Participant

    Hmm... here are lines 27-28 in that script module.

    $ParameterName | ?{$BoundParameters.ContainsKey($_)} | %{$params[$_] = $BoundParameters[$_]}
    break

    They're using aliases for both Where-Object and ForEach-Object.

    Even if this isn't the only thing that makes this so difficult it sure seems like it's a part of the problem and they should have a look at it anyway. I'll report this as a bug!

    It didn't help to put ? and % into VisibleAliases either!

    Thank you Don!
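
An added example (mine, not from the thread) of the check a practitioner would want before publishing a module through a restricted endpoint: walk the module's syntax tree and report every command that is invoked through an alias, which is the pattern Don and Robert found in Utility.psm1. The path at the bottom is the one quoted in the thread; the function name is my own.

```powershell
# Added example, not code from the thread: flag alias-based command calls
# (? for Where-Object, % for ForEach-Object, ...) in a script module.

function Find-AliasUsage {
    param([Parameter(Mandatory)][string]$Path)

    # Resolve alias names once; '?' would be a wildcard to Get-Alias -Name,
    # so a hashtable lookup is used instead (PowerShell hashtables ignore case).
    $aliasMap = @{}
    foreach ($a in Get-Alias) { $aliasMap[$a.Name] = $a.Definition }

    $tokens = $null; $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseFile(
        $Path, [ref]$tokens, [ref]$errors)
    if ($errors) { throw "Parse error in ${Path}: $($errors[0].Message)" }

    # Every command invocation, including those nested inside script blocks
    $commands = $ast.FindAll({ param($node)
        $node -is [System.Management.Automation.Language.CommandAst] }, $true)

    foreach ($cmd in $commands) {
        $name = $cmd.GetCommandName()        # $null for '& $someVariable'
        if ($name -and $aliasMap.ContainsKey($name)) {
            [pscustomobject]@{
                Line       = $cmd.Extent.StartLineNumber
                Alias      = $name
                ResolvesTo = $aliasMap[$name]
                Text       = $cmd.Extent.Text
            }
        }
    }
}

# The module file quoted in the thread; line 27 should be among the hits.
Find-AliasUsage -Path 'C:\Windows\system32\WindowsPowerShell\v1.0\Modules\RemoteDesktop\Utility.psm1' |
    Format-Table -AutoSize
```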
