GRGrayban asked:

Access denied using asp.net on IIS 7.5 to access remote powershell

I am having issues making a clean connection from my IIS 7.5 Server to my Exchange 2010 Server, both running on separate servers and both running Server 2008 R2. The PowerShell log on the IIS Server shows that the initial connection is being authenticated with the website user, but then the transport is being initiated with the user of the pool. Below is a snippet of code:
--------------------------------
Imports System.Data                     ' InvalidExpressionException
Imports System.Management.Automation    ' PSCredential
Imports System.Management.Automation.Runspaces
Imports System.Text
Imports System.Security
Imports System.Security.Principal
Imports System.Runtime.InteropServices
Imports System.Collections.ObjectModel

Partial Class ASP_testing_Glen_PS
    Inherits System.Web.UI.Page

    Protected Sub Page_Load(sender As Object, e As System.EventArgs) Handles Me.Load
        ' Identity the page code is currently running under
        Dim username As String = System.Security.Principal.WindowsIdentity.GetCurrent().Name

        ' Build the credential for the remote session (placeholder account and password)
        Dim securePassword As New System.Security.SecureString()
        Dim c As Char
        Dim PSPassword As String = "ourpassword"
        For Each c In PSPassword
            securePassword.AppendChar(c)
        Next
        Dim secureUser As String = "domain\user"
        Dim pCredential As PSCredential = New PSCredential(secureUser, securePassword)

        ' Exchange 2010 remote PowerShell endpoint and shell URI
        Dim pConnectionInfo As New WSManConnectionInfo(New Uri("http://myexchangefqdn/PowerShell?serializationLevel=Full"), "http://schemas.microsoft.com/powershell/Microsoft.Exchange", pCredential)
        pConnectionInfo.AuthenticationMechanism = AuthenticationMechanism.Kerberos
        ' SkipCACheck/SkipCNCheck relax certificate validation; they only affect HTTPS connections
        pConnectionInfo.SkipCACheck = True
        pConnectionInfo.SkipCNCheck = True
        pConnectionInfo.NoEncryption = False
        pConnectionInfo.MaximumConnectionRedirectionCount = 4

        ' Open the remote runspace; this is the call that fails with "Access is denied"
        Dim pRunspace As Runspace
        pRunspace = System.Management.Automation.Runspaces.RunspaceFactory.CreateRunspace(pConnectionInfo)
        Try
            pRunspace.Open()
        Catch ex As InvalidExpressionException
            ' PSRemotingTransportException is not an InvalidExpressionException,
            ' so the failure is not caught here and surfaces as the error shown below
            MyMailBox.text = ex.Message
        End Try
    End Sub
End Class

--------------------------------------------
Debug information:
 System.Management.Automation.Remoting.PSRemotingTransportException: Processing data from remote server failed with the following error message: Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.

Line 44:             pRunspace.Open()
--------------------------------------------
Powershell Log on IIS Server:
--------------------------------------------
1. PowerShell (Microsoft-Windows-PowerShell) 8193 Connect
2. PowerShell (Microsoft-Windows-PowerShell) 8194 Connect
3. PowerShell (Microsoft-Windows-PowerShell) 8195 Connect
4. PowerShell (Microsoft-Windows-PowerShell) 32784 None - Failed and shows  application pool user instead of site user.
5. PowerShell (Microsoft-Windows-PowerShell) 32784 None - Failed and shows  application pool user instead of site user.

4 and 5 are WSMan errors. Is there a way to impersonate for this web page, as the transport to the remote server cannot be the local application pool user?

Please let me know if you need any more information. Thanks for all your help.

Amit

Enable remote PowerShell on your Exchange server and try again.

http://technet.microsoft.com/en-us/library/dd298084%28v=exchg.141%29.aspx

GRGrayban (ASKER)

Just to add information, I have enabled remoting and all the other prerequisites. I can remote directly through powershell on the IIS Server and import the exchange applets and execute them on the remote Exchange server.

SOLUTION (Amit): [answer hidden on the source page]

amitkulshrestha,

Thank you for the suggestions. The web site user has been added to the applicable roles on the exchange server. Again, I can do this in PS, but not in IIS. The impersonation I speak about is on the IIS server.

Also, the account is set to never expire.

thx.

It is more of an IIS issue... wait to see if any IIS EE can help you.

I agree. Thx for the effort.

Just to add more information:

Even though impersonation is set in the config file, the WSMan transport still wants to use the IIS APPPOOL\Classic .NET AppPool account on the Application Pool. This is the problem in my opinion.
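
To check which account each layer is actually running as, a diagnostic along these lines can be called from the page. This is an added example, not part of the original thread; the `IdentityProbe` class and its method names are hypothetical. It reports the identity on the request thread, the identity of the worker process, and the identity a newly started thread sees.

```vbnet
Imports System
Imports System.Security.Principal
Imports System.Threading

' Added diagnostic helper (hypothetical names, not from the original post).
Public Class IdentityProbe
    Private _seen As String

    ' Identity on the calling thread: the impersonated site user when
    ' ASP.NET impersonation is in effect for the request.
    Public Shared Function ThreadIdentity() As String
        Return WindowsIdentity.GetCurrent().Name
    End Function

    ' Identity of the worker process (the application pool account).
    ' Impersonate(IntPtr.Zero) reverts the thread to the process token
    ' until Undo() is called.
    Public Shared Function ProcessIdentity() As String
        Dim ctx As WindowsImpersonationContext = WindowsIdentity.Impersonate(IntPtr.Zero)
        Try
            Return WindowsIdentity.GetCurrent().Name
        Finally
            ctx.Undo()
        End Try
    End Function

    ' Identity seen by a thread started from the request thread. Whether the
    ' impersonation token flows to it depends on the runtime's
    ' impersonation-flow policy, so this can differ from ThreadIdentity().
    Public Shared Function NewThreadIdentity() As String
        Dim probe As New IdentityProbe()
        Dim t As New Thread(AddressOf probe.Capture)
        t.Start()
        t.Join()
        Return probe._seen
    End Function

    Private Sub Capture()
        _seen = WindowsIdentity.GetCurrent().Name
    End Sub

    ' One line suitable for a label or trace log.
    Public Shared Function Report() As String
        Return String.Format("thread={0}; process={1}; new thread={2}", _
            ThreadIdentity(), ProcessIdentity(), NewThreadIdentity())
    End Function
End Class
```

Writing `IdentityProbe.Report()` to a label in `Page_Load`, just before `pRunspace.Open()`, shows whether the site user or the application pool account is in effect at each point.
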
Bump

SOLUTION: [answer hidden on the source page]

ASKER CERTIFIED SOLUTION: [answer hidden on the source page]

very smart mr author!
The reason I accepted my comment as the solution is because I was able to pinpoint the problem. I gave amitkulshrestha points because that got me thinking about accounts. I gave gurutc points because that got me to think about permissions.

Thanks to the Moderator for keeping this question moving forward.

Glen