Issues with Just Enough Administration

Jack Chuong 856 Reputation points
2021-10-21T09:50:09.58+00:00

Hi all,
My environment: Windows Server 2016 Standard with the OpenSSH service running and a local user "gitlab"; user gitlab can SSH to the server successfully.
I want user gitlab to be able to run

    Stop-WebAppPool -Name "mywebapppool" -Passthru
    Start-WebAppPool -Name "mywebapppool" -Passthru

But I don't want to add user gitlab to the local Administrators group, so I'm trying Just Enough Administration (JEA) to grant user gitlab the ability to run some WebAdministration cmdlets (or some .ps1 files) with administrator privileges.
What I did:
Enabled PowerShell module and script block logging.
Created a role capability file C:\Program Files\WindowsPowerShell\Modules\gitlabJEA\RoleCapabilities\gitlabJEARole.psrc:

    @{
        # ID used to uniquely identify this document
        GUID = 'xxx'
        # Author of this document
        Author = 'administrator'
        # Description of the functionality provided by these settings
        # Description = ''
        # Company associated with this document
        CompanyName = 'Unknown'
        # Copyright statement for this document
        Copyright = '(c) 2021 administrator. All rights reserved.'
        # Cmdlets to expose, each restricted to the listed parameters
        VisibleCmdlets = @{ Name = 'Stop-WebAppPool';  Parameters = @{ Name = 'Name' }, @{ Name = 'Passthru' } },
                         @{ Name = 'Start-WebAppPool'; Parameters = @{ Name = 'Name' }, @{ Name = 'Passthru' } }
        # External commands (scripts) to expose
        VisibleExternalCommands = 'C:\myscripts\backup.ps1', 'C:\myscripts\deploy.ps1', 'C:\myscripts\extract.ps1', 'C:\myscripts\restore.ps1'
    }

Created a session configuration file gitlabJEAEndpoint.pssc:

    @{
        # Version number of the schema used for this document
        SchemaVersion = '2.0.0.0'
        # ID used to uniquely identify this document
        GUID = 'xxx'
        # Author of this document
        Author = 'administrator'
        # Session type defaults to apply for this session configuration. Can be 'RestrictedRemoteServer' (recommended), 'Empty', or 'Default'
        SessionType = 'RestrictedRemoteServer'
        # Directory to place session transcripts for this session configuration
        # TranscriptDirectory = 'C:\Transcripts\'
        TranscriptDirectory = 'C:\Program Files\WindowsPowerShell\Modules\gitlabJEA\Transcripts'
        # Whether to run this session configuration as the machine's (virtual) administrator account
        RunAsVirtualAccount = $true
        # User roles (security groups), and the role capabilities that should be applied to them when applied to a session
        # RoleDefinitions = @{ 'CONTOSO\SqlAdmins' = @{ RoleCapabilities = 'SqlAdministration' }; 'CONTOSO\ServerMonitors' = @{ VisibleCmdlets = 'Get-Process' } } 
        RoleDefinitions = @{
            'myservername\gitlab' = @{ RoleCapabilities = 'gitlabJEARole' }
        }
    }

Registered the JEA configuration:

    Test-PSSessionConfigurationFile -Path .\gitlabJEAEndpoint.pssc
    True

    Register-PSSessionConfiguration -Path .\gitlabJEAEndpoint.pssc -Name 'gitlabJEA' -Force

       WSManConfig: Microsoft.WSMan.Management\WSMan::localhost\Plugin

    Type            Keys                                Name
    ----            ----                                ----
    Container       {Name=gitlabJEA}                    gitlabJEA

    Get-PSSessionConfiguration | Select-Object Name

    Name
    ----
    gitlabJEA
    microsoft.powershell
    microsoft.powershell.workflow
    microsoft.powershell32
    microsoft.windows.serverma...

Issue 1: Using JEA interactively
From my client workstation (Windows 10 build 19042.1263) I can't start a JEA session:

$nonAdminCred = Get-Credential
enter myservername\gitlab and password

Enter-PSSession -ComputerName myservername -ConfigurationName gitlabJEA -Credential $nonAdminCred
Enter-PSSession : Connecting to remote server myservername failed with the following error message : WinRM cannot process
the request. The following error with errorcode 0x8009030e occurred while using Kerberos authentication: A specified
logon session does not exist. It may already have been terminated.
 Possible causes are:
  -The user name or password specified are invalid.
  -Kerberos is used when no authentication method and no user name are specified.
  -Kerberos accepts domain user names, but not local user names.
  -The Service Principal Name (SPN) for the remote computer name and port does not exist.
  -The client and remote computers are in different domains and there is no trust between the two domains.
 After checking for the above issues, try the following:
  -Check the Event Viewer for events related to authentication.
  -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or
use HTTPS transport.
 Note that computers in the TrustedHosts list might not be authenticated.
   -For more information about WinRM configuration, run the following command: winrm help config. For more
information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ Enter-PSSession -ComputerName myservername -ConfigurationName gitlabJEA  ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (myservername:String) [Enter-PSSession], PSRemotingTransportException
    + FullyQualifiedErrorId : CreateRemoteRunspaceFailed

Issue 2: From my Windows Server 2016 (administrator RDP login), I open PowerShell and can start a JEA session, but I cannot run the cmdlet:

$nonAdminCred = Get-Credential
enter myservername\gitlab and password

Enter-PSSession -ComputerName localhost -ConfigurationName gitlabJEA -Credential $nonAdminCred
[localhost]: PS>Stop-WebAppPool -Name "mywebapppool" -Passthru
The term 'Stop-WebAppPool' is not recognized as the name of a cmdlet, function, script file, or operable program.
Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
    + CategoryInfo          : ObjectNotFound: (Stop-WebAppPool:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

[localhost]: PS>exit
PS C:\Program Files\WindowsPowerShell\Modules\gitlabJEA> Enter-PSSession -ComputerName myservername -ConfigurationName gitlabJEA -Credential $nonAdminCred
[myservername]: PS>Stop-WebAppPool -Name "mywebapppool" -Passthru
The term 'Stop-WebAppPool' is not recognized as the name of a cmdlet, function, script file, or operable program.
Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
    + CategoryInfo          : ObjectNotFound: (Stop-WebAppPool:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

[ETMS-TEST]: PS>Get-Command

CommandType     Name                                               Version    Source
-----------     ----                                               -------    ------
Function        Clear-Host
Function        Exit-PSSession
Function        Get-Command
Function        Get-FormatData
Function        Get-Help
Function        Measure-Object
Function        Out-Default
Function        Select-Object

I think something is wrong here; Get-Command should return more, right?

Issue 3: When user gitlab SSHes to the Windows Server 2016 box, PowerShell is the default shell; I don't know how to start a JEA session from there.

Please give some advice, thank you very much.


Accepted answer
  1. Rich Matheisen 44,776 Reputation points
    2021-10-21T19:44:11.857+00:00

    "myservername\gitlab" is a local user?

    If so, this is probably your problem:

    -Kerberos accepts domain user names, but not local user names.


3 additional answers

  1. Jack Chuong 856 Reputation points
    2021-10-22T03:44:41.373+00:00

    I deleted the local user "gitlab", created a domain user gitlab, imported the SSH key, and registered the JEA session configuration again:

        RoleDefinitions = @{
            'mydomain\gitlab' = @{ RoleCapabilities = 'gitlabJEARole' }
        }

    Issue 1: I still cannot use JEA interactively, although I can open a remote PowerShell session to the Windows server from my Win 10 client workstation:

    $nonAdminCred = Get-Credential
    enter mydomain\gitlab and password
    cmdlet Get-Credential at command pipeline position 1
    Supply values for the following parameters:
    Credential
    Enter-PSSession -ComputerName myservername -ConfigurationName gitlabJEA -Credential $nonAdminCred
    [myservername]: PS>get-command
    
    CommandType     Name                                               Version    Source
    -----------     ----                                               -------    ------
    Function        Clear-Host
    Function        Exit-PSSession
    Function        Get-Command
    Function        Get-FormatData
    Function        Get-Help
    Function        Measure-Object
    Function        Out-Default
    Function        Select-Object
    
    
    [ETMS-TEST]: PS>Stop-WebAppPool -Name "mywebapppool" -Passthru
    The term 'Stop-WebAppPool' is not recognized as the name of a cmdlet, function, script file, or operable program.
    Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
        + CategoryInfo          : ObjectNotFound: (Stop-WebAppPool:String) [], CommandNotFoundException
        + FullyQualifiedErrorId : CommandNotFoundException
    

    Issue 3: Domain user gitlab can SSH to the Windows server successfully, but cannot stop the web app pool:

        PS C:\Users\gitlab.mydomain> Stop-WebAppPool -Name "mywebapppool" -Passthru
        Process should have elevated status to access IIS configuration data.
        stop-webitem : Cannot find drive. A drive with the name 'IIS' does not exist.
        At line:1 char:1
        + Stop-WebAppPool -Name "mywebapppool" -Passthru
        + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
            + CategoryInfo          : ObjectNotFound: (IIS:String) [Stop-WebItem], Dri
           veNotFoundException
            + FullyQualifiedErrorId : DriveNotFound,Microsoft.IIs.PowerShell.Provider.
           StopItemCommand
    

    I also tried to open a JEA PowerShell session from PuTTY after SSHing in, but it doesn't work. I don't specify a credential here because I logged in over SSH as domain user gitlab:

    Enter-PSSession -ComputerName myservername -ConfigurationName gitlabJEA    
    Enter-PSSession : Connecting to remote server myservername failed with the
    following error message : Access is denied. For more information, see the
    about_Remote_Troubleshooting Help topic.
    At line:1 char:1
    + Enter-PSSession -ComputerName myservername -ConfigurationName gitlabJEA
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidArgument: (myservername:String) [Enter-PSSes
       sion], PSRemotingTransportException
        + FullyQualifiedErrorId : CreateRemoteRunspaceFailed
    
    PS C:\inetpub\eTMS-Tools> Enter-PSSession -ComputerName localhost -ConfigurationName gitlabJEA
    
    Enter-PSSession : Connecting to remote server localhost failed with the
    following error message : Access is denied. For more information, see the
    about_Remote_Troubleshooting Help topic.
    At line:1 char:1
    + Enter-PSSession -ComputerName localhost -ConfigurationName gitlabJEA
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidArgument: (localhost:String) [Enter-PSSes
       sion], PSRemotingTransportException
        + FullyQualifiedErrorId : CreateRemoteRunspaceFailed
    

    From the Windows server:

        $nonAdminCred = Get-Credential
        enter mydomain\gitlab and password
        cmdlet Get-Credential at command pipeline position 1
        Supply values for the following parameters:
        Credential
        Enter-PSSession -ComputerName localhost -ConfigurationName gitl
        abJEA -Credential $nonAdminCred
        [localhost]: PS>Get-Command
    
    CommandType     Name                                               Version    Source
    -----------     ----                                               -------    ------
    Function        Clear-Host
    Function        Exit-PSSession
    Function        Get-Command
    Function        Get-FormatData
    Function        Get-Help
    Function        Measure-Object
    Function        Out-Default
    Function        Select-Object
    
    
    [localhost]: PS>Stop-WebAppPool -Name "mywebapppool" -Passthru
    The term 'Stop-WebAppPool' is not recognized as the name of a cmdlet, function, script file, or operable program.
    Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
        + CategoryInfo          : ObjectNotFound: (Stop-WebAppPool:String) [], CommandNotFoundException
        + FullyQualifiedErrorId : CommandNotFoundException
    

    Update: I think something is wrong with the session configuration file (although I tested it and it returned True) or with the role configuration file; Stop-WebAppPool and Start-WebAppPool are not included in this check:

    Get-PSSessionCapability -ConfigurationName gitlabJEA -Username 'mydomain\gitlab'    
    CommandType     Name                                               Version    Source
    -----------     ----                                               -------    ------
    Alias           clear -> Clear-Host
    Alias           cls -> Clear-Host
    Alias           exsn -> Exit-PSSession
    Alias           gcm -> Get-Command
    Alias           measure -> Measure-Object
    Alias           select -> Select-Object
    Function        Clear-Host
    Function        Exit-PSSession
    Function        Get-Command
    Function        Get-FormatData
    Function        Get-Help
    Function        Measure-Object
    Function        Out-Default
    Function        Select-Object
    

    How can I troubleshoot it?


  2. Jack Chuong 856 Reputation points
    2021-10-22T06:58:21.303+00:00

    I changed gitlabJEARole.psrc from

        VisibleCmdlets = @{ Name = 'Stop-WebAppPool'; Parameters = @{ Name = 'Name'}, @{ Name = 'Passthru'}}, @{ Name = 'Start-WebAppPool'; Parameters = @{ Name = 'Name'}, @{ Name = 'Passthru'}}

    to

        VisibleCmdlets = 'Stop-WebAppPool', 'Start-WebAppPool'

    and registered the session config again:

        Get-PSSessionCapability -ConfigurationName gitlabJEA -Username 'mydomain\gitlab'

    CommandType     Name                                               Version    Source
    -----------     ----                                               -------    ------
    Alias           clear -> Clear-Host
    Alias           cls -> Clear-Host
    Alias           exsn -> Exit-PSSession
    Alias           gcm -> Get-Command
    Alias           measure -> Measure-Object
    Alias           select -> Select-Object
    Function        Clear-Host
    Function        Exit-PSSession
    Function        Get-Command
    Function        Get-FormatData
    Function        Get-Help
    Function        Measure-Object
    Function        Out-Default
    Function        Select-Object
    Cmdlet          Start-WebAppPool                                   1.0.0.0    WebAdministration
    Cmdlet          Stop-WebAppPool                                    1.0.0.0    WebAdministration
    
    Enter-PSSession -ComputerName myservername -ConfigurationName gitlabJEA -Credential $nonAdminCred
    [myservername]: PS>Get-Command -CommandType All
    
    CommandType     Name                                               Version    Source
    -----------     ----                                               -------    ------
    Alias           clear -> Clear-Host
    Alias           cls -> Clear-Host
    Alias           exsn -> Exit-PSSession
    Alias           gcm -> Get-Command
    Alias           measure -> Measure-Object
    Alias           select -> Select-Object
    Function        Clear-Host
    Function        Exit-PSSession
    Function        Get-Command
    Function        Get-FormatData
    Function        Get-Help
    Function        Measure-Object
    Function        Out-Default
    Function        Select-Object
    Cmdlet          Start-WebAppPool                                   1.0.0.0    WebAdministration
    Cmdlet          Stop-WebAppPool                                    1.0.0.0    WebAdministration
    

    But I still cannot stop the web app pool:

        [myservername]: PS>Stop-WebAppPool -Name "mywebapppool" -Passthru
        Cannot find a provider with the name 'Variable'.
            + CategoryInfo          : ObjectNotFound: (Variable:String) [Stop-WebAppPool], ProviderNotFoundException
            + FullyQualifiedErrorId : ProviderNotFound,Microsoft.IIs.PowerShell.Provider.StopAppPoolCommand
    

  3. Jack Chuong 856 Reputation points
    2021-10-25T07:19:56.847+00:00

    I changed gitlabJEARole.psrc to

        VisibleCmdlets = 'Stop-WebAppPool', 'Start-WebAppPool'
        # both providers the WebAdministration cmdlets touch inside a restricted session
        VisibleProviders = 'Variable', 'WebAdministration'
    

    It works; I can stop/start the web app pool from remote PowerShell with JEA.
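
The setup steps from the question and the provider fix from this last post, combined into one editor-added PowerShell example (this is not code from the thread or from Microsoft's JEA documentation). It builds the role capability and session configuration with New-PSRoleCapabilityFile and New-PSSessionConfigurationFile instead of hand-editing the files, registers the endpoint, and then runs two checks the thread only did by hand or not at all: Get-PSSessionCapability to confirm the cmdlets are actually visible to the principal before anyone enters a session, and an ACL check on the scripts exposed through VisibleExternalCommands, because everything in a RunAsVirtualAccount endpoint executes as a local administrator, so a script the connecting user can modify is an administrator shell in disguise. Assumptions not in the thread: the principal is MYDOMAIN\gitlab, the gitlabJEA module folder gets a manifest, ValidateSet pins -Name to mywebapppool, and transcripts go under C:\ProgramData rather than the module folder.

```powershell
# Editor-added example (not from the thread). Builds and registers the gitlab JEA
# endpoint, then verifies what the principal really gets and that the exposed
# scripts cannot be tampered with by non-administrators.
# Assumptions (not in the original post): domain principal MYDOMAIN\gitlab,
# a module manifest for the gitlabJEA folder, ValidateSet on -Name, and a
# transcript directory under C:\ProgramData.
#Requires -RunAsAdministrator

$ModuleRoot = 'C:\Program Files\WindowsPowerShell\Modules\gitlabJEA'
$RoleDir    = Join-Path $ModuleRoot 'RoleCapabilities'
$Principal  = 'MYDOMAIN\gitlab'   # assumption; Kerberos rejects local account names
$Scripts    = 'C:\myscripts\backup.ps1', 'C:\myscripts\deploy.ps1',
              'C:\myscripts\extract.ps1', 'C:\myscripts\restore.ps1'
$Pssc       = Join-Path $env:TEMP 'gitlabJEAEndpoint.pssc'

New-Item -ItemType Directory -Path $RoleDir -Force | Out-Null
# Role capability files are only discovered inside a valid module folder, so give it a manifest.
$Manifest = Join-Path $ModuleRoot 'gitlabJEA.psd1'
if (-not (Test-Path $Manifest)) { New-ModuleManifest -Path $Manifest -Description 'JEA role for gitlab' }

# Role capability: the two cmdlets with -Name pinned to one pool and -PassThru allowed,
# the providers the WebAdministration cmdlets need (the fix found in the thread),
# and the deployment scripts as external commands.
$role = @{
    Path           = Join-Path $RoleDir 'gitlabJEARole.psrc'
    VisibleCmdlets = @(
        @{ Name = 'Stop-WebAppPool';  Parameters = @{ Name = 'Name'; ValidateSet = 'mywebapppool' }, @{ Name = 'PassThru' } }
        @{ Name = 'Start-WebAppPool'; Parameters = @{ Name = 'Name'; ValidateSet = 'mywebapppool' }, @{ Name = 'PassThru' } }
    )
    VisibleProviders        = 'Variable', 'WebAdministration'
    VisibleExternalCommands = $Scripts
}
New-PSRoleCapabilityFile @role

# Session configuration: restricted session, virtual admin account, transcripts
# in a directory that only administrators and SYSTEM can write to.
$TranscriptDir = 'C:\ProgramData\JEATranscripts\gitlabJEA'
New-Item -ItemType Directory -Path $TranscriptDir -Force | Out-Null
$session = @{
    Path                = $Pssc
    SessionType         = 'RestrictedRemoteServer'
    RunAsVirtualAccount = $true
    TranscriptDirectory = $TranscriptDir
    RoleDefinitions     = @{ $Principal = @{ RoleCapabilities = 'gitlabJEARole' } }
}
New-PSSessionConfigurationFile @session
if (-not (Test-PSSessionConfigurationFile -Path $Pssc)) { throw "invalid session configuration file: $Pssc" }
Register-PSSessionConfiguration -Name 'gitlabJEA' -Path $Pssc -Force | Out-Null

# Check 1: what this principal will see in the endpoint, without needing its password.
$cap     = Get-PSSessionCapability -ConfigurationName 'gitlabJEA' -Username $Principal
$missing = 'Stop-WebAppPool', 'Start-WebAppPool' | Where-Object { $_ -notin $cap.Name }
if ($missing) { throw "role capability not applied; missing: $($missing -join ', ')" }

# Check 2: anything listed in VisibleExternalCommands executes as the virtual
# administrator. A script writable by the connecting user is a straight path to admin.
$Trusted   = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'NT SERVICE\TrustedInstaller'
$WriteBits = [System.Security.AccessControl.FileSystemRights]::Write
foreach ($script in $Scripts) {
    foreach ($ace in (Get-Acl -Path $script).Access) {
        $canWrite = ($ace.FileSystemRights -band $WriteBits) -ne 0
        if ($ace.AccessControlType -eq 'Allow' -and $canWrite -and $ace.IdentityReference.Value -notin $Trusted) {
            Write-Warning "$script is writable by $($ace.IdentityReference); it runs as admin inside gitlabJEA"
        }
    }
}
```

Once the script finishes without throwing, a non-interactive test from the workstation that exercises exactly the granted capability is `Invoke-Command -ComputerName myservername -ConfigurationName gitlabJEA -Credential (Get-Credential MYDOMAIN\gitlab) -ScriptBlock { Stop-WebAppPool -Name mywebapppool -PassThru }`; with ValidateSet in place, any other pool name is rejected by parameter binding before the cmdlet runs. This path goes over WinRM; it does not cover the SSH shell from Issue 3, which the thread leaves unresolved.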
