Endpoint Access Denied when using RunAsCredential

This topic contains 2 replies, has 2 voices, and was last updated by Dallas 1 month, 2 weeks ago.

  • #55468
    Dallas
    Participant

    Using the step-by-step instructions in Don Jones' Secrets of PowerShell Remoting ebook, I created a new endpoint, named TestEndPoint. Connecting to the new TestEndPoint as a domain admin works.

    However, when I set the endpoint to run as a different user (using the RunAsCredential), Enter-PSSession returns an error "Access is denied." The RunAsCredential user is a domain admin account.

    The PowerShell Operational Log reports, "WSMan reported an error with error code: 5" and "Error message: Connecting to remote server localhost failed with the following error message : Access is denied" with an EventID of 32784.

    Any ideas on what to try to troubleshoot the issue? I'm sure it is a security lockdown in our environment, because it works in vanilla test systems.

  • #55469
    Don Jones
    Keymaster

    It's possible that the RunAs account doesn't have the needed privileges (not the same as permissions) to log on as a background process, which is what Wsmprovhost.exe needs for it. It's also possible that the ACL on the endpoint, which determines who can connect, wasn't set correctly.

  • #55490
    Dallas
    Participant

    It is now working! Thanks Don for the point in the right direction. I knew it was a lockdown somewhere but couldn't find it, going all through the Local Security Policy as well as group policy related settings and analyzing all the privileges.

    I thought it had the correct privileges, but could not find a definitive list anywhere to verify. None of the logs (e.g., PowerShell, System, Security, etc.) had any errors.

    For the record (and hopefully to help the next guy out):

    * The ACL on the endpoint was correctly set.
    * The WSMProvHost.exe process was starting and not generating any error or warning entries in any log.

    But Don's post got me thinking and I used SysInternals ProcMon to check up on WSMProvHost.exe. It turns out it was a registry permission issue. Specifically, Network Service needed Write (I gave it Full Control) to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\AutoRestartList. It created an entry called TestEndpoint (the name of my new PowerShell endpoint) of type REG_DWORD with a value of 0. As soon as that permission change was made, it started working.
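
The checks discussed in this thread, gathered into one read-only PowerShell diagnostic. This is an added example, not code from either poster: the endpoint name, event ID and registry path are the ones reported above, and the function name is hypothetical. It only inspects Allow rules that name NETWORK SERVICE directly, so access granted through a group, or blocked by a Deny rule, is not evaluated.

```powershell
# Added example (not from the thread). Read-only; run from an elevated session.
function Test-RunAsEndpointPrereq {   # hypothetical helper name
    param(
        [string]$EndpointName = 'TestEndPoint',   # endpoint name from the thread
        [string]$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\AutoRestartList'
    )

    # Endpoint registration: which account it runs as and who may connect.
    $cfg = Get-PSSessionConfiguration -Name $EndpointName -ErrorAction Stop

    # Recent connection failures logged under the event ID quoted in the thread.
    $events = @(Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 32784
    } -MaxEvents 5 -ErrorAction SilentlyContinue)

    # NETWORK SERVICE has the well-known SID S-1-5-20 on every Windows install,
    # so matching on the SID avoids localized account names.
    $networkServiceSid = 'S-1-5-20'

    # OR together the rights of every Allow rule that names that SID directly,
    # including rules inherited from parent keys.
    $granted = 0
    $keyExists = Test-Path -Path $KeyPath
    if ($keyExists) {
        $rules = (Get-Acl -Path $KeyPath).GetAccessRules(
            $true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($r in $rules) {
            if ($r.IdentityReference.Value -eq $networkServiceSid -and
                $r.AccessControlType -eq 'Allow') {
                $granted = $granted -bor [int]$r.RegistryRights
            }
        }
    }

    # Creating the per-endpoint REG_DWORD needs at least SetValue on the key.
    $setValue = [int][System.Security.AccessControl.RegistryRights]::SetValue
    [pscustomobject]@{
        Endpoint            = $cfg.Name
        RunAsUser           = $cfg.RunAsUser
        ConnectPermission   = $cfg.Permission
        RecentError32784    = $events.Count
        KeyExists           = $keyExists
        NetworkServiceWrite = (($granted -band $setValue) -eq $setValue)
    }
}

Test-RunAsEndpointPrereq | Format-List
```

A result of `NetworkServiceWrite : False` alongside a correct `ConnectPermission` matches the situation described in the last post.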
