Access Denied Importing Certificate on Remote Machine


Solution 1

The problem you are running into is the second-hop credential passing with PowerShell remoting. See excerpt directly below from the article I linked.

The first hop was from your client to ServerA. The second is from ServerA to the other machine to which you’re trying to connect. The problem arises because your credentials can’t be delegated a second time.

That’s actually a security feature, designed to prevent your credential from being passed around without your knowledge. So your second hop operation fails, because ServerA isn’t able to send any credentials along for the ride.

There are some ways around this, namely to copy the cert file locally to the server you are importing it to first, which you have already stated works without issue.

You can also use CredSSP for second-hop remoting.
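The copy-first workaround from this answer, written out as an added example (not the answerer's own code): the certificate file travels from the client through the existing PSSession, so the remote side never has to authenticate to a share and no second hop occurs. Assumed: the server names, the UNC path, that `Copy-Item -ToSession` is available (PowerShell 5.0 or later on the client), and that the account is a local administrator on each target.

```powershell
# Added example, not part of the original answer.
# Assumptions: target hostnames, a .cer file reachable only from the client,
# and PowerShell 5.0+ on the client for Copy-Item -ToSession.
$Servers    = 'ServerA', 'ServerB'                 # assumed target names
$CertPath   = '\\myworkstation\share\root.cer'     # assumed client-side UNC path
$RemoteTemp = 'C:\Windows\Temp\root.cer'           # local path on each target

# Thumbprint computed on the client, used later to verify the import landed.
$Expected = (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath).Thumbprint

foreach ($Server in $Servers) {
    $Session = New-PSSession -ComputerName $Server
    try {
        # 1. Copy through the session: the client reads the share with its own
        #    credentials, so the target never needs delegated credentials.
        Copy-Item -Path $CertPath -Destination $RemoteTemp -ToSession $Session

        # 2. Import from the now-local path inside the remote session,
        #    then remove the temporary copy.
        $Result = Invoke-Command -Session $Session -ScriptBlock {
            param($Path, $Thumb)
            Import-Certificate -FilePath $Path -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
            Remove-Item -Path $Path -Force
            # 3. Verify by thumbprint rather than trusting the absence of an error.
            [pscustomobject]@{
                Computer  = $env:COMPUTERNAME
                Installed = Test-Path -Path "Cert:\LocalMachine\Root\$Thumb"
            }
        } -ArgumentList $RemoteTemp, $Expected

        $Result
    }
    finally {
        Remove-PSSession -Session $Session
    }
}
```

Anything that writes to Cert:\LocalMachine\Root changes which CAs every user on that machine trusts, so the thumbprint check at the end is worth keeping as an audit record of what was installed where.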

Solution 2

You can also distribute certificates to the trusted roots store (and other stores) via GPO. Using this method has the advantage of the proper certs being in place on new machines as they are built and joined to the domain.

Right click the store name, import the public key file, link the GPO, wait 90 minutes for GPO to refresh on the targets.

GPMC




Updated on September 18, 2022

Comments

  • EAndrus
    EAndrus almost 2 years

    I'm trying to come up with a way to push out a certificate for install on multiple machines. The method I came up with is:

    # Run the import on the remote host; note the parameter name needs its leading dash
    # and the backtick must be the last character on the line to continue the command.
    Invoke-Command ServerName {Import-Certificate -FilePath "path" `
      -CertStoreLocation Cert:\LocalMachine\Root}


    And I get:

    Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)
        + CategoryInfo          : NotSpecified (:) [Import-Certificate], Exception
        + FullyQualifiedErrorID : System.Exception,Microsoft.CertificationServices.Commands.ImportCertificateCommand
        + PSComputerName        : ServerName
    

    I'm running my local PowerShell as administrator, and my account is an administrator on the target machine. And I have verified that I can install certificates.

    EDIT: If I log onto the target machine and run the code in the {}'s it works fine, but only if I Run As Administrator. So while on my machine I'm launching as Administrator, it doesn't seem to be translating that over to the target.

    • bentek
      bentek over 8 years
      Is the path to the certificate file local or on a network share?
    • Mass Nerder
      Mass Nerder over 8 years
      Can you import the certificate using the certificates MMC? Is the certificate file on the network? If so you could be running into the double hop problem. Try copying the cert to the local drive and then importing it: blogs.msdn.com/b/clustering/archive/2009/06/25/9803001.aspx
    • EAndrus
      EAndrus over 8 years
      The path is a UNC path to my desktop where the cert is. If I run the code on the target machine exactly as-is above, it works fine. But only if I Run As Administrator on the target, so I think that might be part of the problem.
    • Art.Vandelay05
      Art.Vandelay05 over 8 years
      Just curious, is PSRemoting enabled on the target machine?
    • Colyn1337
      Colyn1337 over 8 years
      Is your "path" hard coded or is that a variable?
    • bentek
      bentek over 8 years
      @EAndrus - see my answer below.