Web Front End for PS script - issues with PS remoting

Question

Hi, I am evaluating Web Front End solution for backend PowerShell scripts - every single time backend PowerShell script fails here:

$session = New-PSSession -ComputerName dcName -ConfigurationName DomainAdmins

Invoke-Command -Session $session -ScriptBlock {...}
								
Error: Cannot validate argument on parameter 'Session'. The argument is null or empty. Provide an argument that is not null or empty, and then try the command again. [dcName] An error has occurred which PowerShell cannot handle. A remote session might have ended.

Service Account Web App Pool is running under has permissions on DomainAdmins JEA endpoint. Outside of Web Front End, New-PSSession command above works without issues under Service Account credential.

This is major showstopper since I prefer using JEA concept whenever possible. Any help would be appreciated.

Answer 1

I always used a "normal" AD account (with password) for my worker processes. I can't help you with JEA, but here are some things to check.

Just to verify... you have an ASPX page that is shelling out Powershell.exe on the web server and you are capturing stdout and stderr (or transcript file) and that's where you see that error, correct?

Look at your web.config for "identity impersonate=true". The request might be running as the client user.

Maybe add in a call to whoami to verify that Powershell is executing as the account that you have configured.

whoami.exe 
$session = New-PSSession -ComputerName dcName -ConfigurationName DomainAdmins
Invoke-Command -Session $session -ScriptBlock {...}

Check the Security event log on the remote computer to see if there are any authentication errors.

There is also a Microsoft-Windows-WinRM/Operational event log under "Applications and Services logs". It may also show as "Windows Remote Managememt". See if there are any related events in there on the remote computer.

You have this tagged as a Windows Server Powershell question. I would recommend that you add the tags for Windows Server, Active Directory and IIS. That might help reaching out to forum users with JEA experience.

Answer 2

There is no line "identity impersonate=true" in web.config file. Just to point out something here - when I give Service Account Web App Pool is running under required permission in AD, PowerShell script works fine but, in that case, I do not use JEA but Add-ADGroupMember ... directly (ADWS) so it seems that PowerShell script does run under Service Account Web App Pool is running under. I am facing a problem only when trying to establish remote PS session to JEA endpoint.

Answer 3

Having executed script on the web server

Start-Transcript -Path C:\Temp\Log.log
$result = Invoke-Command -ComputerName dcName -ScriptBlock {$env:USERNAME}    
Stop-Transcript

In transcript file I get: OpenError: An error has occurred which PowerShell cannot handle. A remote session might have ended.

Both Username and RunAs User point to Service Account.

Answer 4

Vendor cites double-hop issue as possible problem here although error above is very generic and does not point to double-hop whatsoever. With free solution WebJEA everything works like a charm.

Answer 5

We can't use CredSSP as far as I know. All Kerberos methods according to document do not support the second hop for WinRM which is a bit strange since these are referred to in Windows Admin Center to configure Single Sign-on (second hop).