Windows Admin Center RBAC

RvM 26 Reputation points
2021-02-10T20:05:19.19+00:00

Hello,

I have setup Windows Admin Center in Gateway mode. Also a commercial certificate is installed.

The problem is that I have setup RBAC and added a user to the Hyper-V Administrators group, but I cannot login unless I add this test user to the local administrators group.

I was thinking it has to do something with RBAC and tried to download the configuration package using this command

$WindowsAdminCenterGateway = 'https://windowsadmincenter.contoso.com'
Invoke-RestMethod -Uri "$WindowsAdminCenterGateway/api/nodes/all/features/jea/endpoint/export" -Method POST -UseDefaultCredentials -OutFile "~\Desktop\WindowsAdminCenter_RBAC.zip"

But I cannot get this to work and it has to do something with the SSL. When I run the command on my W10 machine it runs fine.

Any ideas?

Windows Server Management
Windows Server Management
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Management: The act or process of organizing, handling, directing or controlling something.
424 questions
{count} votes

5 answers

Sort by: Most helpful
  1. RvM 26 Reputation points
    2021-02-11T07:17:32.827+00:00

    The OS is Windows Server 2019 build 9600 with the latest version of WAC.

    Thats right I have also tested with WAC on a Windows 10. There I Was able to create the configuration package.

    0 comments No comments

  2. RvM 26 Reputation points
    2021-02-11T07:20:20.337+00:00

    The error I get when running the command is “could not establish trust relationship for the ssl/tls secure channel

    0 comments No comments

  3. RvM 26 Reputation points
    2021-02-11T08:15:39.663+00:00

    I found some sort of a solution by ignoring the certificate (see script below), but only by using localhost. I also cannot login to WAC using the fqdn (not authorised)

    This works: Invoke-RestMethod -Uri "https://localhost:443/api/nodes/all/features/jea/endpoint/export"
    This doesn't: Invoke-RestMethod -Uri "https://fqdn:443/api/nodes/all/features/jea/endpoint/export"

    Ignore certificate

    if (-not ([System.Management.Automation.PSTypeName]'ServerCertificateValidationCallback').Type)
    {
    $certCallback = @"
    using System;
    using System.Net;
    using System.Net.Security;
    using System.Security.Cryptography.X509Certificates;
    public class ServerCertificateValidationCallback
    {
    public static void Ignore()
    {
    if(ServicePointManager.ServerCertificateValidationCallback ==null)
    {
    ServicePointManager.ServerCertificateValidationCallback +=
    delegate
    (
    Object obj,
    X509Certificate certificate,
    X509Chain chain,
    SslPolicyErrors errors
    )
    {
    return true;
    };
    }
    }
    }
    "@
    Add-Type $certCallback
    }

    0 comments No comments

  4. RvM 26 Reputation points
    2021-02-11T09:02:13.973+00:00

    Issue is resolved. I had to run the command from a remote host.

    Thanks!

    Robin

    0 comments No comments

  5. RvM 26 Reputation points
    2021-02-11T16:08:17.42+00:00

    There is still an issue that has somthing to do with RBAC.

    I have added a test user to the Windows Admin Center Hyper-V Administrators group, but when I click on Virtual machines in WAC, there is an error.

    This operation was blocked by role based access control settings.

    0 comments No comments