none
Windows PowerShell Web Access - Authentication problem

    Question

  • Hi,


    Don't know if this is the right forum for it, but I'm testing the Windows Powershell Web Access and having some trouble to configure...


    Scenario:

    • Windows Server 2012 Standard (Virtual server name win2012.domain.local)
    • Domain joined
    • Windows Update up to date
    • Installed Windows PowerShell Web Access using the "Add Roles and Features" (Added necessary features too)
    • Used Windows PowerShell to: Install-PswaWebApplication –useTestCertificate
    • Then used: Add-PswaAuthorizationRule -UserName Domain\user -ComputerName win2012 -ConfigurationName Microsoft.Powershell
    • When I try to open the https://win2012/pswa in my computer (Windows 7, same domain) it opens with no problem.
    • When I try to login it gives me this error: "Access to the destination computer has been denied. Verify that you have access to the destination Windows PowerShell session configuration. This error can also occur if Windows PowerShell remote management has been disabled on the destination computer."
    • Already used: Enable-PSRemoting -Force
    • Already tried enabling Remote Desktop and adding my user to it

    And no joy......

    Any1?

    Friday, August 2, 2013 7:09 PM

Answers

  • Hi Vandrey,

    It appears we must provide the Admin account: 

        To establish a remote connection and run remote commands, the current user
        must be a member of the Administrators group on the remote computer. Or,
        the current user must be able to provide the credentials of an
        administrator.

    Regards, Brian


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Thursday, August 29, 2013 2:40 AM

All replies

  • Good Evening,

    Disable the windows firewalls and try again.


    Dame Luthas | thelifestrategist.wordpress.com

    Success is Something you Attract by the Person you Become

    If this post is useful, please hit the green arrow on the left & if this is the answer hit "mark as answer"

    • Proposed as answer by Dame Luthas Sunday, August 4, 2013 1:02 AM
    • Unproposed as answer by Vandrey Trindade Sunday, August 4, 2013 5:13 AM
    Sunday, August 4, 2013 1:02 AM
  • Hey Dame Luthas,

    I was thinking about that too... but disabled the firewall and still no joy...

    Thanks for the reply anyway!

    Sunday, August 4, 2013 5:14 AM
  • Hi,

    Did you follow the below article when deploy Windows Powershell Web Access:

    Install and Use Windows PowerShell Web Access

    http://technet.microsoft.com/en-us/library/hh831611.aspx

    In addition, please refer to the below article to work with Remote troubleshooting:

    http://technet.microsoft.com/en-us/library/hh847850.aspx

    Hope this helps.

    Regards,

    Yan Li

    If you have any feedback on our support, please click here .


    Cataleya Li
    TechNet Community Support

    Monday, August 5, 2013 7:27 AM
    Moderator
  • Hi Yan Li,

    Yes, I did followed those articles. I've started trying the Windows PowerShell Web Acces as a part of the MVA about PowerShell, and in one of the lessons those articles appear.

    But thanks a lot for trying!

    PS: Added one reply to the post with what I did to make it work and with another question.....

    Monday, August 5, 2013 11:47 AM
  • Finally!

    I was able to connect by changing my user permission on the server from "Remote Desktop User" to "Administrator".

    But now I ask another thing... Everyone that connects to that server must be administrator of the server?

    Monday, August 5, 2013 11:56 AM
  • You must be an admin of the remote computer to use some command.

    Thanks, Brian


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Thursday, August 15, 2013 3:55 PM
  • You must be an admin of the remote computer to use some command.

    That means the this feature is for admins only?

    Friday, August 16, 2013 11:17 AM
  • yes, you must use admin account to complete the configuration of authorization rules. Check the Technet article below:
    http://technet.microsoft.com/en-us/library/hh831611.aspx

    Sign-in failure section in  http://technet.microsoft.com/en-us/library/dn282395.aspx

    • Open the new Windows PowerShell Web Access website, https://< gateway_server_name>/pswa.

