JackChuong-8462 asked

Issues with Just Enough Administration

Hi all,
My environment: Windows Server 2016 Standard with the OpenSSH service running, and a local user "gitlab"; user gitlab can SSH to the server successfully.
I want user gitlab to be able to run

 Stop-WebAppPool -Name "mywebapppool" -Passthru
 Start-WebAppPool -Name "mywebapppool" -Passthru

But I don't want to add user gitlab to the local Administrators group, so I'm trying Just Enough Administration (JEA) to grant user gitlab the ability to run some WebAdministration cmdlets (or some .ps1 files) with administrator privileges.
What I did:
Enable PowerShell module and script block logging
Create a role capability file C:\Program Files\WindowsPowerShell\Modules\gitlabJEA\RoleCapabilities\gitlabJEARole.psrc

     @{
     # ID used to uniquely identify this document
     GUID = 'xxx'
     # Author of this document
     Author = 'administrator'
     # Description of the functionality provided by these settings
     # Description = ''
     # Company associated with this document
     CompanyName = 'Unknown'
     # Copyright statement for this document
     Copyright = '(c) 2021 administrator. All rights reserved.'
     VisibleCmdlets = @{ Name = 'Stop-WebAppPool'; Parameters = @{ Name = 'Name'}, @{ Name = 'Passthru'}},
       @{ Name = 'Start-WebAppPool'; Parameters = @{ Name = 'Name'}, @{ Name = 'Passthru'}}
     VisibleExternalCommands = 'C:\myscripts\backup.ps1', 'C:\myscripts\deploy.ps1', 'C:\myscripts\extract.ps1', 'C:\myscripts\restore.ps1'
     }

Create a session configuration file gitlabJEAEndpoint.pssc

     @{
         # Version number of the schema used for this document
         SchemaVersion = '2.0.0.0'
         # ID used to uniquely identify this document
         GUID = 'xxx'
         # Author of this document
         Author = 'administrator'
         # Session type defaults to apply for this session configuration. Can be 'RestrictedRemoteServer' (recommended), 'Empty', or 'Default'
         SessionType = 'RestrictedRemoteServer'
         # Directory to place session transcripts for this session configuration
         # TranscriptDirectory = 'C:\Transcripts\'
         TranscriptDirectory = 'C:\Program Files\WindowsPowerShell\Modules\gitlabJEA\Transcripts'
         # Whether to run this session configuration as the machine's (virtual) administrator account
         RunAsVirtualAccount = $true
         # User roles (security groups), and the role capabilities that should be applied to them when applied to a session
         # RoleDefinitions = @{ 'CONTOSO\SqlAdmins' = @{ RoleCapabilities = 'SqlAdministration' }; 'CONTOSO\ServerMonitors' = @{ VisibleCmdlets = 'Get-Process' } } 
         RoleDefinitions = @{
             'myservername\gitlab' = @{ RoleCapabilities = 'gitlabJEARole' }
         }
         }

Registering JEA Configurations

     Test-PSSessionConfigurationFile -Path .\gitlabJEAEndpoint.pssc
     True
        
     Register-PSSessionConfiguration -Path .\gitlabJEAEndpoint.pssc -Name 'gitlabJEA' -Force
        
        WSManConfig: Microsoft.WSMan.Management\WSMan::localhost\Plugin
        
     Type            Keys                                Name
     ----            ----                                ----
     Container       {Name=gitlabJEA}                    gitlabJEA
        
     Get-PSSessionConfiguration | Select-Object Name
        
     Name
     ----
     gitlabJEA
     microsoft.powershell
     microsoft.powershell.workflow
     microsoft.powershell32
     microsoft.windows.serverma...

Issue 1: Using JEA interactively
From my workstation client (Windows 10 build 19042.1263) I can't start a JEA session:

 $nonAdminCred = Get-Credential
 enter myservername\gitlab and password
    
 Enter-PSSession -ComputerName myservername -ConfigurationName gitlabJEA -Credential $nonAdminCred
 Enter-PSSession : Connecting to remote server myservername failed with the following error message : WinRM cannot process
 the request. The following error with errorcode 0x8009030e occurred while using Kerberos authentication: A specified
 logon session does not exist. It may already have been terminated.
  Possible causes are:
   -The user name or password specified are invalid.
   -Kerberos is used when no authentication method and no user name are specified.
   -Kerberos accepts domain user names, but not local user names.
   -The Service Principal Name (SPN) for the remote computer name and port does not exist.
   -The client and remote computers are in different domains and there is no trust between the two domains.
  After checking for the above issues, try the following:
   -Check the Event Viewer for events related to authentication.
   -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or
 use HTTPS transport.
  Note that computers in the TrustedHosts list might not be authenticated.
    -For more information about WinRM configuration, run the following command: winrm help config. For more
 information, see the about_Remote_Troubleshooting Help topic.
 At line:1 char:1
 + Enter-PSSession -ComputerName myservername -ConfigurationName gitlabJEA  ...
 + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     + CategoryInfo          : InvalidArgument: (myservername:String) [Enter-PSSession], PSRemotingTransportException
     + FullyQualifiedErrorId : CreateRemoteRunspaceFailed

Issue 2: From my Windows 2016 server (logged in as administrator over RDP), I open PowerShell; I can start a JEA session but cannot run the cmdlet:

 $nonAdminCred = Get-Credential
 enter myservername\gitlab and password
    
 Enter-PSSession -ComputerName localhost -ConfigurationName gitlabJEA -Credential $nonAdminCred
 [localhost]: PS>Stop-WebAppPool -Name "mywebapppool" -Passthru
 The term 'Stop-WebAppPool' is not recognized as the name of a cmdlet, function, script file, or operable program.
 Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
     + CategoryInfo          : ObjectNotFound: (Stop-WebAppPool:String) [], CommandNotFoundException
     + FullyQualifiedErrorId : CommandNotFoundException
    
 [localhost]: PS>exit
 PS C:\Program Files\WindowsPowerShell\Modules\gitlabJEA> Enter-PSSession -ComputerName myservername -ConfigurationName gitlabJEA -Credential $nonAdminCred
 [myservername]: PS>Stop-WebAppPool -Name "mywebapppool" -Passthru
 The term 'Stop-WebAppPool' is not recognized as the name of a cmdlet, function, script file, or operable program.
 Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
     + CategoryInfo          : ObjectNotFound: (Stop-WebAppPool:String) [], CommandNotFoundException
     + FullyQualifiedErrorId : CommandNotFoundException
    
 [ETMS-TEST]: PS>Get-Command
    
 CommandType     Name                                               Version    Source
 -----------     ----                                               -------    ------
 Function        Clear-Host
 Function        Exit-PSSession
 Function        Get-Command
 Function        Get-FormatData
 Function        Get-Help
 Function        Measure-Object
 Function        Out-Default
 Function        Select-Object

I think something is wrong here; Get-Command should return more, right?

Issue 3: When user gitlab connects over SSH to the Windows Server 2016 host, PowerShell is the default shell; I don't know how to start a JEA session after this.

Please give some advice, thank you very much.


RichMatheisen-8856 answered

"myservername\gitlab" is a local user?

If so, this is probably your problem:

-Kerberos accepts domain user names, but not local user names.


Yes, it is a local user.
My Windows 2016 server is a member of an Active Directory domain, but I'm testing, so I use a local user.
Is it possible? What should I do to achieve it?
If it is impossible, should I create a domain user gitlab and update the session configuration file?

     RoleDefinitions = @{
         'mydomain\gitlab' = @{ RoleCapabilities = 'gitlabJEARole' }
     }

Does the gitlab user (whether local or domain) need to be allowed RDP access to my server?

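As an added check, not part of the thread: a short PowerShell probe that shows whether the account can pass Kerberos or Negotiate at the WinRM layer at all, which separates the local-versus-domain account problem above from any JEA configuration problem. The host and account names are the thread's; a WinRM HTTP listener on the default port is assumed.

```powershell
# Added example (not from the thread): check which WinRM authentication
# mechanism accepts a given account before trying Enter-PSSession, so that a
# transport/authentication failure is not mistaken for a JEA configuration one.
# Assumptions: WinRM listens on HTTP (5985) on $target, and $cred is either the
# local 'myservername\gitlab' or the domain 'mydomain\gitlab' account.
$target = 'myservername'
$cred   = Get-Credential -Message "Account to test against $target"

$results = foreach ($auth in 'Kerberos', 'Negotiate') {
    try {
        # Test-WSMan only performs the WS-Management Identify exchange; no
        # runspace or session configuration is involved, so the only things
        # exercised are the transport and the authentication handshake.
        $null = Test-WSMan -ComputerName $target -Credential $cred -Authentication $auth -ErrorAction Stop
        [pscustomobject]@{ Authentication = $auth; Result = 'OK' }
    } catch {
        [pscustomobject]@{ Authentication = $auth; Result = $_.Exception.Message }
    }
}
$results | Format-Table -AutoSize

# A local account has no principal in the domain, so the Kerberos row can only
# fail for it. Negotiate falls back to NTLM, but the WinRM client refuses to use
# NTLM over an HTTP listener unless the target is in TrustedHosts (which turns
# off server authentication for that host) or the transport is HTTPS.
Get-Item WSMan:\localhost\Client\TrustedHosts | Select-Object Name, Value
Get-ChildItem WSMan:\localhost\Client\Auth | Select-Object Name, Value
```

If Negotiate also fails for the local account, prefer an HTTPS listener over adding the server to TrustedHosts: TrustedHosts removes the client's ability to verify it is talking to the right server, which matters when the credential being sent is one that can stop production app pools.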
JackChuong-8462 answered

I deleted the local user "gitlab", created a domain user gitlab, imported the SSH key, and registered the JEA session configuration again:

     RoleDefinitions = @{
         'mydomain\gitlab' = @{ RoleCapabilities = 'gitlabJEARole' }
     }

Issue 1: Still cannot use JEA interactively, although I can open a remote PowerShell session to the Windows server from my Windows 10 client workstation:

 $nonAdminCred = Get-Credential
 enter mydomain\gitlab and password
 cmdlet Get-Credential at command pipeline position 1
 Supply values for the following parameters:
 Credential
 Enter-PSSession -ComputerName myservername -ConfigurationName gitlabJEA -Credential $nonAdminCred
 [myservername]: PS>get-command
    
 CommandType     Name                                               Version    Source
 -----------     ----                                               -------    ------
 Function        Clear-Host
 Function        Exit-PSSession
 Function        Get-Command
 Function        Get-FormatData
 Function        Get-Help
 Function        Measure-Object
 Function        Out-Default
 Function        Select-Object
    
    
 [ETMS-TEST]: PS>Stop-WebAppPool -Name "mywebapppool" -Passthru
 The term 'Stop-WebAppPool' is not recognized as the name of a cmdlet, function, script file, or operable program.
 Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
     + CategoryInfo          : ObjectNotFound: (Stop-WebAppPool:String) [], CommandNotFoundException
     + FullyQualifiedErrorId : CommandNotFoundException

Issue 3: Domain user gitlab can SSH to the Windows server successfully, but cannot stop the web app pool:

     PS C:\Users\gitlab.mydomain> Stop-WebAppPool -Name "mywebapppool" -Passthru
     Process should have elevated status to access IIS configuration data.
     stop-webitem : Cannot find drive. A drive with the name 'IIS' does not exist.
     At line:1 char:1
     + Stop-WebAppPool -Name "mywebapppool" -Passthru
     + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
         + CategoryInfo          : ObjectNotFound: (IIS:String) [Stop-WebItem], DriveNotFoundException
         + FullyQualifiedErrorId : DriveNotFound,Microsoft.IIs.PowerShell.Provider.StopItemCommand

I also tried to open a JEA PowerShell session from PuTTY after SSH, but it doesn't work. I don't specify a credential here because I log in over SSH as domain user gitlab.

 Enter-PSSession -ComputerName myservername -ConfigurationName gitlabJEA
 Enter-PSSession : Connecting to remote server myservername failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
 At line:1 char:1
 + Enter-PSSession -ComputerName myservername -ConfigurationName gitlabJEA
 + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     + CategoryInfo          : InvalidArgument: (myservername:String) [Enter-PSSession], PSRemotingTransportException
     + FullyQualifiedErrorId : CreateRemoteRunspaceFailed
    
 PS C:\inetpub\eTMS-Tools> Enter-PSSession -ComputerName localhost -ConfigurationName gitlabJEA
    
 Enter-PSSession : Connecting to remote server localhost failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
 At line:1 char:1
 + Enter-PSSession -ComputerName localhost -ConfigurationName gitlabJEA
 + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     + CategoryInfo          : InvalidArgument: (localhost:String) [Enter-PSSession], PSRemotingTransportException
     + FullyQualifiedErrorId : CreateRemoteRunspaceFailed

From the Windows server:

     $nonAdminCred = Get-Credential
     enter mydomain\gitlab and password
     cmdlet Get-Credential at command pipeline position 1
     Supply values for the following parameters:
     Credential
     Enter-PSSession -ComputerName localhost -ConfigurationName gitlabJEA -Credential $nonAdminCred
     [localhost]: PS>Get-Command
    
 CommandType     Name                                               Version    Source
 -----------     ----                                               -------    ------
 Function        Clear-Host
 Function        Exit-PSSession
 Function        Get-Command
 Function        Get-FormatData
 Function        Get-Help
 Function        Measure-Object
 Function        Out-Default
 Function        Select-Object
    
    
 [localhost]: PS>Stop-WebAppPool -Name "mywebapppool" -Passthru
 The term 'Stop-WebAppPool' is not recognized as the name of a cmdlet, function, script file, or operable program.
 Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
     + CategoryInfo          : ObjectNotFound: (Stop-WebAppPool:String) [], CommandNotFoundException
     + FullyQualifiedErrorId : CommandNotFoundException

Update: I think something is wrong with the session configuration file (although I tested it and it returned True) or with the role capability file; Stop-WebAppPool and Start-WebAppPool are not included in this check:

 Get-PSSessionCapability -ConfigurationName gitlabJEA -Username 'mydomain\gitlab'    
 CommandType     Name                                               Version    Source
 -----------     ----                                               -------    ------
 Alias           clear -> Clear-Host
 Alias           cls -> Clear-Host
 Alias           exsn -> Exit-PSSession
 Alias           gcm -> Get-Command
 Alias           measure -> Measure-Object
 Alias           select -> Select-Object
 Function        Clear-Host
 Function        Exit-PSSession
 Function        Get-Command
 Function        Get-FormatData
 Function        Get-Help
 Function        Measure-Object
 Function        Out-Default
 Function        Select-Object

How can I troubleshoot it?

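Added troubleshooting script, not part of the thread: it traces how JEA locates the role capability file, since Test-PSSessionConfigurationFile only validates the .pssc and says nothing about the .psrc it refers to. The endpoint, role and user names are the thread's.

```powershell
# Added example (not from the thread): trace how a role capability is located,
# to find out why Get-PSSessionCapability lists only the built-in functions.
# JEA resolves each name in RoleDefinitions[...].RoleCapabilities to a file
# <module>\RoleCapabilities\<name>.psrc under some directory in $env:PSModulePath.
# Assumes the thread's names: endpoint gitlabJEA, role gitlabJEARole, mydomain\gitlab.
$endpoint = 'gitlabJEA'
$role     = 'gitlabJEARole'
$user     = 'mydomain\gitlab'

# 1. Every candidate role file on the module path, with its parent module.
$candidates = foreach ($dir in ($env:PSModulePath -split ';' | Where-Object { $_ })) {
    Get-ChildItem -Path $dir -Filter '*.psrc' -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Directory.Name -eq 'RoleCapabilities' } |
        Select-Object @{ n = 'Module'; e = { $_.Directory.Parent.Name } }, BaseName, FullName
}
$candidates | Format-Table -AutoSize

$psrc = $candidates | Where-Object BaseName -eq $role | Select-Object -First 1
if (-not $psrc) { throw "No RoleCapabilities\$role.psrc under any PSModulePath entry" }

# 2. The file must be a valid PowerShell data file. Test-PSSessionConfigurationFile
#    only checks the .pssc, which is why the thread saw True while the cmdlets
#    were still missing; if this call throws, JEA cannot load the role either.
$data = Import-PowerShellDataFile -Path $psrc.FullName -ErrorAction Stop
'VisibleCmdlets declared in the file:'
@($data.VisibleCmdlets) | ForEach-Object { if ($_ -is [hashtable]) { $_.Name } else { $_ } }

# 3. The registered endpoint must map this principal to exactly that role name
#    (compare RoleDefinitions in the output with $role and $user).
Get-PSSessionConfiguration -Name $endpoint | Format-List *

# 4. What the principal actually receives, resolved without opening a session.
$visible = Get-PSSessionCapability -ConfigurationName $endpoint -Username $user
$visible | Where-Object CommandType -ne 'Alias' | Select-Object CommandType, Name, Source
```

Step 4 is the check to repeat after every edit to the .psrc: it runs as the local administrator registering the endpoint and needs no credentials for the constrained principal, so it is safe to run in a loop while tightening the role.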

JackChuong-8462 answered

I changed gitlabJEARole.psrc from

     VisibleCmdlets = @{ Name = 'Stop-WebAppPool'; Parameters = @{ Name = 'Name'}, @{ Name = 'Passthru'}}, @{ Name = 'Start-WebAppPool'; Parameters = @{ Name = 'Name'}, @{ Name = 'Passthru'}}

to

     VisibleCmdlets = 'Stop-WebAppPool', 'Start-WebAppPool'

Registered the session config again:
Get-PSSessionCapability -ConfigurationName gitlabJEA -Username 'mydomain\gitlab'

 CommandType     Name                                               Version    Source
 -----------     ----                                               -------    ------
 Alias           clear -> Clear-Host
 Alias           cls -> Clear-Host
 Alias           exsn -> Exit-PSSession
 Alias           gcm -> Get-Command
 Alias           measure -> Measure-Object
 Alias           select -> Select-Object
 Function        Clear-Host
 Function        Exit-PSSession
 Function        Get-Command
 Function        Get-FormatData
 Function        Get-Help
 Function        Measure-Object
 Function        Out-Default
 Function        Select-Object
 Cmdlet          Start-WebAppPool                                   1.0.0.0    WebAdministration
 Cmdlet          Stop-WebAppPool                                    1.0.0.0    WebAdministration
    
 Enter-PSSession -ComputerName myservername -ConfigurationName gitlabJEA -Credential $nonAdminCred
 [myservername]: PS>Get-Command -CommandType All
    
 CommandType     Name                                               Version    Source
 -----------     ----                                               -------    ------
 Alias           clear -> Clear-Host
 Alias           cls -> Clear-Host
 Alias           exsn -> Exit-PSSession
 Alias           gcm -> Get-Command
 Alias           measure -> Measure-Object
 Alias           select -> Select-Object
 Function        Clear-Host
 Function        Exit-PSSession
 Function        Get-Command
 Function        Get-FormatData
 Function        Get-Help
 Function        Measure-Object
 Function        Out-Default
 Function        Select-Object
 Cmdlet          Start-WebAppPool                                   1.0.0.0    WebAdministration
 Cmdlet          Stop-WebAppPool                                    1.0.0.0    WebAdministration

But I still cannot stop the web app pool:

     [myservername]: PS>Stop-WebAppPool -Name "mywebapppool" -Passthru
     Cannot find a provider with the name 'Variable'.
         + CategoryInfo          : ObjectNotFound: (Variable:String) [Stop-WebAppPool], ProviderNotFoundException
         + FullyQualifiedErrorId : ProviderNotFound,Microsoft.IIs.PowerShell.Provider.StopAppPoolCommand


JackChuong-8462 answered

I changed gitlabJEARole.psrc to

     VisibleCmdlets = 'Stop-WebAppPool', 'Start-WebAppPool'
     VisibleProviders = 'Variable', 'WebAdministration'

It works; I can stop/start the web app pool from remote PowerShell with JEA.

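Added example, not the poster's files: the question's .psrc/.pssc pair rebuilt with the fix above (both cmdlets plus the Variable and WebAdministration providers), with the -Name parameter pinned to mywebapppool again, which the working version had dropped, then registered, verified with Get-PSSessionCapability and called non-interactively, which also covers Issue 3 from the question. Endpoint, role, principal, pool and host names are the thread's; the transcript directory is an assumption.

```powershell
# Added example (not the original poster's files): the question's .psrc/.pssc
# pair rebuilt with the final fix from the thread and with -Name constrained
# to the one pool, then registered, verified and called without a prompt.
# Assumes the thread's names: endpoint gitlabJEA, role gitlabJEARole,
# principal mydomain\gitlab, pool mywebapppool, host myservername.
# The transcript path is an assumption. Run elevated on the server.
#Requires -RunAsAdministrator
$moduleRoot  = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\gitlabJEA'
$roleDir     = Join-Path $moduleRoot 'RoleCapabilities'
$psscPath    = Join-Path $moduleRoot 'gitlabJEAEndpoint.pssc'
$transcripts = 'C:\ProgramData\JEATranscripts'          # assumed location
$null = New-Item -Path $roleDir, $transcripts -ItemType Directory -Force

# Role capability. ValidatePattern makes the JEA proxy function reject any -Name
# other than mywebapppool before the real cmdlet runs; without it the virtual
# admin account can stop every pool on the box, DefaultAppPool included.
$pool = '^mywebapppool$'
New-PSRoleCapabilityFile -Path (Join-Path $roleDir 'gitlabJEARole.psrc') `
    -Author 'administrator' -Description 'Stop/start mywebapppool only' `
    -VisibleCmdlets @(
        @{ Name = 'Stop-WebAppPool';  Parameters = @{ Name = 'Name'; ValidatePattern = $pool }, @{ Name = 'Passthru' } }
        @{ Name = 'Start-WebAppPool'; Parameters = @{ Name = 'Name'; ValidatePattern = $pool }, @{ Name = 'Passthru' } }
    ) `
    -VisibleProviders 'Variable', 'WebAdministration'

# Session configuration: RunAsVirtualAccount means every visible command runs as
# a local Administrator, so the role file is the whole security boundary.
New-PSSessionConfigurationFile -Path $psscPath `
    -SessionType RestrictedRemoteServer -RunAsVirtualAccount `
    -TranscriptDirectory $transcripts `
    -RoleDefinitions @{ 'mydomain\gitlab' = @{ RoleCapabilities = 'gitlabJEARole' } }

if (-not (Test-PSSessionConfigurationFile -Path $psscPath)) { throw "Invalid session configuration: $psscPath" }
$null = Register-PSSessionConfiguration -Path $psscPath -Name 'gitlabJEA' -Force

# Nobody but admins may write the role file (or any script later listed in
# VisibleExternalCommands): editing it is editing what the admin account runs.
$loose = (Get-Acl -Path $roleDir).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.FileSystemRights.ToString() -match 'Write|Modify|FullControl' -and
    $_.IdentityReference.Value -notmatch 'Administrators|SYSTEM|TrustedInstaller|CREATOR OWNER'
}
if ($loose) { Write-Warning "Non-admin write access on ${roleDir}:`n$($loose | Out-String)" }

# Verify what the principal will get before anyone connects. If the two cmdlets
# are missing here, the .psrc was not found on the module path, did not parse,
# or its name does not match RoleDefinitions; the .pssc test above stays True.
$caps = Get-PSSessionCapability -ConfigurationName 'gitlabJEA' -Username 'mydomain\gitlab'
foreach ($name in 'Stop-WebAppPool', 'Start-WebAppPool') {
    if ($caps.Name -notcontains $name) { throw "$name is not visible to mydomain\gitlab in gitlabJEA" }
}

# Non-interactive use, as a CI runner (or the gitlab user's SSH shell on the
# server) would do it. In the thread the loopback connection from the SSH shell
# only succeeded once -Credential was given explicitly; a runner builds the
# PSCredential from its secret store instead of prompting.
$cred = Get-Credential -UserName 'mydomain\gitlab' -Message 'JEA principal'
Invoke-Command -ComputerName 'myservername' -ConfigurationName 'gitlabJEA' -Credential $cred -ScriptBlock {
    Stop-WebAppPool  -Name 'mywebapppool' -Passthru
    Start-WebAppPool -Name 'mywebapppool' -Passthru
}
# Out of pattern: the proxy rejects the call and the real cmdlet never runs.
Invoke-Command -ComputerName 'myservername' -ConfigurationName 'gitlabJEA' -Credential $cred -ScriptBlock {
    Stop-WebAppPool -Name 'DefaultAppPool'
} -ErrorAction Continue
```

Two points the working configuration in the thread leaves open: dropping the Parameters block exposes every parameter of both cmdlets, so the constrained principal can stop any pool, and the four .ps1 files listed under VisibleExternalCommands in the question execute as the virtual administrator, so their directory must be writable only by administrators or the gitlab account can escalate by editing them.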