GRGrayban
asked on
Access denied using asp.net on IIS 7.5 to access remote powershell
I am having issues making a clean connection from my IIS 7.5 Server to my Exchange 2010 Server, both running on separate servers and both running Server 2008 R2. The PowerShell Log on the IIS Server shows that the initial connection is being authenticated with the website user, but then the transport is being initiated with the user of the pool. Below is a snippet of code:
--------------------------------
Imports System.Management.Automation
Imports System.Management.Automation.Runspaces
Imports System.Text
Imports System.Security
Imports System.Security.Principal
Imports System.Runtime.InteropServices
Imports System.Collections.ObjectModel

Partial Class ASP_testing_Glen_PS
    Inherits System.Web.UI.Page

    Protected Sub Page_Load(sender As Object, e As System.EventArgs) Handles Me.Load
        ' Identity the page code is currently executing as
        Dim username As String = System.Security.Principal.WindowsIdentity.GetCurrent().Name

        ' Build a SecureString from the plain-text password
        Dim securePassword As New System.Security.SecureString()
        Dim c As Char
        Dim PSPassword As String = "ourpassword"
        For Each c In PSPassword
            securePassword.AppendChar(c)
        Next

        Dim secureUser As String = "domain\user"
        Dim pCredential As PSCredential = New PSCredential(secureUser, securePassword)

        ' Remote Exchange PowerShell endpoint, authenticated with Kerberos
        Dim pConnectionInfo As New WSManConnectionInfo(New Uri("http://myexchangefqdn/PowerShell?serializationLevel=Full"), "http://schemas.microsoft.com/powershell/Microsoft.Exchange", pCredential)
        pConnectionInfo.AuthenticationMechanism = AuthenticationMechanism.Kerberos
        pConnectionInfo.SkipCACheck = True
        pConnectionInfo.SkipCNCheck = True
        pConnectionInfo.NoEncryption = False
        pConnectionInfo.MaximumConnectionRedirectionCount = 4

        Dim pRunspace As Runspace
        pRunspace = System.Management.Automation.Runspaces.RunspaceFactory.CreateRunspace(pConnectionInfo)

        Try
            pRunspace.Open()
        Catch ex As InvalidExpressionException
            ' Only InvalidExpressionException is caught here; other exception types propagate to the page
            MyMailBox.text = ex.Message
        End Try
    End Sub
End Class
--------------------------------
Debug information:
System.Management.Automation.Remoting.PSRemotingTransportException: Processing data from remote server failed with the following error message: Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
Line 44: pRunspace.Open()
--------------------------------
PowerShell Log on IIS Server:
--------------------------------
1. PowerShell (Microsoft-Windows-PowerShell) 8193 Connect
2. PowerShell (Microsoft-Windows-PowerShell) 8194 Connect
3. PowerShell (Microsoft-Windows-PowerShell) 8195 Connect
4. PowerShell (Microsoft-Windows-PowerShell) 32784 None - Failed and shows application pool user instead of site user.
5. PowerShell (Microsoft-Windows-PowerShell) 32784 None - Failed and shows application pool user instead of site user.
4 and 5 are WSMan errors. Is there a way to impersonate for this web page, as the transport to the remote server cannot be the local application pool user?
Please let me know if you need any more information. Thanks for all your help.
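The log check described in the question can be scripted. The following is an added example, not part of the original post: it lists the event IDs quoted above together with the account each event was logged under, and flags entries recorded under an application pool identity. It assumes the events are in the Microsoft-Windows-PowerShell/Operational channel on the IIS server and is written to run on PowerShell 2.0.

```powershell
# Added example (not the asker's code). Run in an elevated console on the IIS server.
# Assumption: the events live in the PowerShell operational channel.
$logName  = 'Microsoft-Windows-PowerShell/Operational'
$eventIds = 8193, 8194, 8195, 32784      # event IDs quoted in the question

$events = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = $eventIds } `
                       -MaxEvents 100 -ErrorAction SilentlyContinue

$rows = $events | Sort-Object TimeCreated | ForEach-Object {
    # UserId is the SID the event was written under; resolve it to a name if possible.
    $account = '(none)'
    if ($_.UserId) {
        try   { $account = $_.UserId.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $account = $_.UserId.Value }   # unresolvable SID: show it as-is
    }

    New-Object PSObject -Property @{
        Time      = $_.TimeCreated
        Id        = $_.Id
        Account   = $account
        # Virtual accounts for application pools resolve to "IIS APPPOOL\<pool name>"
        IsAppPool = ($account -like 'IIS APPPOOL\*')
        Summary   = ("$($_.Message)" -split "`r?`n")[0]
    }
}

# Chronological view: shows where the account changes between the
# runspace-creation events and the failing events.
$rows | Select-Object Time, Id, Account, IsAppPool, Summary | Format-Table -AutoSize -Wrap

# Count of events per account and ID, to see which identity owns the failures.
$rows | Group-Object Account, Id | Select-Object Count, Name | Format-Table -AutoSize
```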
ASKER
Just to add information, I have enabled remoting and all the other prerequisites. I can remote directly through PowerShell on the IIS Server and import the Exchange applets and execute them on the remote Exchange server.
You might need to do this
http://technet.microsoft.com/en-us/library/ff793352%28v=office.14%29.aspx
http://msdn.microsoft.com/en-us/library/exchange/bb204095%28v=exchg.140%29.aspx
Try again.
ASKER
amitkulshrestha,
Thank you for the suggestions. The web site user has been added to the applicable roles on the Exchange server. Again, I can do this in PS, but not in IIS. The impersonation I speak about is on the IIS server.
Also, the account is set to never expire.
thx.
It is more of an IIS issue... wait and see if any IIS EE can help you.
ASKER
I agree. Thx for the effort.
ASKER
Just to add more information:
Even though impersonation is set in the config file, the WSMan transport still wants to use the IIS APPPOOL\Classic .NET AppPool account on the Application Pool. This is the problem in my opinion.
ASKER
Bump
very smart mr author!
ASKER
The reason I accepted my comment as the solution is because I was able to pin point the problem. I gave amitkulshrestha points because that got me thinking about accounts. I gave gurutc points because that got me to think about permissions.
Thanks to the Moderator for keeping this question moving forward.
Glen
http://technet.microsoft.com/en-us/library/dd298084%28v=exchg.141%29.aspx