Run SCVMM PowerShell scripts C# work on console but not MVC APP

Emmanuel Vaussion 1 Reputation point
2021-07-10T08:04:18.367+00:00

Hello, I really need help!
Two weeks and no result.

We have simple code to get the LogicalNetwork.
If we run this code on the console, everything works fine.
But if we run this code on a web page, we have an issue.

French error :
"Vous ne pouvez pas accéder au serveur d'administration VMM (NO_PARAM).
Contactez l'administrateur Virtual Machine Manager afin de vérifier que votre compte est membre d'un rôle d'utilisateur valide, puis recommencez l'opération.
"

"You cannot access VMM management "

Thank you

using System;
using System.Collections.Generic;
using System.Collections.ObjectModel;
using System.Linq;
using System.Management.Automation;
using System.Management.Automation.Runspaces;
using System.Text;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

namespace WebApplication1
{
    public partial class _Default : Page
    {
        public static Collection<PSObject> ExecutePowerShellCommandTesting(string psCommand, string[] modules)
        {

            using (var localRunspacePool = RunspaceFactory.CreateRunspacePool())
            {
                string moduleImportString = "Import-Module";
                localRunspacePool.Open();
                using (var engine = PowerShell.Create())
                {
                    engine.RunspacePool = localRunspacePool;
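                    if (modules != null && modules.Length > 0)
                    {
                        foreach (string module in modules)
                        {
                            // One Import-Module statement per module; AddStatement()
                            // keeps them from being chained into a single pipeline.
                            engine.AddCommand(moduleImportString);
                            engine.AddParameter("Name", module);
                            engine.AddStatement();
                        }
                    }
                    // Load the modules first, then run the requested command.
                    var result = engine.Invoke();
                    engine.Commands.Clear();
                    engine.AddCommand(psCommand);
                    var commandIter = engine.Invoke();
                    return commandIter;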
                }
            }
        }


        protected void Page_Load(object sender, EventArgs e)
        {
            // The method takes two arguments: the command and the modules to import.
            var results = ExecutePowerShellCommandTesting("Get-SCLogicalNetwork", new[] { "virtualmachinemanager" });
        }
    }
}
System Center Virtual Machine Manager
Windows for business Windows Server User experience PowerShell

5 answers

  1. MotoX80 36,291 Reputation points
    2021-07-10T17:22:27.243+00:00

    But if we run this code on a web page, we have an issue.

    I am not familiar with SCVMM, but since you are getting an access error, I might be able to help with IIS.

    When you execute the code on the console, the Powershell.exe process runs as the account you are logged on to the desktop with. When you try to connect to network resources (\\Server\Share), the local server authenticates your account with the remote server.

    In IIS "the account" could be the client user account, but it could also be the IUSR account, or the worker process identity for the site. It all depends on your code and how you configured the site.

    Is the site set up for anonymous access or do you authenticate the user? If you authenticate, do you also have impersonation set for the user?

    Will every user that accesses the web site have access to the SCVMM server? (I apologize for my lack of knowledge of that environment.) Is the "SCVMM server" running on the same machine as the web site?

    If the web site is on the same machine as the SCVMM service that you connect to, then you should be able to configure the site to impersonate the user. That way SCVMM will "see" who the user is.

    https://learn.microsoft.com/en-us/previous-versions/aspnet/134ec8tc(v=vs.100)

    If the web site is on a different server, then you have 3 machines involved in the process: the client running Edge/Chrome, the web server running IIS, and the SCVMM server. In that case you might run into the infamous Kerberos double hop problem.

    https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/understanding-kerberos-double-hop/ba-p/395463

    One workaround to that is to authenticate, but not impersonate the end user. Then set the IIS worker process for the site to use an account that has access to SCVMM. The problem with doing that is that every user who accesses the site has the same access to SCVMM. You have to programmatically control "who can do what" with the web site code.

    I think that's enough for now. Hope this helps.
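
The answer above turns on which Windows account the code runs as in each host. The following diagnostic is an added example, not code from the thread: `IdentityProbe` is a hypothetical helper that reports the effective identity, whether the thread is impersonating, the user IIS authenticated, and the identity seen inside a hosted PowerShell runspace.

```csharp
using System;
using System.Linq;
using System.Management.Automation;
using System.Security.Principal;
using System.Text;
using System.Web;

// Hypothetical helper (not from the thread): shows which account each layer uses.
public static class IdentityProbe
{
    public static string Describe()
    {
        var sb = new StringBuilder();

        // Effective identity of the current thread: the impersonated token if
        // there is one, otherwise the w3wp.exe / iisexpress.exe process account.
        using (WindowsIdentity effective = WindowsIdentity.GetCurrent())
        {
            sb.AppendLine("Effective identity : " + effective.Name);
            sb.AppendLine("Auth type          : " + effective.AuthenticationType);
            // None = primary token; Impersonation = usable on this machine only;
            // Delegation = may be presented to a remote server (the second hop).
            sb.AppendLine("Impersonation level: " + effective.ImpersonationLevel);
        }

        // GetCurrent(true) returns null unless the thread is impersonating.
        using (WindowsIdentity threadToken = WindowsIdentity.GetCurrent(true))
        {
            sb.AppendLine("Impersonating      : " + (threadToken != null));
        }

        // Identity IIS authenticated for this request (empty name when anonymous).
        HttpContext ctx = HttpContext.Current;
        if (ctx != null && ctx.User != null)
        {
            sb.AppendLine("Request user       : " + ctx.User.Identity.Name);
            sb.AppendLine("Authenticated      : " + ctx.User.Identity.IsAuthenticated);
        }

        // Identity as seen from inside a PowerShell runspace in this process.
        using (PowerShell ps = PowerShell.Create())
        {
            ps.AddScript("[Security.Principal.WindowsIdentity]::GetCurrent().Name");
            string inside = ps.Invoke().Select(o => o.ToString()).FirstOrDefault();
            sb.AppendLine("Runspace identity  : " + inside);
        }
        return sb.ToString();
    }
}
```

Call `IdentityProbe.Describe()` from both the console program and the page, then compare the two outputs line by line. `HttpContext.Current` is null in a console process, so the request lines are omitted there.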


  2. Emmanuel Vaussion 1 Reputation point
    2021-07-11T07:13:29.82+00:00

    Hello @MotoX80 ,
    Thank you for your answer!
    But I already know this.

    I changed the IIS user account to the same user as the console, but the issue remains.
    What's more, if I run IIS Express from Visual Studio with the same user as the console, I always get the same issue.

    Issue with IISEXPRESS:
    113574-capture.png

    Work on console
    113520-capture2.png

    Issue with IIS:
    113591-capture3.png
    113575-capture4.png


  3. MotoX80 36,291 Reputation points
    2021-07-11T21:02:46.387+00:00

    I'm sorry, I am out of town this week and will be limited with my responses. I won't have any way to test IIS Express.

    If you have w3wp.exe running as an admin account, that's the equivalent of worker process identity. In IIS, there is a setting that allows the user to use that account in place of IUSR. See if you can find that. Hopefully IIS Express has an equivalent setting.


  4. Emmanuel Vaussion 1 Reputation point
    2021-07-13T07:07:49.873+00:00

    You must not apologize for not being able to answer me right now.
    On the other hand, I am not sure that you understood correctly.
    With IIS or IIS Express, it is the same problem.
    Let's only talk about IIS.
    I did use an administrator account, the same as that of the console. Yet it does not work. See the screenshots.


  5. Emmanuel Vaussion 1 Reputation point
    2021-07-15T06:50:15.757+00:00

    I am going completely crazy.
    In order to simplify the test with IIS, I create a PowerShell session with authentication in order to be certain of the user.
    Even in this case VMM refuses the connection, whereas with a console I have no problem.
    PowerShell / VMM must identify something other than the login and block when it comes from IIS.

    Sample on IIS:

    protected void Page_Load(object sender, EventArgs e)
    {
        Runspace runspace = RunspaceFactory.CreateRunspace();
        runspace.Open();

        Pipeline pipeline = runspace.CreatePipeline();

        // Build an explicit credential, open a remote session on the VMM
        // server with it, then load the VMM module and run the query.
        string scripttext = "$secpasswd = ConvertTo-SecureString 'password' -AsPlainText -Force";
        string scripttext1 = @"$mycreds = New-object -typename System.Management.Automation.PSCredential('login',$secpasswd)";
        string scripttext2 = "$s = New-PSSession -ComputerName scvmm -Credential $mycreds";
        string scripttext3 = "Import-PSSession -Session $s";
        string scripttext4 = "Import-Module virtualmachinemanager";
        string scripttext5 = "Get-SCLogicalNetwork";

        pipeline.Commands.AddScript(scripttext);
        pipeline.Commands.AddScript(scripttext1);
        pipeline.Commands.AddScript(scripttext2);
        pipeline.Commands.AddScript(scripttext3);
        pipeline.Commands.AddScript(scripttext4);
        pipeline.Commands.AddScript(scripttext5);

        Collection<PSObject> results = pipeline.Invoke();

        runspace.Close();
    }
    

    English message: You cannot access Virtual Machine Manager server. Ensure that your account is a member of a valid user role, and then try the operation again

    114905-2021-07-15-08h45-01.png

    Sample on console:

    static void Main(string[] args)
    {
        Runspace runspace = RunspaceFactory.CreateRunspace();
        runspace.Open();

        Pipeline pipeline = runspace.CreatePipeline();

        // Same script sequence as the IIS sample: explicit credential,
        // remote session on the VMM server, module import, query.
        string scripttext = "$secpasswd = ConvertTo-SecureString 'password' -AsPlainText -Force";
        string scripttext1 = @"$mycreds = New-object -typename System.Management.Automation.PSCredential('login',$secpasswd)";
        string scripttext2 = "$s = New-PSSession -ComputerName scvmm -Credential $mycreds";
        string scripttext3 = "Import-PSSession -Session $s";
        string scripttext4 = "Import-Module virtualmachinemanager";
        string scripttext5 = "Get-SCLogicalNetwork";

        pipeline.Commands.AddScript(scripttext);
        pipeline.Commands.AddScript(scripttext1);
        pipeline.Commands.AddScript(scripttext2);
        pipeline.Commands.AddScript(scripttext3);
        pipeline.Commands.AddScript(scripttext4);
        pipeline.Commands.AddScript(scripttext5);

        Collection<PSObject> results = pipeline.Invoke();

        // Print each returned object.
        foreach (var item in results)
        {
            Console.WriteLine(item.BaseObject.ToString());
        }
        Console.ReadLine();

        runspace.Close();
    }
    

    114932-2021-07-15-08h46-41.png

