6

I try to use powershell PSSession cmdlets, but I'm struggling with Access Denied Error.

What I try to do is using Administrator Account I run command New-PSSession (or Enter-PSSession) and unfortunately I receive Access Denied Error.

I follow all the instructions correctly I believe, cause on the other server I can run those commands with no troubles.

In addition I'd like to inform that test-wsman return me an response. I'm using Built-In Administrator Account and already checked Set-PSSessionConfiguration -Name Microsoft.PowerShell -ShowSecurityDescriptorUI All the privileges seems to be ok. I have no more ideas, looking for help.

UPDATE

I found one interesting behaviour:

Let's assume that:

  • IP Address of machine is 22.222.222.222
  • I log via remote desktop using Administrator Credentials

I use following commands:

new-pssession // access denied

new-pssession localhost // access denied

new-pssession 127.0.0.1 // access denied

new-pssession 22.222.222.222 // Session created ! It's working !

new-pssession 22.222.222.222 -Credential Get-Credential // access denied (using the same administrator credentials which I'm using for RDP)

I can add that on the other server when I run exactly the same commands all commands are successful.

Any Ideas?

Piotr Czarnecki
  • 1,688
  • 3
  • 14
  • 22

4 Answers4

9

PS session is used to access remote systems. For that you have to do few configurations:

1) Make sure the winrm service is running in all the destination systems as well as in your local system too.

2) You have to enable PS Remoting. Enable-PSRemoting configures a computer to receive PowerShell remote commands sent with WS-Man.

So,Start Windows PowerShell as an administrator 

Enable-PSRemoting –Force

3) You need to add the remote computer to the list of trusted hosts for the local computer in WinRM. To do so, type: 

winrm s winrm/config/client '@{TrustedHosts="RemoteComputer"}'

4) Check the configuration using: 

winrm quickconfig

Once done, you can use the New-Pssession command to create an interactive session with the destination system.

Else, you can use Invoke-Command to perform some remote operation like below:

I have mentioned in the comment section how it has to work. Sample :

$username = "Username"
$password = "Password"
$secstr = New-Object -TypeName System.Security.SecureString
$password.ToCharArray() | ForEach-Object {$secstr.AppendChar($_)}
$cred = new-object -typename System.Management.Automation.PSCredential -argumentlist $username, $secstr

# will list all the processess in the remote system 
# if you are the entireprise admin or the domain admin then you do not have to pass the credentials. It will take the windows authentication by default.
Invoke-Command -ComputerName RemoteServer -ScriptBlock {Get-Process } -Credential $cred

Since you have updated the question: Let me tell you point wise:

127.0.0.1 and localhost -- both are pointing to local system. Means you have to add them in the trusted hosts list of the local system. It is not advisable to use PSSession for the localsystem cause you can directly run all the ps cmdlets in the PS console.

22.222.222.222 -- working cause you have add that in the trusted host list and it is using the windows authentication by default

22.222.222.222 -Credential Get-Credential ---- not working because the format is a bit wrong. Use like this:

New-PSSession -ComputerName 22.222.222.222 -Credential (Get-Credential)

Hope it helps you.

Ranadip Dutta
  • 8,857
  • 3
  • 29
  • 45
  • Thanks for answer, but as I previously mentioned I did all of that 4 points and I got access denied error. – Piotr Czarnecki Apr 03 '17 at 19:46
  • Please post the error screenshot in that case. Lets see if we can get something out of that. – Ranadip Dutta Apr 04 '17 at 03:22
  • Ranadip Dutta -please check my Update. Any Ideas what can be wrong. The machine with those issues is VPS. – Piotr Czarnecki Apr 04 '17 at 08:28
  • @PiotrCzarnecki: I have modified the answer and mentioned point wise how things are working over in your case – Ranadip Dutta Apr 04 '17 at 08:38
  • Thanks for your update, but still I got Access Denied for that command: New-PSSession -ComputerName 22.222.222.222 -Credential (Get-Credential). For that it's ok: New-PSSession -ComputerName 22.222.222.222 – Piotr Czarnecki Apr 04 '17 at 08:53
  • Since its a remote system you have to pass that system's credential... and in that system add the source system in the trusted hosts list – Ranadip Dutta Apr 04 '17 at 09:08
  • @RanadipDutta localhost is useful for testing & validating that your script behaves as expected when ran on remote machine. I'm facing the same problem as OP (access denied for localhost), and adding localhost to trusted hosts list doesn't seem to have any effect whatsoever. – huoneusto Jan 24 '20 at 13:05
  • Can you share me your private ip, 127.0.0.1 mentioned in host file or not and the trusted hosts list and how are you adding them – Ranadip Dutta Jan 27 '20 at 07:45
5

