Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

Exchange PowerShell remoting unable to reconnect in certain offices.

Posted on 2014-09-17
4
328 Views
Last Modified: 2014-09-18
So I am kind of at a loss on this one and thought I'd reach out.  I have a couple IT administrators in an international location who can't connect to Exchange to do remoting from their workstations, but they CAN from RDP sessions to machines that are in our headquarters.  When using the simplified below code to connect to Exchange:

$server = '<serverName>'
$s = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "http://$server/PowerShell/" -Authentication Kerberos
Import-PSSession $s

Open in new window


It connects fine and allows them to execute a few Exchange commands and then the PSSession breaks and when it goes to reconnect they get this error:

New-PSSession : [<serverName] Connecting to remote server <serverName> failed with the following error message : Access is denied.  For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:6
+ $s = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http:// ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      + CategoryInfo                  : OpenError: (System.Manageme....RemoteRunspace) [New-PSSession], PSRemotingTransportException
      + FullyQualifiedErrorId      : AccessDenied,PSSessionOpenFailed

What's interesting is that the initial session with the Exchange servers (version 2010 and 2013 report this..so PSv2 and v3) works just fine and it's only after the PSSession is broken is when this becomes an issue, so it's not a case where the user has rights.

The issues doesn't appear to be account specific since I can RDP into a computer in this office and experience the same problem even though from my normal workstation either across a VPN or even through a server in the central office it works just fine.

So I'm stuck on this one.  This issue is effecting all of the IT folks in this international office who need to run Exchange cmdlets via remoting so it seems to be tied to the office (which makes me think it's a networking thing, but it only happens with Exchange remoting and only when the session is broken and the re-connection code is called).

Any ideas?
0
Comment
Question by:evetsleep
  • 2
  • 2
4 Comments
 
LVL 37

Accepted Solution

by:
Jamie McKillop earned 500 total points
ID: 40330081
Hello,

Do you have any WAN optimizers in place? I've seen a similar issue where a WAN optimizer was the cause. It was related to Kerberos authentication. My network guys had to make some exclusions on the optimizers.

-JJ
0
 
LVL 1

Author Comment

by:evetsleep
ID: 40330777
Yeah...I'm looking into that.  I fired up some network monitors on the client and the server and I see the client sending an HTTP POST containing the Kerberos data and the server responds with a 200 OK and then the client sends a follow up POST that is a Kerberos encrypted session that never makes it to the server, but the funny thing is the client gets a 401 response from the server (which I never see on the server side network monitor).
0
 
LVL 37

Expert Comment

by:Jamie McKillop
ID: 40330785
The 401 is probably coming from the optimizer.

-JJ
0
 
LVL 1

Author Closing Comment

by:evetsleep
ID: 40331354
Jamie you were right.  I had the network folks put in an exclusion for the test host I was using where I could reproduce this 100% of the time after they told me there was a WAN optimizer in place.  After they did that the problem went away.  Now I just need to work with them to find out what kind of large scale solution we can put into place so that Kerberos authorization can work over HTTP with PowerShell.  Thanks!
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

MS Outlook is a world-class email client application that is mainly used for e-communication globally.  In this article, we will discuss the basic idea about MS Outlook, its advanced features, and types of MS Outlook File formats.
Windows 10 came with  a lot of built in applications, Some organisations leave them there, some will control them using GPO's. This Article is useful for those who do not want to have any applications in their image (example:me).
The basic steps you have just learned will be implemented in this video. The basic steps are shown to configure an Exchange DAG in a live working Exchange Server Environment and manage the same (Exchange Server 2010 Software is used in a Windows Ser…
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…

856 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question