powershellwindows-server-2012access-deniedpowershell-remotingexchange-server-2013

"Access Is Denied" error when attempting to remote to Exchange server on localhost


I am attempting to establish a PowerShell session to run several Exchange commands against an Exchange server on the localhost. I keep getting the following error:

New-PSSession : [<HOSTNAME>] Connecting to remote server <HOSTNAME> failed with the following error message
: Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:12
+ $session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri 'h ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotin
   gTransportException
    + FullyQualifiedErrorId : AccessDenied,PSSessionOpenFailed

My code is a copy paste from the Microsoft Technet Article. It works against remote machine, but anytime I target the machine I am running from, I get the above error.

What I've tried so far:

  1. Checked the about_remote_troubleshooting help topic. Nothing in there relating to Access Denied errors worked.
  2. Targeted remote machines using the same credentials as received the Access Denied error. (Connected without issue)
  3. Verified that my PowerShell session is running as Administrator. (It is)
  4. Verified that the Exchange Management Shell is able to launch successfully. (It is)
  5. Tried without credentials to see if that would work. (It didn't)
  6. Checked net use and net session to make sure I didn't have a weird multiple connections with the same credentials issue. (I didn't see anything to indicate that)
  7. Tried this both from the script that is causing issues and by typing the commands into a powershell console by hand. (got the same results both ways. Yay for consistency)
  8. Tried this on multiple systems. (Same result everywhere)

Some quick notes:

The specific commands I am entering are:

$cred = Get-Credential
$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri 'http://<HOSTNAME>/Powershell' -Credential $cred

Is connecting to the localhost like this something that I should be able to do? Or is it just not supported?

I am at a complete loss at this point. Any help, even to point me in the right direction, would be greatly appreciated.

EDIT: I should add, I've attempted connecting to this localhost from a different machine, using the same commands as above, and it worked without issue. So, I don't think it is a local configuration issue.


Solution

  • So, I stumbled on the solution late last week. It seems to have something to do with the authentication being used. I had left the "-Authentication" parameter blank, intending to let the New-PSSession command sort out which method would be best.

    Apparently, this defaults to the "Negotiate" authentication method, which will select Kerberos against a remote machine, but will select NTLM otherwise (or at least, that was my observed/assumed behavior). See this Microsoft description of the authentication methods.

    Specifying a specific Authentication method (Both "Kerberos" and "Basic" worked, "Negotiate" didn't, I didn't tinker too much past this) clears the issue and allowed me to connect to the local exchange instance.

    So, rather than this:

    $session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri 'http://<HOSTNAME>/Powershell' -Credential $cred
    

    Do this:

    $session = New-PSSession -Authentication Kerberos -ConfigurationName Microsoft.Exchange -ConnectionUri 'http://<HOSTNAME>/Powershell'  -Credential $cred
    

    Why did that work? I have no clue. I'll leave it to people who know more than me to explain it.