Web Front End for PS script - issues with PS remoting

Bojan Zivkovic 461 Reputation points
2024-10-04T19:01:07.87+00:00

Hi, I am evaluating a Web Front End solution for backend PowerShell scripts. Every single time, the backend PowerShell script fails here:

$session = New-PSSession -ComputerName dcName -ConfigurationName DomainAdmins

Invoke-Command -Session $session -ScriptBlock {...}
								
Error: Cannot validate argument on parameter 'Session'. The argument is null or empty. Provide an argument that is not null or empty, and then try the command again. [dcName] An error has occurred which PowerShell cannot handle. A remote session might have ended.

The service account the Web App Pool is running under has permissions on the DomainAdmins JEA endpoint. Outside of the Web Front End, the New-PSSession command above works without issues under the service account's credentials.

This is a major showstopper since I prefer using the JEA concept whenever possible. Any help would be appreciated.

Tags: Internet Information Services, Windows Server, Active Directory, Windows Server PowerShell
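Before chasing the web-server side, it is worth confirming on the DC what the JEA endpoint actually grants the service account. The following is an added example, not code from the original post: it runs in an elevated PowerShell session on the DC that hosts the endpoint. 'DomainAdmins' is the endpoint name from the question; 'CONTOSO\svc-webapp' is an assumed placeholder for the app pool's service account.

```powershell
# Added example (not from the original post). Run elevated on the DC hosting the JEA endpoint.
# 'DomainAdmins' comes from the question; 'CONTOSO\svc-webapp' is an assumed placeholder
# for the service account the web app pool runs under.
param(
    [string]$ConfigurationName = 'DomainAdmins',
    [string]$ServiceAccount    = 'CONTOSO\svc-webapp'
)

# 1. Does the endpoint exist, and what does its ACL (Permission) and RunAs configuration look like?
#    Only accounts/groups listed with AccessAllowed in Permission can open a session.
$cfg = Get-PSSessionConfiguration -Name $ConfigurationName -ErrorAction Stop
$cfg | Format-List Name, PSVersion, RunAsVirtualAccount, RunAsVirtualAccountGroups, Permission

# 2. Is WinRM listening locally at all? (Throws if the service or listener is down.)
Test-WSMan -ErrorAction Stop | Out-Null
"WinRM listener on $env:COMPUTERNAME is up."

# 3. Which commands would this account get from the endpoint? Get-PSSessionCapability evaluates
#    the role capability mapping for the named user without opening a session as that user.
#    If no role maps to the account, the cmdlet reports an error instead of a command list.
try {
    $caps = Get-PSSessionCapability -ConfigurationName $ConfigurationName -Username $ServiceAccount -ErrorAction Stop
    "$ServiceAccount would see $($caps.Count) command(s) on '$ConfigurationName':"
    $caps | Select-Object Name, CommandType | Sort-Object Name | Format-Table -AutoSize
}
catch {
    Write-Warning "Capability check for $ServiceAccount on '$ConfigurationName' failed: $($_.Exception.Message)"
}
```

Compare the account in step 3 with the identity the worker process actually presents (whoami from inside the shelled-out PowerShell). If the web server connects as a different principal than the one in the endpoint ACL, the session is refused before any command runs.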

7 answers

  1. MotoX80 33,916 Reputation points
    2024-10-05T20:11:47.9066667+00:00

    I always used a "normal" AD account (with password) for my worker processes. I can't help you with JEA, but here are some things to check.

    Just to verify... you have an ASPX page that is shelling out Powershell.exe on the web server and you are capturing stdout and stderr (or transcript file) and that's where you see that error, correct?

    Look at your web.config for "identity impersonate=true". The request might be running as the client user.

    Maybe add in a call to whoami to verify that PowerShell is executing as the account that you have configured.

    whoami.exe 
    $session = New-PSSession -ComputerName dcName -ConfigurationName DomainAdmins
    Invoke-Command -Session $session -ScriptBlock {...}
    

    Check the Security event log on the remote computer to see if there are any authentication errors.

    There is also a Microsoft-Windows-WinRM/Operational event log under "Applications and Services logs". It may also show as "Windows Remote Management". See if there are any related events in there on the remote computer.

    You have this tagged as a Windows Server PowerShell question. I would recommend that you add the tags for Windows Server, Active Directory and IIS. That might help reaching out to forum users with JEA experience.

    1 person found this answer helpful.
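The checks in the answer above (which identity PowerShell runs as, whether the session opens, and what WinRM logged on the remote side) can be folded into one diagnostic script. This is an added example, not code from the original post or from the vendor product; run it through the same path the web front end uses (the shelled-out powershell.exe) so the output reflects the worker-process token rather than an interactive logon. 'dcName' and 'DomainAdmins' are from the question; the transcript path C:\Temp\jea-diag.log is an assumed location, and reading the remote event log assumes the account has event log read rights on the DC.

```powershell
# Added example (not from the original post). Run from the web front end's own code path,
# so the token is the one the worker process really has. 'dcName' and 'DomainAdmins' are from
# the question; C:\Temp\jea-diag.log is an assumed transcript path.
Start-Transcript -Path 'C:\Temp\jea-diag.log' -Append

# 1. Who is this process? AuthenticationType distinguishes Kerberos from NTLM, and a non-None
#    ImpersonationLevel means we are on an impersonated client token (e.g. identity impersonate=true),
#    which cannot be forwarded to a second machine.
$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
[pscustomobject]@{
    Name               = $id.Name
    AuthenticationType = $id.AuthenticationType
    ImpersonationLevel = $id.ImpersonationLevel
    IsSystem           = $id.IsSystem
} | Format-List

# 2. Can WinRM on the DC be reached with Kerberos at all, before any session configuration is involved?
try {
    Test-WSMan -ComputerName dcName -Authentication Kerberos -ErrorAction Stop | Out-Null
    'Test-WSMan dcName (Kerberos): OK'
}
catch {
    "Test-WSMan dcName (Kerberos) FAILED: $($_.Exception.Message)"
}

# 3. Open the JEA session with -ErrorAction Stop so the real OpenError surfaces here instead of
#    Invoke-Command later complaining that $session is null. Get-Command is part of every
#    JEA endpoint's default command set, so it is safe to call on a NoLanguage endpoint.
try {
    $session = New-PSSession -ComputerName dcName -ConfigurationName DomainAdmins -ErrorAction Stop
    "Session opened: State=$($session.State) Availability=$($session.Availability)"
    Invoke-Command -Session $session -ScriptBlock { Get-Command } |
        Select-Object Name, CommandType | Sort-Object Name | Format-Table -AutoSize
    Remove-PSSession -Session $session
}
catch {
    "New-PSSession FAILED: $($_.Exception.GetType().FullName): $($_.Exception.Message)"
    if ($_.Exception.InnerException) { "Inner: $($_.Exception.InnerException.Message)" }
    if ($_.FullyQualifiedErrorId)    { "ErrorId: $($_.FullyQualifiedErrorId)" }
}

# 4. Pull the last few WinRM operational events from the DC for correlation. Get-WinEvent -ComputerName
#    talks to the remote event log service (RPC), not WinRM, so it can succeed even when the PSSession
#    cannot. Requires event log read rights on the DC (assumption).
try {
    Get-WinEvent -ComputerName dcName -LogName 'Microsoft-Windows-WinRM/Operational' -MaxEvents 25 -ErrorAction Stop |
        Where-Object { $_.TimeCreated -gt (Get-Date).AddMinutes(-5) } |
        Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-List
}
catch {
    "Could not read the WinRM operational log on dcName: $($_.Exception.Message)"
}

Stop-Transcript
```

Read the transcript in order: if step 1 shows an unexpected Name or an impersonated token, the request is not running as the configured app pool account; if step 2 fails but step 1 looks right, the problem is transport or Kerberos (SPN, NTLM fallback); if only step 3 fails, the endpoint ACL or session configuration on the DC is the place to look, and step 4 usually names the reason.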

  2. Bojan Zivkovic 461 Reputation points
    2024-10-07T07:06:39.79+00:00

    There is no line "identity impersonate=true" in the web.config file. Just to point out something here: when I give the service account the Web App Pool is running under the required permission in AD, the PowerShell script works fine, but in that case I do not use JEA; I use Add-ADGroupMember ... directly (ADWS). So it seems that the PowerShell script does run under the service account the Web App Pool is running under. I am facing a problem only when trying to establish a remote PS session to the JEA endpoint.

    1 person found this answer helpful.

  3. Bojan Zivkovic 461 Reputation points
    2024-10-09T13:26:39.4+00:00

    Having executed this script on the web server:

    Start-Transcript -Path C:\Temp\Log.log
    $result = Invoke-Command -ComputerName dcName -ScriptBlock {$env:USERNAME}    
    Stop-Transcript
    

    In the transcript file I get: OpenError: An error has occurred which PowerShell cannot handle. A remote session might have ended.

    Both Username and RunAs User point to Service Account.

    1 person found this answer helpful.

  4. Bojan Zivkovic 461 Reputation points
    2024-10-11T11:04:35.35+00:00

    The vendor cites the double-hop issue as a possible problem here, although the error above is very generic and does not point to double-hop whatsoever. With the free solution WebJEA everything works like a charm.

    1 person found this answer helpful.

  5. Bojan Zivkovic 461 Reputation points
    2024-10-12T05:38:46.43+00:00

    We can't use CredSSP as far as I know. All Kerberos methods, according to the document, do not support the second hop for WinRM, which is a bit strange since these are referred to in Windows Admin Center to configure single sign-on (second hop).

    1 person found this answer helpful.
