PS Remoting

  • #95735

    Participant

    I have set up PowerShell remoting on two servers. I can confirm this by being able to access ServerB from ServerA with Enter-PSSession. When attempting to run scripts from ServerA on ServerB using Invoke-Command, I come across these two roadblocks:

    1) When attempting to recycle an app pool on ServerB from ServerA:
    Error: Process should have elevated status to access IIS configuration data.

    2) When attempting to access a file on ServerB from ServerA:
    Error: Access to the path denied.

    Two things I think may be happening: it seems as though the script is not running as admin on ServerB, or I have not given proper rights on ServerB.

    Any help on how to resolve this would be appreciated.

    Thanks!

  • #95736

    Keymaster

    It's more likely a double-hop problem. The remote machine has to connect to a "remote service" (even if that's running on the same machine), and so you lose your credential delegation. "Secrets of PowerShell Remoting" discusses the double-hop problem and some of the major solutions. IIS is particularly challenging because of how it's built, and the fact that nobody at Microsoft really seems to "own" IIS anymore in terms of moving its architecture forward.

    • #95742

      Participant

      Thanks for your quick response.

      I am actually not making a second hop. I am RDP'ing to ServerA, running a script on ServerA and attempting to run that same script on ServerB using Invoke-Command. These two servers are on the same subnet. I am able to do this with no errors with the built-in administrator account, but with other admin accounts is where I run into the issue.

      This part of your documentation is what I think is my answer, besides the fact that my servers are on the same domain.

      Administrators from Other Domains

      There's a quirk in Windows that tends to strip the Administrator account token for
      administrator accounts coming in from other domains, meaning they end up running under
      standard user privileges – which often isn't sufficient. In the target domain, you need to
      change that behavior.

      To do so, run this on the target computer (type this all in one line and then hit Enter):

      New-ItemProperty -Name LocalAccountTokenFilterPolicy `
          -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System `
          -PropertyType Dword -Value 1

      That should fix the problem. Note that this does disable User Account Control (

  • #95748

    Keymaster

    So... let's be specific.

    RDP to ServerA.
    ServerA uses Invoke-Command to run a script on ServerB.
    World explodes.

    Is that the pattern?

  • #95757

    Participant

    RDP to ServerA.
    ServerA uses Invoke-Command to run a script on ServerB.
    World explodes.

    The pattern isn't quite that destructive, but close.

    I appreciate your help, I think you gave me enough to proceed.

  • #95759

    Keymaster

    Yup!

    Just so you know, that last pre-explosion step _is_ a second hop. When the script runs on ServerB, it actually has to connect to the IISAdmin service, which goes out over the network regardless of whether it's actually running on the same machine or not. It's like running Get-ADUser on a domain controller – it's still a network call, and that's where the double hop can bite you.

    Good luck!
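The thread leaves two explanations side by side: a filtered (non-elevated) admin token on ServerB, which is what the LocalAccountTokenFilterPolicy quote addresses, and a second hop from ServerB to the IISAdmin service or a file resource. The diagnostic below is an added example, not code from the thread or from "Secrets of PowerShell Remoting"; it is run on ServerA and reports, for the account that fails, whether the remote session's token is elevated, how it authenticated, whether the token-filter policy is set on the target, and whether a second-hop resource is reachable. 'ServerB' and '\\ServerC\share' are placeholders, and the scriptblock variable names are my own.

```powershell
# Added example (not from this thread). Run on ServerA as the admin account that fails.
# Placeholders: the remoting target and a resource ServerB must reach on the caller's behalf.
$Target    = 'ServerB'
$SecondHop = '\\ServerC\share'

$report = Invoke-Command -ComputerName $Target -ArgumentList $SecondHop -ScriptBlock {
    param([string]$HopPath)

    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity

    # A UAC-filtered token has the Administrators group present but disabled, so
    # IsInRole returns $false even though the account is a member of the group.
    $elevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # Only Kerberos can carry credentials to a second hop, and only when delegation
    # is configured for it; an NTLM session can never make the second hop.
    $authType = $identity.AuthenticationType

    # LocalAccountTokenFilterPolicy = 1 turns token filtering off for remote logons
    # with local accounts; absent or 0 is the default (filtering on).
    $policyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $policy = (Get-ItemProperty -Path $policyPath -Name LocalAccountTokenFilterPolicy `
                   -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy
    $policyText = if ($null -eq $policy) { 'not set (filtering on)' } else { "$policy" }

    # Touch the second-hop resource. "Access is denied" here with an elevated token
    # is the classic double-hop symptom rather than a missing permission.
    $hop = 'reachable'
    try {
        Get-ChildItem -Path $HopPath -ErrorAction Stop | Out-Null
    } catch {
        $hop = $_.Exception.Message
    }

    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        RunningAs          = $identity.Name
        ElevatedToken      = $elevated
        AuthenticationType = $authType
        TokenFilterPolicy  = $policyText
        SecondHop          = $hop
    }
}

$report | Format-List
```

Reading the result: ElevatedToken False means the IIS error comes from a filtered token (the quirk the quoted text describes, or a local non-built-in admin account), and the fix is on the token side; ElevatedToken True with SecondHop reporting access denied is the double hop, which is solved by Kerberos delegation (constrained or resource-based) or by CredSSP, with the trade-offs the book discusses. Setting LocalAccountTokenFilterPolicy to 1 removes the remote UAC restriction for every local administrator account on that host, so a domain account with delegation configured is the narrower fix.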
