Web Front End for PS script - issues with PS remoting

Bojan Zivkovic 616 Reputation points
2024-10-04T19:01:07.87+00:00

Hi, I am evaluating a Web Front End solution for backend PowerShell scripts - every single time, the backend PowerShell script fails here:

$session = New-PSSession -ComputerName dcName -ConfigurationName DomainAdmins

Invoke-Command -Session $session -ScriptBlock {...}
								
Error: Cannot validate argument on parameter 'Session'. The argument is null or empty. Provide an argument that is not null or empty, and then try the command again. [dcName] An error has occurred which PowerShell cannot handle. A remote session might have ended.

The Service Account the Web App Pool is running under has permissions on the DomainAdmins JEA endpoint. Outside of the Web Front End, the New-PSSession command above works without issues under the Service Account credential.

This is a major showstopper since I prefer using the JEA concept whenever possible. Any help would be appreciated.

Windows development | Internet Information Services
Windows for business | Windows Client for IT Pros | Directory services | Active Directory
Windows for business | Windows Server | User experience | PowerShell
Windows for business | Windows Server | User experience | Other

7 answers

  1. Bojan Zivkovic 616 Reputation points
    2024-10-12T14:45:17.8533333+00:00

    You are absolutely right - there is IIS, which the Web Front End app is running on, calling a background PowerShell script and passing the parameter values the end user entered in the Web Front End GUI form. The PowerShell script itself connects remotely to the target server - so there are 2 servers in total.

    As I mentioned above, without PowerShell remoting, everything works fine - having delegated the proper permission to the Service Account, Add-ADGroupMember ... was executed in the PowerShell script without issues. To do so, a connection to dcName on tcp/9389 had to be established (ADWS).


  2. Bojan Zivkovic 616 Reputation points
    2024-10-12T15:46:42.5+00:00

    Yep, it listed the NETLOGON and SYSVOL shared folders on the Domain Controller. One more thing I have noticed - when I use PowerShell remoting in the script executed by the Web Front End app, I do not see a single entry in Wireshark:

    ip.dst == 10.3.3.10 && tcp.dstport == 5985
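
One way to surface the real failure behind the "argument is null or empty" message in the question, as an added example that is not part of the thread: it logs the identity the script actually runs as under the app pool, checks tcp/5985, and makes New-PSSession fail loudly instead of leaving `$session` null. The log path and the use of `Get-Command` inside the session (exposed by the default restricted JEA session type) are assumptions.

```powershell
# Added diagnostic example, not code from the thread.
# dcName and DomainAdmins come from the question; $logPath is an assumed location.
$target  = 'dcName'
$jea     = 'DomainAdmins'
$logPath = Join-Path $env:TEMP 'jea-remoting-diag.log'   # assumed; must be writable by the app pool identity

function Write-Diag([string]$Message) {
    "{0:o} {1}" -f (Get-Date), $Message | Add-Content -Path $logPath
}

# Which identity is the script really running as inside the web app?
Write-Diag "Identity: $([Security.Principal.WindowsIdentity]::GetCurrent().Name)"

# Is WinRM over HTTP (tcp/5985) reachable from this process at all?
$tcp = Test-NetConnection -ComputerName $target -Port 5985 -WarningAction SilentlyContinue
Write-Diag "tcp/5985 reachable: $($tcp.TcpTestSucceeded)"

$session = $null
try {
    # Without -ErrorAction Stop a failed connection is a non-terminating error:
    # $session stays null and Invoke-Command then reports the 'Session' argument as empty.
    $session = New-PSSession -ComputerName $target -ConfigurationName $jea -ErrorAction Stop
    Write-Diag "Session opened: $($session.State)"

    # Assumption: the endpoint exposes Get-Command. Names are read client-side
    # so nothing beyond a single command runs in the constrained session.
    Invoke-Command -Session $session -ErrorAction Stop -ScriptBlock { Get-Command } |
        ForEach-Object { Write-Diag "Visible command: $($_.Name)" }
}
catch {
    # Record the underlying WinRM/authentication error, not the follow-on one.
    Write-Diag "FAILED: $($_.Exception.Message)"
    Write-Diag "ErrorId: $($_.FullyQualifiedErrorId)"
    throw
}
finally {
    if ($session) { Remove-PSSession -Session $session }
}
```

Comparing the log from a run under the Web Front End with one from an interactive run under the same Service Account shows whether the identity, the network path, or the session setup differs.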
