Setting up JEA. using a jump station


    • #184368
      Participant
      Topics: 1
      Replies: 2
      Points: -2
      Rank: Member

      I'm looking into JEA and setting it up for users to use a jump station. I run the ps command from server1 that creates a session on server2 – from here I want to be able to run commands for several servers.

      The test below shows the Get-Service command failing. It works OK for server 2 (which I suppose I am on).

      Any ideas what I am doing wrong here?

       

      [Server2]: PS> Get-Service -ComputerName Server4 -Name Dnscache
      Get-Service : Cannot find any service with service name 'Dnscache'.
      At line:25 char:23
      + $scriptCmd = {& $wrappedCmd @PSBoundParameters }
      + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      + CategoryInfo : ObjectNotFound: (Dnscache:String) [Get-Service], ServiceCommandException
      + FullyQualifiedErrorId : NoServiceFoundForGivenName,Microsoft.PowerShell.Commands.GetServiceCommand

    • #184410
      Participant
      Topics: 4
      Replies: 84
      Points: 368
      Helping Hand
      Rank: Contributor

      Sounds like you might be using a local virtual account? I suspect you want to configure the "GroupManagedServiceAccountName" in your .pssc file.

      https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/jea/security-considerations?view=powershell-6

    • #184488
      Senior Moderator
      Topics: 8
      Replies: 1140
      Points: 3,922
      Helping Hand
      Rank: Community Hero

      There is a bug in the Get-Service command that gives the same error: when the computer is not available, it gives an error saying it cannot find the service.

    • #184503
      Participant
      Topics: 2
      Replies: 135
      Points: 708
      Helping Hand
      Rank: Major Contributor

      Thanks, @kvprasoon for the info. Any reference for the same?

      Glesga188853, you can use Get-CIMInstance instead of Get-Service in this scenario...
      Get-CimInstance -ClassName CIM_Service -ComputerName Server4 | where name -eq Dnscache

       

    • #184532
      Participant
      Topics: 1
      Replies: 2
      Points: -2
      Rank: Member

      Sounds like you might be using a local virtual account? I suspect you want to configure the "GroupManagedServiceAccountName" in your .pssc file.

      https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/jea/security-considerations?view=powershell-6

      Hi,

       

      I tried using a group managed service account.

      I get this error when trying to create the session:

      PS C:\Users\Administrator.LAB> Enter-PSSession -ComputerName Server2 -ConfigurationName Helpdesk -Credential LAB\user1

      Enter-PSSession : Connecting to remote server Server2 failed with the following error message : The verification of the Managed Service
      Account failed with error 5. Ensure that the account is valid. For more information, see the about_Remote_Troubleshooting Help topic.
      At line:1 char:1
      + Enter-PSSession -ComputerName Server2 -ConfigurationName Helpdesk -Cr ...
      + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      + CategoryInfo : InvalidArgument: (Server2:String) [Enter-PSSession], PSRemotingTransportException
      + FullyQualifiedErrorId : CreateRemoteRunspaceFailed

      If I run Test-ADServiceAccount JEAacct on server 2 it comes back as true.

      Any help appreciated. There just seems to be a lack of documentation on this JEA stuff.

       

    • #184538
      Participant
      Topics: 1
      Replies: 2
      Points: -2
      Rank: Member

      There is a bug in the Get-Service command that gives the same error: when the computer is not available, it gives an error saying it cannot find the service.

      The server is available though

    • #184622
      Participant
      Topics: 4
      Replies: 84
      Points: 368
      Helping Hand
      Rank: Contributor

      I was doing some reading in the JEA Documentation. Maybe Resource-Based Constrained Kerberos Delegation is the method for achieving this? Anyway, this doc covers various methods for overcoming the second-hop scenario. Hope this is helpful.

      https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/ps-remoting-second-hop?view=powershell-6#resource-based-kerberos-constrained-delegation
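
Added example (not code from any poster in this thread): the two run-as identities discussed above, written as JEA session configuration files on Server2 so the difference is visible side by side. The role capability `HelpdeskRole`, the group `LAB\HelpdeskUsers` and the `C:\JEA` folder are assumed names; `Helpdesk`, `LAB` and `JEAacct` are taken from the thread.

```powershell
# Run elevated on the JEA endpoint (Server2).
# Assumed names (not from the thread): role capability 'HelpdeskRole',
# group 'LAB\HelpdeskUsers', working folder C:\JEA.
$jeaRoot = 'C:\JEA'
New-Item -ItemType Directory -Path "$jeaRoot\Transcripts" -Force | Out-Null

# Settings shared by both variants: restricted session, one role mapping,
# and transcripts so commands can still be tied to the connecting user.
$common = @{
    SessionType         = 'RestrictedRemoteServer'
    RoleDefinitions     = @{ 'LAB\HelpdeskUsers' = @{ RoleCapabilities = 'HelpdeskRole' } }
    TranscriptDirectory = "$jeaRoot\Transcripts"
}

# Variant A: temporary virtual account, an identity local to Server2.
New-PSSessionConfigurationFile @common -RunAsVirtualAccount `
    -Path "$jeaRoot\Helpdesk-virtual.pssc"

# Variant B: gMSA, a domain identity that other servers can authorize.
New-PSSessionConfigurationFile @common -GroupManagedServiceAccount 'LAB\JEAacct' `
    -Path "$jeaRoot\Helpdesk-gmsa.pssc"

# Show the active (uncommented) run-as line in each generated file,
# then confirm both files parse as valid session configurations.
Select-String -Path "$jeaRoot\Helpdesk-*.pssc" `
    -Pattern '^\s*(RunAsVirtualAccount|GroupManagedServiceAccount)\s*='
Get-ChildItem "$jeaRoot\Helpdesk-*.pssc" | ForEach-Object {
    '{0}: valid = {1}' -f $_.Name, (Test-PSSessionConfigurationFile -Path $_.FullName)
}

# Pre-flight for variant B (needs the ActiveDirectory module): register the
# endpoint only if Server2 can actually use the gMSA.
if (Test-ADServiceAccount -Identity 'JEAacct') {
    # Replace any existing 'Helpdesk' endpoint; ignore "not found".
    Unregister-PSSessionConfiguration -Name 'Helpdesk' -Force -ErrorAction SilentlyContinue
    Register-PSSessionConfiguration -Name 'Helpdesk' `
        -Path "$jeaRoot\Helpdesk-gmsa.pssc" -Force
}
```

With variant B every user of the endpoint acts on the network as the one gMSA, so grant that account on Server4 only the rights the visible commands need and rely on the transcripts to attribute actions to individual users.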