      The browser should display the Windows PowerShell Web Access console sign-in page.

      noteNote
      You cannot sign in until users have been granted access to the website by adding authorization rules.

    • In a Windows PowerShell session that has been opened with elevated user rights (Run as Administrator), run the following script, in which application_pool_name represents the name of the application pool that you created in step 3, to give the application pool access rights to the authorization file.

      $applicationPoolName = "<application_pool_name>"
      $authorizationFile = "C:\windows\web\powershellwebaccess\data\AuthorizationRules.xml"
      c:\windows\system32\icacls.exe $authorizationFile /grant ('"' + "IIS AppPool\$applicationPoolName" + '":R') > $null
      

      To view existing access rights on the authorization file, run the following command:

      c:\windows\system32\icacls.exe $authorizationFile
      

    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Saturday, August 17, 2013 2:11 AM
  • Ok... tested... I have to recreate the scenario once I've deleted the last one.

    What I did:

    • Installed Windows Server 2012 Standard
    • Joined domain
    • Did Windows Update til it's all updated
    • Installed Windows PowerShell Web Access using the "Add Roles and Features" (Added necessary features too)
    • Used Windows PowerShell to: Install-PswaWebApplication –useTestCertificate

    PS: All of the steps above I used the local admin in the server.

    • Logged in as Domain Administrator
    • Then used: Add-PswaAuthorizationRule -UserName Domain\user -ComputerName win2012 -ConfigurationName Microsoft.Powershell
    • When I try to open the https://win2012ps/pswa in my computer (Windows 7, same domain) it opens with no problem.
    • When I try to login it gives me this error: "Access to the destination computer has been denied. Verify that you have access to the destination Windows PowerShell session configuration. This error can also occur if Windows PowerShell remote management has been disabled on the destination computer."

    Did the steps you told me to:

    $applicationPoolName = "<application_pool_name>" $authorizationFile = "C:\windows\web\powershellwebaccess\data\AuthorizationRules.xml" c:\windows\system32\icacls.exe $authorizationFile /grant ('"' + "IIS AppPool\$applicationPoolName" + '":R') > $null

    And received the message below:

    IIS AppPool/PSWA: No mapping between account names and security IDs was done.

    I'll try to make all the process with the domain admin account now.

    __________________________________________________

    Ok, removed PSWA and installed again using domain admin user and powershell in administrator mode.

    I was able to successfully connect only adding my user into server administrators group and enabling PSremoting.


    No joy so.... But thx a lot for your try!

    Monday, August 19, 2013 11:16 AM
  • Glad to hear it works out :)

    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Tuesday, August 20, 2013 8:57 AM
  • Glad to hear it works out :)

    Brian,

    Sorry but it didn't changed the result from what I've done previously...

    I still get to connect only adding my domain user as administrator of the server.

    That's why I've asked: "That means the this feature is for admins only?"

    Tuesday, August 20, 2013 10:55 AM
  • Hi Vandrey,

    It appears we must provide the Admin account: 

        To establish a remote connection and run remote commands, the current user
        must be a member of the Administrators group on the remote computer. Or,
        the current user must be able to provide the credentials of an
        administrator.

    Regards, Brian


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Thursday, August 29, 2013 2:40 AM
  • Brian,

    Thank you so much for your time and answer!

    Thursday, August 29, 2013 10:54 AM
  • Vandrey,

    As I was customizing and constricting my security for access to my server using Windows PowerShell Web Access, I came across this thread. Your thread is the only place that I found the correct value for -ConfigurationName for the cmdlet Add-PswaAuthorizationRule. Any other value other than 'Microsoft.Powershell' would prompt a denial message for attempted logons.

    Thank you.


    Friday, January 29, 2016 10:53 PM
  • Slow Hands,

    Gald to see that it helped!

    Saturday, January 30, 2016 11:22 AM