There is a possible answer to this at the end, but a bit of background may help so I'm starting with that.

Intro

It is important to note that my answer is only related to loopback (localhost) sessions. It does not address problems with remote sessions.

Loopback sessions are useful as they enable a user with administrator rights to invoke user commands or scripts on the local host. An example of this is a toast message to a logged in user from a system monitoring program run under the System user. (Yes, there may be better ways of doing this but that's not what is being discussed here).

Background

I had exactly the same problem with exactly the same results as what is shown in the updates section of @Piotr's original question. I searched extensively on Google for an answer, but this yielded no working answers—even though a few people were reporting very similar issues.

Specs

As most people using Powershell remoting seem to not have this problem, it may be related to my machine's specs:

  • Windows 10 Home Version 1803.
  • Private network using WiFi connection
PS Env:\> $PSVersionTable
    
Name                           Value
----                           -----
PSVersion                      5.1.17134.858
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.17134.858
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

Possible Answer

The EnableNetworkAccess option worked for me, but I don't know why yet. It is confirmed to work for the PowerShell commands New-PSSession and Invoke-Command, and may work for others as well.

Examples

To configure PowerShell remoting, the following command is needed once—though it will not harm anything if it is repeated. It will only work on private (not public) networks.

PS Env:\> Enable-PSRemoting -force

The following examples don't require an entry in Trusted Hosts.

LAPTOP-XZ is the computer name == $env:COMPUTERNAME

. = dot alias for localhost

Invoke-Command -ComputerName . -ScriptBlock { dir } -EnableNetworkAccess
    
New-PSSession -EnableNetworkAccess
New-PSSession localhost -EnableNetworkAccess
New-PSSession 127.0.0.1 -EnableNetworkAccess
New-PSSession LAPTOP-XZ -EnableNetworkAccess

The IPv4 Address of the computer (192.168.1.103, in my case) will only work if it is included in Trusted Hosts. The EnableNetworkAccess option isn't needed in this case.

PS Env:\> Set-Item WSMan:\localhost\Client\TrustedHosts -Value "192.168.1.103"
    
New-PSSession 192.168.1.103

Note that including localhost and its other aliases in Trusted Hosts doesn't work in the above example (-EnableNetworkAccess is needed).

Community
  • 1
  • 1
Andy Bruin
  • 136
  • 1
  • 3
  • Wow, this is a really thorough and well-presented first answer. Thank you for your contribution, and keep up the great work! – Jeremy Caney Jun 02 '20 at 21:07
  • 1
    Thanks for the heads up Jeremy! Also big thanks for editing and adding the extra styling. Really brings out the content and makes it super clear. I now found these options under the styling menu so I will use them in the future. – Andy Bruin Jun 03 '20 at 01:13
  • the `EnableNetworkAccess` fixed our issue after we applied server hardening. The weird thing is that it worked perfectly fine before and we were unable to find anything obvious that got changed. – xorinzor Oct 24 '22 at 10:56
  • This answer needs to be upvoted. It provided me the solution i was looking for – Nitin J Feb 27 '23 at 00:03
2

I was having this exact issue and found that the username I was passing in needed to be the FQDN. i.e. username@domain.com rather than just username. once I updated to that it worked.

Scott
  • 21
  • 1
0

Try this out: https://www.powershellgallery.com/packages/Invoke-PSSession

It Invokes a Session, then Registers a PSSessionConfiguration with the Credentials that you provided. Basically providing the credentials for that DoubleHop

Marc Kellerman
  • 466
  • 3
  • 10