Welcome Forums General PowerShell Q&A Endpoint Access Denied when using RunAsCredential

Viewing 2 reply threads
  • Author
    Posts
    • #55468
      Participant
      Topics: 1
      Replies: 1
      Points: 1
      Rank: Member

      Using the step-by-step instructions in Don Jones’ Secrets of Powershell Remoting ebook, I create a new Endpoint, named TestEndPoint. Connecting to the new TestEndPoint as a domain admin works.

      However, when I set the endpoint to run as a different user (using the RunAsCredential), Enter-PSSession returns an error “Access is denied.” The RunAsCredential user is a domain admin account.

      The PowerShell Operational Log reports, “WSMan reported an error with error code: 5” and “Error message: Connecting to remote server localhost failed with the following error message : Access is denied” with an EventID of 32784.

      Any ideas on what to try to troubleshoot the issue? I’m sure is a security lockdown in our environment, because it works in vanilla test systems.

    • #55469
      Keymaster
      Topics: 13
      Replies: 4872
      Points: 1,896
      Helping HandTeam Member
      Rank: Community Hero

      It’s possible that the RunAs account doesn’t have the needed privileges (not the same as permissions) to log on as a background process, which is what Wsmprovhost.exe needs for it. It’s also possible that the ACL on the endpoint, which determines who can connect, wasn’t set correctly.

    • #55490
      Participant
      Topics: 1
      Replies: 1
      Points: 1
      Rank: Member

      It is now working! Thanks Don for the point in the right direction. I knew it was a lockdown somewhere but couldn’t find it, going all through the Local Security Policy as well as group policy related settings and analyzing all the privileges.

      I thought it had the correct privileges, but could not find a definitive list anywhere to verify. None of the logs (e.g., PowerShell, System, Security, etc.) had any errors.

      For the record (and hopefully to help the next guy out):

      * The ACL on the endpoint was correctly set.
      * The WSMProvHost.exe process was starting and not generating any error or warning entries in any log.

      But Don’s post got the thinking and I used SysInternals ProcMon to check up on WSMProvHost.exe. It turns out it was a registry permission issue. Specifically, Network Service needed Write (I gave it Full Control) to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\AutoRestartList. It created an entry called TestEndpoint (the name of my new PowerShell endpoint) of type REG_DWORD with a value of 0. As soon as that permission change was made, it started working.

Viewing 2 reply threads
  • The topic ‘Endpoint Access Denied when using RunAsCredential’ is closed to new replies.