Endpoint Access Denied when using RunAsCredential


This topic contains 2 replies, has 2 voices, and was last updated by

2 years, 11 months ago.

  • Author
  • #55468


    Using the step-by-step instructions in Don Jones' Secrets of PowerShell Remoting ebook, I created a new endpoint named TestEndPoint. Connecting to the new TestEndPoint as a domain admin works.

    However, when I set the endpoint to run as a different user (using the RunAsCredential), Enter-PSSession returns an error "Access is denied." The RunAsCredential user is a domain admin account.

    The PowerShell Operational Log reports, "WSMan reported an error with error code: 5" and "Error message: Connecting to remote server localhost failed with the following error message : Access is denied" with an EventID of 32784.

    Any ideas on what to try to troubleshoot the issue? I'm sure it is a security lockdown in our environment, because it works in vanilla test systems.

  • #55469


    It's possible that the RunAs account doesn't have the needed privileges (not the same as permissions) to log on as a background process, which is what Wsmprovhost.exe needs for it. It's also possible that the ACL on the endpoint, which determines who can connect, wasn't set correctly.

  • #55490


    It is now working! Thanks Don for the point in the right direction. I knew it was a lockdown somewhere but couldn't find it, going all through the Local Security Policy as well as group policy related settings and analyzing all the privileges.

    I thought it had the correct privileges, but could not find a definitive list anywhere to verify. None of the logs (e.g., PowerShell, System, Security, etc.) had any errors.

    For the record (and hopefully to help the next guy out):

    * The ACL on the endpoint was correctly set.
    * The WSMProvHost.exe process was starting and not generating any error or warning entries in any log.

    But Don's post got me thinking and I used SysInternals ProcMon to check up on WSMProvHost.exe. It turns out it was a registry permission issue. Specifically, Network Service needed Write (I gave it Full Control) to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\AutoRestartList. It created an entry called TestEndpoint (the name of my new PowerShell endpoint) of type REG_DWORD with a value of 0. As soon as that permission change was made, it started working.
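A read-only check for the condition found in the last post, added here as an example and not code from the thread: it reports whether Network Service holds an effective Allow ACE with SetValue on the AutoRestartList key, and shows the endpoint's RunAs account and connect ACL. The function name is hypothetical, and the check only looks at ACEs that name Network Service (S-1-5-20) directly, not rights it may receive through group SIDs.

```powershell
# Added example (audit only, changes nothing). Run from an elevated session.
# Key path and endpoint name are the ones given in the thread.
$KeyPath  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\AutoRestartList'
$Endpoint = 'TestEndPoint'

function Get-NetworkServiceKeyAccess {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Path)

    $setValue    = [System.Security.AccessControl.RegistryRights]::SetValue
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

    # Explicit and inherited ACEs, identities returned as SIDs so the
    # comparison does not depend on the localized account name.
    $rules = (Get-Acl -Path $Path).GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.IdentityReference.Value -eq 'S-1-5-20' -and
            # Inherit-only ACEs apply to child keys, not to this key.
            -not $_.PropagationFlags.HasFlag($inheritOnly)
        }

    $allow = @($rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.RegistryRights.HasFlag($setValue) })
    $deny  = @($rules | Where-Object {
        $_.AccessControlType -eq 'Deny' -and $_.RegistryRights.HasFlag($setValue) })

    [pscustomobject]@{
        Key           = $Path
        AllowSetValue = $allow.Count -gt 0
        DenySetValue  = $deny.Count -gt 0
        # A Deny ACE wins over an Allow ACE for the same right.
        CanWriteValue = ($allow.Count -gt 0) -and ($deny.Count -eq 0)
        MatchingAces  = @($rules | ForEach-Object {
            '{0}: {1} (inherited={2})' -f $_.AccessControlType, $_.RegistryRights, $_.IsInherited })
    }
}

if (Test-Path -Path $KeyPath) {
    Get-NetworkServiceKeyAccess -Path $KeyPath | Format-List
    # The per-endpoint REG_DWORD value the last post saw being created.
    Get-ItemProperty -Path $KeyPath -Name $Endpoint -ErrorAction SilentlyContinue |
        Select-Object -Property $Endpoint
} else {
    Write-Warning "Key not found: $KeyPath"
}

# Who the endpoint runs as, and who is allowed to connect to it.
Get-PSSessionConfiguration -Name $Endpoint | Format-List Name, RunAsUser, Permission
```

Creating a registry value requires only the SetValue right on the key, which is why the check tests for that right and not for Full Control.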
