November 20, 2017 at 11:26 am

Hi All

This has bothered me for some time, but now I have some free time to investigate. Below is how I would import a PS session for any GUI I develop with Sapien that needs to connect to Exchange (minus the remove session straight after; this is performed on close). These apps are pushed to a service desk that has no Exchange access, hence the need for static creds.

$Username = "global\User.Name"
$Password = ConvertTo-SecureString "Password" -AsPlainText -Force
$cred = new-object -typename System.Management.Automation.PSCredential -argumentlist $username, $password

$SESJA_EX = New-PSSession -Credential $cred -ConnectionUri http://eurxhub02/powershell -ConfigurationName microsoft.exchange

Remove-PSSession $SESJA_EX

Now this works fine for my credentials; I can open and close multiple times and never get an issue. However, if I use a service account it works for a while and then connections are refused with the below:

New-PSSession : [eurxhub02] Connecting to remote server eurxhub02 failed with the following error message : Access is denied. For more information, see the 
about_Remote_Troubleshooting Help topic.
At line:5 char:16
+ ... $SESJA_EX = New-PSSession -Credential $cred -ConnectionUri http://eur ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotingTransportException
    + FullyQualifiedErrorId : AccessDenied,PSSessionOpenFailed

Group memberships are the same, no difference in the accounts that I can see, but I get the difference in behaviour. It's not just on one server either; I have 3x hub servers and all the same. The account will not connect when it gets this error for a good 30-40 minutes.

It looks to be an account issue but I am lost as to what the issue is. The service account and my account are both in the Administrators group of the server (EURXHUB01,2,3) also.

Any help appreciated.

November 20, 2017 at 6:26 pm

Your DUA is a static long-term credential AD object, so, yep, this should always work. However, depending on how your DSA is set, you could have a catch-22.

Are you saying the SA is a normal domain user account functioning as the service account, or is it an MSA / gMSA that of course has auto password changes, which of course means you would never know what the password is / was?

'technet.microsoft.com/en-us/library/ff641729%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396'
'blog.stangroome.com/2013/07/28/avoid-password-management-with-group-managed-service-accounts'

Hence no static creds in MSA / gMSA, unlike DUAs.

Hence I'd suggest not using MSA / gMSA for what you are doing, but use a static DUA as the SA. However, based on your corporate risk posture, this may be out of your control.

November 21, 2017 at 8:16 am

Hi, yes, static / standard service account with PW never expire.

Here is what I get, however the number of attempts can vary:


PS C:\> $Username = "scorch.service"
$Password = ConvertTo-SecureString "PASSWORDGOESHERE" -AsPlainText -Force
$cred = new-object -typename System.Management.Automation.PSCredential -argumentlist $username, $password

$SESJA_EX = New-PSSession -Authentication Kerberos -Credential $cred -ConnectionUri http://eurxhub03/powershell -ConfigurationName microsoft.exchange

Remove-PSSession $SESJA_EX

PS C:\> $Username = "scorch.service"
$Password = ConvertTo-SecureString "PASSWORDGOESHERE" -AsPlainText -Force
$cred = new-object -typename System.Management.Automation.PSCredential -argumentlist $username, $password

$SESJA_EX = New-PSSession -Authentication Kerberos -Credential $cred -ConnectionUri http://eurxhub03/powershell -ConfigurationName microsoft.exchange

Remove-PSSession $SESJA_EX

PS C:\> $Username = "scorch.service"
$Password = ConvertTo-SecureString "PASSWORDGOESHERE" -AsPlainText -Force
$cred = new-object -typename System.Management.Automation.PSCredential -argumentlist $username, $password

$SESJA_EX = New-PSSession -Authentication Kerberos -Credential $cred -ConnectionUri http://eurxhub03/powershell -ConfigurationName microsoft.exchange

Remove-PSSession $SESJA_EX

PS C:\> $Username = "scorch.service"
$Password = ConvertTo-SecureString "PASSWORDGOESHERE" -AsPlainText -Force
$cred = new-object -typename System.Management.Automation.PSCredential -argumentlist $username, $password

$SESJA_EX = New-PSSession -Authentication Kerberos -Credential $cred -ConnectionUri http://eurxhub03/powershell -ConfigurationName microsoft.exchange

Remove-PSSession $SESJA_EX

PS C:\> $Username = "scorch.service"
$Password = ConvertTo-SecureString "PASSWORDGOESHERE" -AsPlainText -Force
$cred = new-object -typename System.Management.Automation.PSCredential -argumentlist $username, $password

$SESJA_EX = New-PSSession -Authentication Kerberos -Credential $cred -ConnectionUri http://eurxhub03/powershell -ConfigurationName microsoft.exchange

Remove-PSSession $SESJA_EX
New-PSSession : [eurxhub03] Connecting to remote server eurxhub03 failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
At line:5 char:16
+ ... $SESJA_EX = New-PSSession -Authentication Kerberos -Credential $cred  ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotingTransportException
    + FullyQualifiedErrorId : AccessDenied,PSSessionOpenFailed
Remove-PSSession : Cannot validate argument on parameter 'Id'. The argument is null. Provide a valid value for the argument, and then try running the command again.
At line:7 char:18
+ Remove-PSSession $SESJA_EX
+                  ~~~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Remove-PSSession], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.PowerShell.Commands.RemovePSSessionCommand
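
Added example, not part of any post in this thread: a repeatable version of the open/close test shown above. It records one timestamped row per attempt, so the point at which a given account starts being refused can be matched against server-side logs, and it only removes a session that was actually created. The server name and configuration name come from the thread; the function name `Invoke-ExchangeSessionTest`, its parameters and the log path are hypothetical.

```powershell
# Added example (not the poster's code). Function name and log path are hypothetical.
function Invoke-ExchangeSessionTest {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [pscredential] $Credential,
        [string] $Server   = 'eurxhub03',                        # host name from the thread
        [string] $LogPath  = "$env:TEMP\exch-session-test.csv",  # hypothetical path
        [int]    $Attempts = 10
    )

    $uri = "http://$Server/powershell"
    for ($i = 1; $i -le $Attempts; $i++) {
        $session = $null
        $result  = 'OK'
        $errorId = ''
        try {
            # -ErrorAction Stop makes a refused connection a terminating error,
            # so the catch block runs instead of the script carrying on.
            $session = New-PSSession -Authentication Kerberos -Credential $Credential `
                -ConnectionUri $uri -ConfigurationName Microsoft.Exchange -ErrorAction Stop
        }
        catch {
            $result  = 'FAILED'
            $errorId = $_.FullyQualifiedErrorId   # error id of the failed attempt
        }
        finally {
            # Remove only a session that exists; passing $null to Remove-PSSession
            # produces the second error shown in the transcript.
            if ($session) { Remove-PSSession -Session $session }
        }

        # One row per attempt, timestamped in UTC for correlation with server logs.
        [pscustomobject]@{
            TimeUtc = (Get-Date).ToUniversalTime().ToString('o')
            Account = $Credential.UserName
            Server  = $Server
            Attempt = $i
            Result  = $result
            ErrorId = $errorId
        } | Export-Csv -Path $LogPath -Append -NoTypeInformation
    }
}

# Prompt for the account under test rather than embedding its password in the script.
Invoke-ExchangeSessionTest -Credential (Get-Credential)
```

Running it once with each account gives two logs in the same format, which makes the difference in behaviour between the accounts directly comparable.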