New-PSSession with Exchange On premises failing "Access is denied"


The problem is that it's not possible to open a Kerberos-based session to another server unless the user has local admin rights, so the answer is to install the Exchange tools on the originating server, then open a CredSSP-based session with itself using the provided elevated credentials and import the Exchange commands that I need.

********** edit

As per comment below, I did in fact end up using Invoke-Command instead of a CredSSP session:

Invoke-Command -ComputerName "localhost" -EnableNetworkAccess -Credential $creds -ScriptBlock {
  param($creds, $username)
  # Initialise the flag so the return value is defined on the success path
  $errorFlag = $null
  # Load the Exchange management shell and connect to the on-premises server
  & 'C:\Program Files\Microsoft\Exchange Server\V15\Bin\RemoteExchange.ps1' | Out-Null
  Connect-OnPremExchange -ComputerName "exchangeserver" -Credential $creds
  try {
    # -ErrorAction Stop turns a non-terminating cmdlet error into one the catch block sees
    Enable-RemoteMailbox "$($username)" -RemoteRoutingAddress "$($username)@network.mail.onmicrosoft.com" -ErrorAction Stop | Out-Null
  } catch [Exception] {
    # Any failure is reported back to the caller as a simple flag
    $errorFlag = "error"
  }
  return $errorFlag
} -ArgumentList $creds, $request['username']

An interesting note too is that while this works for the Exchange commands, Active Directory lightweight services do not like working in the same way. When I tried to Invoke-Command with raised credentials on localhost to Add-ADGroupMember, it could not contact the server or recognise that AD was running; this still works using New-PSSession on the localhost via CredSSP, though.
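As an added example, not code from the question or answer: the CredSSP loopback session the answer mentions for the Active Directory cmdlets, wrapped so that the session is always removed and a failure is reported to the caller rather than swallowed. It assumes CredSSP has already been enabled on the web server; the function, parameter and group names are assumptions.

```powershell
# Added example: loopback CredSSP session for Add-ADGroupMember (names are placeholders)
function Add-UserToGroupViaCredSsp {
    param(
        [Parameter(Mandatory)] [pscredential] $Credential,   # elevated account supplied by the web form
        [Parameter(Mandatory)] [string] $GroupName,
        [Parameter(Mandatory)] [string] $UserName
    )

    $session = $null
    try {
        # The session runs on the same host as the elevated user; CredSSP lets that
        # user's credentials be delegated to the next hop (the domain controller).
        $session = New-PSSession -ComputerName 'localhost' -Credential $Credential `
                                 -Authentication Credssp -ErrorAction Stop

        # -ErrorAction Stop on Invoke-Command so a remote terminating error
        # reaches the local catch block instead of being written as a non-terminating one
        Invoke-Command -Session $session -ErrorAction Stop `
                       -ArgumentList $GroupName, $UserName -ScriptBlock {
            param($group, $user)
            Import-Module ActiveDirectory -ErrorAction Stop
            Add-ADGroupMember -Identity $group -Members $user -ErrorAction Stop
        }
        return $true
    }
    catch {
        # Report the actual failure; a bare flag hides why the call did not work
        Write-Error "Failed to add '$UserName' to '$GroupName': $($_.Exception.Message)"
        return $false
    }
    finally {
        # Always tear the session down, whether or not the AD call succeeded
        if ($session) { Remove-PSSession $session }
    }
}
```

CredSSP delegation is enabled once, as an administrator, with Enable-WSManCredSSP -Role Server and Enable-WSManCredSSP -Role Client -DelegateComputer (naming only the web server's own host name, not a wildcard) so that credentials can be delegated to this host alone.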

Author: Stangg

Updated on September 18, 2022

Comments

  • Stangg
    Stangg almost 2 years

    I have a script that runs from a web server via a web page that connects to an Exchange server (Exchange 2013 on Windows 2012 R2). The web server is running Windows 2012 R2. The script runs under the context of the user connected to the website.

    Doing some tests the following scenarios happen:

    • Connect to the website as a domain user, run the script and provide elevated user credentials (any account that has access to the Exchange server): fails
    • Connect to the website as an elevated user, run the script and provide elevated user credentials: succeeds
    • Make the domain user local admin on the origin server, connect to the website as that user and provide elevated user credentials: succeeds

      The code that connects to Exchange looks like this:

      # Build a credential object from the values the web request supplied
      $pw = ConvertTo-SecureString $request['pass'] -AsPlainText -Force
      $user = $request['login']
      $creds = New-Object System.Management.Automation.PSCredential($user,$pw)
      # Open a remote Exchange management session with Kerberos authentication
      $onPremSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "http://exchangeserver/PowerShell/" -Credential $creds -Authentication Kerberos

    The $request objects are how the script receives the credentials to connect to Exchange, and they work correctly, as proven by the tests.

    I thought it might be a second hop issue but that wouldn't explain why it works when the user is a local admin on the server the script is running from?

    The only thing that appears to matter is whether the user running the script is a local administrator on the server it's running from: if so, the connection succeeds as long as credentials are provided that have access to Exchange.

    Upon further investigation, I think I need to somehow run the New-PSSession command under the context of the elevated user it's sending, as that has local admin rights on the server, but I'm not sure how to achieve this as I'm not technically calling a script so I can open a new PowerShell.exe instance as the elevated user.

    I should also add that it's not an option to simply use a shell to do this; the point of the site is to remove the reliance on the users connecting to a PowerShell remote instance and running commands manually.

  • Colyn1337
    Colyn1337 over 8 years
    Did you think of trying Invoke-Command with the -EnableNetworkAccess switch?
  • Colyn1337
    Colyn1337 over 8 years
    I think that was added with v3 so I wasn't sure if it was something you could have evaluated. Be interesting to see if it works in your case.
  • David Makogon
    David Makogon almost 8 years
    Not sure what this means. Also, there's an accepted answer from 8 months ago.