Wednesday, June 1, 2016

New-PSSession - Access Denied

I recently took on a project to automate some of our new-employee on-boarding via SharePoint workflows.  Unfortunately, SharePoint Online cannot execute PowerShell directly, but it can call a remote URL, so I stood up a C#-based web service to broker the work.  When running the code locally there were no issues, which in hindsight is not surprising: Visual Studio was running as an administrator, and so was IIS Express.  Once I moved the code to an actual server, the following error came up:

Connecting to remote server outlook.office365.com failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.

Since I am running PowerShell within a C# web service via PowerShell.Create(), this somewhat made sense.  The error came up immediately after calling New-PSSession, so PowerShell itself was executing and the execution policy was not the problem; something else was being denied.  Adding the application pool account to the local Administrators group made the error go away.  That is NOT an acceptable fix (it hands a web-facing worker process full control of the server), but it did prove the issue was permission related.

After reproducing the error with Process Monitor running and filtering on registry activity, I could see the worker process getting ACCESS DENIED while attempting to write to the following registry key:

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WSMAN\Client\ConnectionCookies

I gave the "IIS APPPOOL\[App Pool Name]" account Full Control on this key and everything started to work!  Figured I would share this with others since I could not find the solution online.  Two caveats: Full Control is more than the WSMan client needs, so a tighter grant (read the key, set values, create subkeys) is the better choice on a production server; and HKEY_USERS\.DEFAULT is the hive a process falls back to when its account has no user profile loaded, which is why an application pool identity running without a loaded profile ends up writing there rather than into a hive of its own.
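The same grant applied with PowerShell instead of Regedit, as an added example that is not part of the original post, scoped to the minimum rights rather than Full Control. The application pool name OnboardingBroker is a placeholder for your own pool; run it from an elevated PowerShell on the IIS server:

```powershell
# Added example (not from the original post). Run in an elevated PowerShell on the IIS server.
# Assumption: the application pool is named "OnboardingBroker"; substitute your own pool name.
$appPoolName = 'OnboardingBroker'
$identity    = "IIS AppPool\$appPoolName"   # virtual account IIS creates for each pool
$keyPath     = 'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WSMAN\Client\ConnectionCookies'

# The WSMan client creates this key on first use, so it may not exist yet on a freshly built server.
if (-not (Test-Path -LiteralPath $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
}

# Least privilege: read the key, write values, create subkeys. No Full Control, no ownership change.
$rights = [System.Security.AccessControl.RegistryRights]'ReadKey, SetValue, CreateSubKey'

$rule = [System.Security.AccessControl.RegistryAccessRule]::new(
    $identity,
    $rights,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,  # cover subkeys WSMan creates
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

$acl = Get-Acl -LiteralPath $keyPath
$acl.SetAccessRule($rule)   # SetAccessRule replaces any existing rule for this identity
Set-Acl -LiteralPath $keyPath -AclObject $acl

# Verify: list the rules that now apply to application pool identities on the key.
(Get-Acl -LiteralPath $keyPath).Access |
    Where-Object { $_.IdentityReference -like 'IIS AppPool\*' } |
    Format-Table IdentityReference, RegistryRights, AccessControlType, IsInherited -AutoSize
```

If Process Monitor still shows ACCESS DENIED on the key after this, add only the specific right it reports rather than falling back to Full Control. An alternative worth weighing is enabling "Load User Profile" on the application pool, which gives the pool identity its own profile hive so the WSMan client no longer writes under HKEY_USERS\.DEFAULT at all; that avoids editing a hive shared with other profile-less processes, at the cost of a profile being created for the pool account.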

6 comments:

  1. Hello Mike,

    I am facing the same issue. May I know how you gave access to that key for the apppool account?

  2. Hi Ridy - I simply used Regedit. You apply the ACL like you would any other Windows-based ACL. Right-click on the ConnectionCookies key, select Permissions and apply your apppool account.

    Mike

  3. Thanks Mike. Within my organization, group policy overwrites the registry values daily. So I am back to square one.

    But I was able to solve the issue. What I observed is that the service account that I am using doesn't have any access to IIS. I resolved the issue by changing the App Pool Identity to Network Service. With this, I don't have to touch registry values and the problem is solved.

    Replies
    1. Yes, Network Service will certainly work as well. However, keep in mind the security implications of running as Network Service account in more recent versions of IIS. Here is a good article, under "Application Pool Identity Accounts":

      https://docs.microsoft.com/en-us/iis/manage/configuring-security/application-pool-identities

      Probably not a big deal in your case, but thought I would throw that out there for you to review.

    2. Thanks Mike for letting me know this. I am deploying this web app to production server and I couldn't find the registry key entry for "HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WSMAN\Client\ConnectionCookies"

      Do we have to enable it somewhere? I tried to find around Group policy but couldn't find "ConnectionCookies"

    3. I do not believe you have to enable it. What you may want to do is run ProcessMonitor on your IIS server (and not using Network Service), filter on Registry activity and see if you can identify an "ACCESS DENIED" result on any registry keys. So you do not see this key on the IIS server itself? Not sure about GPOs as we were not doing any restrictions there. Let me know.
