Exchange remote PS logon

This topic contains 2 replies, has 2 voices, and was last updated by  Mark Prior 2 weeks, 6 days ago.

  • #84628

    Mark Prior
    Participant

    Hi All

    This has bothered me for some time, but now I have some free time to investigate. Below is how I would import a ps-session for any GUI I develop with Sapien that needs to connect to Exchange (minus the remove session straight after; this is performed on close). These apps are pushed to a servicedesk that has no Exchange access, hence the need for static creds.

    $Username = "global\User.Name"
    $Password = ConvertTo-SecureString "Password" -AsPlainText -Force
    $cred = new-object -typename System.Management.Automation.PSCredential -argumentlist $username, $password

    $SESJA_EX = New-PSSession -Credential $cred -ConnectionUri http://eurxhub02/powershell -ConfigurationName microsoft.exchange

    Remove-PSSession $SESJA_EX

    Now this works fine for my credentials; I can open and close multiple times and never get an issue. However, if I use a service account it works for a while and then connections are refused with the below:

    New-PSSession : [eurxhub02] Connecting to remote server eurxhub02 failed with the following error message : Access is denied. For more information, see the 
    about_Remote_Troubleshooting Help topic.
    At line:5 char:16
    + ... $SESJA_EX = New-PSSession -Credential $cred -ConnectionUri http://eur ...
    +                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotingTransportException
        + FullyQualifiedErrorId : AccessDenied,PSSessionOpenFailed
    

    Group memberships are the same, no difference in the accounts that I can see, but I get the difference in behaviour. It's not just on one server either; I have 3x hub servers and all the same. The account will not connect when it gets this error for a good 30-40 minutes.

    It looks to be an account issue but I am lost as to what the issue is. The service account & my account are both in the Administrators group of the server (EURXHUB01,2,3) also.

    Any help appreciated.

  • #84649

    postanote
    Participant

    Your DUA is a static long-term credential AD object, so, yep, this should always work. However, depending on how your DSA is set, you could have a catch-22.

    Are you saying the SA is a normal domain user account functioning as the service account, or is it an MSA / gMSA that of course has auto password changes, for which of course you would never know what the password is / was?

    'technet.microsoft.com/en-us/library/ff641729%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396'
    'blog.stangroome.com/2013/07/28/avoid-password-management-with-group-managed-service-accounts'

    Hence no static creds in MSA / gMSA, unlike DUAs.

    Hence I'd suggest not using MSA / gMSA for what you are doing, but use a static DUA as the SA. However, based on your corporate risk posture, this may be out of your control.

  • #84677

    Mark Prior
    Participant

    Hi, yes, static / standard service account with PW never expire.

    Here is what I get, however the number of attempts can vary:

    
    PS C:\> $Username = "scorch.service"
    $Password = ConvertTo-SecureString "PASSWORDGOESHERE" -AsPlainText -Force
    $cred = new-object -typename System.Management.Automation.PSCredential -argumentlist $username, $password

    $SESJA_EX = New-PSSession -Authentication Kerberos -Credential $cred -ConnectionUri http://eurxhub03/powershell -ConfigurationName microsoft.exchange

    Remove-PSSession $SESJA_EX

    PS C:\> $Username = "scorch.service"
    $Password = ConvertTo-SecureString "PASSWORDGOESHERE" -AsPlainText -Force
    $cred = new-object -typename System.Management.Automation.PSCredential -argumentlist $username, $password

    $SESJA_EX = New-PSSession -Authentication Kerberos -Credential $cred -ConnectionUri http://eurxhub03/powershell -ConfigurationName microsoft.exchange

    Remove-PSSession $SESJA_EX

    PS C:\> $Username = "scorch.service"
    $Password = ConvertTo-SecureString "PASSWORDGOESHERE" -AsPlainText -Force
    $cred = new-object -typename System.Management.Automation.PSCredential -argumentlist $username, $password

    $SESJA_EX = New-PSSession -Authentication Kerberos -Credential $cred -ConnectionUri http://eurxhub03/powershell -ConfigurationName microsoft.exchange

    Remove-PSSession $SESJA_EX

    PS C:\> $Username = "scorch.service"
    $Password = ConvertTo-SecureString "PASSWORDGOESHERE" -AsPlainText -Force
    $cred = new-object -typename System.Management.Automation.PSCredential -argumentlist $username, $password

    $SESJA_EX = New-PSSession -Authentication Kerberos -Credential $cred -ConnectionUri http://eurxhub03/powershell -ConfigurationName microsoft.exchange

    Remove-PSSession $SESJA_EX

    PS C:\> $Username = "scorch.service"
    $Password = ConvertTo-SecureString "PASSWORDGOESHERE" -AsPlainText -Force
    $cred = new-object -typename System.Management.Automation.PSCredential -argumentlist $username, $password

    $SESJA_EX = New-PSSession -Authentication Kerberos -Credential $cred -ConnectionUri http://eurxhub03/powershell -ConfigurationName microsoft.exchange

    Remove-PSSession $SESJA_EX
    New-PSSession : [eurxhub03] Connecting to remote server eurxhub03 failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
    At line:5 char:16
    + ... $SESJA_EX = New-PSSession -Authentication Kerberos -Credential $cred  ...
    +                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotingTransportException
        + FullyQualifiedErrorId : AccessDenied,PSSessionOpenFailed
    Remove-PSSession : Cannot validate argument on parameter 'Id'. The argument is null. Provide a valid value for the argument, and then try running the command again.
    At line:7 char:18
    + Remove-PSSession $SESJA_EX
    +                  ~~~~~~~~~
        + CategoryInfo          : InvalidData: (:) [Remove-PSSession], ParameterBindingValidationException
        + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.PowerShell.Commands.RemovePSSessionCommand
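
The failing run above also shows `Remove-PSSession` erroring because `$SESJA_EX` is null once `New-PSSession` has been refused. As an added example (not code from either poster), the PowerShell helper below repeats the same connection, records the attempt number, timestamp and `FullyQualifiedErrorId` of the first refusal, and only removes a session that was actually opened. The function name and its parameters are hypothetical.

```powershell
# Added example: hypothetical helper, not code from the thread.
function Test-ExchangeSessionLoop {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [pscredential] $Credential,  # passed in by the caller
        [Parameter(Mandatory)] [string] $ConnectionUri,     # e.g. http://eurxhub03/powershell
        [int] $Attempts = 10,
        [int] $DelaySeconds = 2
    )
    for ($i = 1; $i -le $Attempts; $i++) {
        $session = $null
        $result = [ordered]@{
            Attempt   = $i
            Time      = (Get-Date).ToString('o')  # ISO 8601, for matching server-side logs
            User      = $Credential.UserName
            Succeeded = $false
            ErrorId   = $null
            Message   = $null
        }
        try {
            # -ErrorAction Stop makes the remoting failure catchable
            $session = New-PSSession -Authentication Kerberos -Credential $Credential `
                -ConnectionUri $ConnectionUri -ConfigurationName Microsoft.Exchange `
                -ErrorAction Stop
            $result.Succeeded = $true
        }
        catch {
            # For the error in the thread this is "AccessDenied,PSSessionOpenFailed"
            $result.ErrorId = $_.FullyQualifiedErrorId
            $result.Message = $_.Exception.Message
        }
        finally {
            # Only remove a session that was actually created
            if ($null -ne $session) { Remove-PSSession -Session $session }
        }
        [pscustomobject]$result
        # Stop at the first refusal so its timestamp marks when the denials began
        if (-not $result.Succeeded) { break }
        Start-Sleep -Seconds $DelaySeconds
    }
}

# Usage (prompts for the account instead of embedding a password):
# $cred = Get-Credential
# Test-ExchangeSessionLoop -Credential $cred -ConnectionUri 'http://eurxhub03/powershell' | Format-Table
```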
