September 16, 2014 at 5:41 am

Hello,

I'm trying to have a constrained endpoint which will run with credentials from a different domain (no trust between the domain where the computer is and the one the endpoint shall be running under). Is it possible? Trying to register this endpoint ends up in an error:

Error Message = The verification of the runAs user credentials failed with the error 1326.
Fully Qualified Error ID = System.InvalidOperationException,Microsoft.PowerShell.Commands.SetItemCommand

Context:
Severity = Warning
Host Name = ConsoleHost
Host Version = 4.0
Host ID = e0fc0707-f4e5-4563-acc3-8f89c6947a94
Engine Version = 4.0
Runspace ID = 4bffa899-03c7-4641-bf6f-68bcf0b3c6de
Pipeline ID = 51
Command Name = Set-Item
Command Type = Cmdlet
Script Name =
Command Path =
Sequence Number = 2050
User = PROD\gs
Shell ID = Microsoft.PowerShell

User Data:

September 16, 2014 at 6:48 am

The computer registering the endpoint, and the machine where the endpoint will be, need to be able to resolve the credential.

September 16, 2014 at 6:51 am

They can resolve the credential; the question is whether you can run an endpoint under credentials in a different domain. Say I can use those credentials to access file shares from this box, but I cannot use them to run the endpoint as.

September 16, 2014 at 6:58 am

Ah, I see.

A file share isn't the ideal test of that; the endpoint RunAs credential needs certain rights, like the right to create process objects and tokens. That's different from being able to just access a file share. It's more like being able to log on interactively, although not exactly the same. You probably won't be able to use a RunAs credential from an untrusted domain.

September 17, 2014 at 12:24 am

You will not be able to runas from an untrusted domain for sure 🙂
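
A pre-flight check for the point made in the replies above, as an added example that is not part of the original thread: it tests whether the computer's domain trusts the RunAs account's domain before the endpoint is registered (error 1326 is the Windows code ERROR_LOGON_FAILURE). The endpoint name `ConstrainedOps` and the domain `corp.example.com` are constructed placeholders, and the helper `Test-RunAsDomainTrusted` is hypothetical.

```powershell
# Added example, not from the thread. Run on the domain-joined computer
# that will host the endpoint.
function Test-RunAsDomainTrusted {
    param(
        [Parameter(Mandatory = $true)]
        [string] $RunAsDomainDns   # DNS name of the domain that owns the RunAs account
    )

    Add-Type -AssemblyName System.DirectoryServices
    $computerDomain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()

    # The computer's own domain and every domain in its forest are trusted implicitly.
    $forestDomains = $computerDomain.Forest.Domains | ForEach-Object { $_.Name }
    if ($forestDomains -contains $RunAsDomainDns) { return $true }

    # Otherwise the computer's side must trust the account's domain:
    # an Outbound or Bidirectional trust as seen from the computer's domain or forest.
    $inbound = [System.DirectoryServices.ActiveDirectory.TrustDirection]::Inbound
    $trusts  = @($computerDomain.GetAllTrustRelationships()) +
               @($computerDomain.Forest.GetAllTrustRelationships())

    foreach ($trust in $trusts) {
        if ($trust.TrustDirection -eq $inbound) { continue }

        # Forest trusts also list the individual domains of the trusted forest.
        $names = @($trust.TargetName)
        if ($trust.TrustedDomainInformation) {
            $names += $trust.TrustedDomainInformation | ForEach-Object { $_.DnsName }
        }
        if ($names -contains $RunAsDomainDns) { return $true }
    }
    return $false
}

# Constructed placeholder values; replace with your own.
$runAsDomain = 'corp.example.com'
$cred = Get-Credential -Message "RunAs account in $runAsDomain"

if (Test-RunAsDomainTrusted -RunAsDomainDns $runAsDomain) {
    Register-PSSessionConfiguration -Name 'ConstrainedOps' -RunAsCredential $cred
}
else {
    Write-Warning "No trust from this computer's domain to $runAsDomain; RunAs credential verification will fail."
}
```

A trust that exists can still be limited by selective authentication, so a `$true` result means registration is worth attempting, not that it is guaranteed to succeed.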