What are the -RunAsCredential limitations of Register-PSSessionConfiguration?

This topic contains 4 replies, has 3 voices, and was last updated by Ondrej Zilinec 2 years, 2 months ago.

  • #18836
    GS
    Participant

    Hello,

    I'm trying to have a constrained endpoint which will run with credentials from a different domain (no trust between the domain where the computer is and the one the endpoint shall be running under). Is it possible? Trying to register this endpoint ends up in an error:

    Error Message = The verification of the runAs user credentials failed with the error 1326.
    Fully Qualified Error ID = System.InvalidOperationException,Microsoft.PowerShell.Commands.SetItemCommand

    Context:
    Severity = Warning
    Host Name = ConsoleHost
    Host Version = 4.0
    Host ID = e0fc0707-f4e5-4563-acc3-8f89c6947a94
    Engine Version = 4.0
    Runspace ID = 4bffa899-03c7-4641-bf6f-68bcf0b3c6de
    Pipeline ID = 51
    Command Name = Set-Item
    Command Type = Cmdlet
    Script Name =
    Command Path =
    Sequence Number = 2050
    User = PROD\gs
    Shell ID = Microsoft.PowerShell

    User Data:

  • #18839
    Don Jones
    Keymaster

    The computer registering the endpoint, and the machine where the endpoint will be, need to be able to resolve the credential.

  • #18840
    GS
    Participant

    They can resolve the credential; the question is whether you can run an endpoint under credentials in a different domain. Say I can use those credentials to access file shares from this box, but I cannot use them to run the endpoint as.

  • #18841
    Don Jones
    Keymaster

    Ah, I see.

    A file share isn't the ideal test of that; the endpoint RunAs credential needs certain rights, like the right to create process objects and tokens. That's different from being able to just access a file share. It's more like being able to log on interactively, although not exactly the same. You probably won't be able to use a RunAs credential from an untrusted domain.

    • #18859
      Ondrej Zilinec
      Participant

      You will not be able to runas from an untrusted domain for sure 🙂
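
An added example, not part of the thread and not code from any of the posters: a PowerShell probe that asks the local computer to log the credential on, which is closer to the check discussed above than a file-share test. It assumes a local `LogonUser` attempt is a reasonable proxy for the RunAs verification; `LogonProbe` and `Test-RunAsLogon` are hypothetical names.

```powershell
# Added example. LogonProbe and Test-RunAsLogon are hypothetical names.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;

public static class LogonProbe
{
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll")]
    static extern bool CloseHandle(IntPtr handle);

    // Returns 0 on success, otherwise the Win32 error code of the failed logon.
    public static int Attempt(string user, string domain, string password, int logonType)
    {
        IntPtr token;
        // A UPN (user@domain) must be passed with a null domain.
        if (string.IsNullOrEmpty(domain)) { domain = null; }
        if (!LogonUser(user, domain, password, logonType, 0, out token))
        {
            return Marshal.GetLastWin32Error();
        }
        CloseHandle(token);
        return 0;
    }
}
'@

function Test-RunAsLogon {
    param([Parameter(Mandatory = $true)] [pscredential] $Credential)

    $net   = $Credential.GetNetworkCredential()
    # LOGON32_LOGON_* values from the Win32 LogonUser API.
    $types = [ordered]@{ Interactive = 2; Network = 3; Batch = 4; Service = 5 }

    # Each attempt is a real logon: it is audited and a wrong password may count toward lockout.
    foreach ($name in $types.Keys) {
        $code = [LogonProbe]::Attempt($net.UserName, $net.Domain, $net.Password, $types[$name])
        $text = if ($code) { (New-Object System.ComponentModel.Win32Exception -ArgumentList $code).Message } else { 'OK' }
        [pscustomobject]@{ LogonType = $name; Win32Error = $code; Message = $text }
    }
}

# 1326 (ERROR_LOGON_FAILURE) is the same code as in the registration error in the thread;
# 1385 means the account has not been granted that logon type on this computer.
# Test-RunAsLogon -Credential (Get-Credential)
```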
