"Access Is Denied" error when attempting to remote to Exchange server on localhost

Jgraum picture Jgraum · May 27, 2015 · Viewed 54k times · Source

I am attempting to establish a PowerShell session to run several Exchange commands against an Exchange server on the localhost. I keep getting the following error:

New-PSSession : [<HOSTNAME>] Connecting to remote server <HOSTNAME> failed with the following error message
: Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:12
+ $session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri 'h ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotin
   gTransportException
    + FullyQualifiedErrorId : AccessDenied,PSSessionOpenFailed

My code is a copy paste from the Microsoft Technet Article. It works against remote machine, but anytime I target the machine I am running from, I get the above error.

What I've tried so far:

  1. Checked the about_remote_troubleshooting help topic. Nothing in there relating to Access Denied errors worked.
  2. Targeted remote machines using the same credentials as received the Access Denied error. (Connected without issue)
  3. Verified that my PowerShell session is running as Administrator. (It is)
  4. Verified that the Exchange Management Shell is able to launch successfully. (It is)
  5. Tried without credentials to see if that would work. (It didn't)
  6. Checked net use and net session to make sure I didn't have a weird multiple connections with the same credentials issue. (I didn't see anything to indicate that)
  7. Tried this both from the script that is causing issues and by typing the commands into a powershell console by hand. (got the same results both ways. Yay for consistency)
  8. Tried this on multiple systems. (Same result everywhere)

Some quick notes:

  • This is Exchange 2013 running on Windows Server 2012. It's a basic installation, just a test environment that has very little data and minimal configuration beyond installing and enabling remoting.
  • The Credentials used were for the domain admin, which also has the necessary Exchange permissions to do whatever I need to do. I.e, so long as I target a machine that is not the one I am running from, I have no issues whatsoever, with nothing else changing about the way I am connecting. Additionally, this is a test domain where the domain admin's access hasn't been restricted or tweaked in any way, so it should have total and complete access to everything.

The specific commands I am entering are:

$cred = Get-Credential
$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri 'http://<HOSTNAME>/Powershell' -Credential $cred

Is connecting to the localhost like this something that I should be able to do? Or is it just not supported?

I am at a complete loss at this point. Any help, even to point me in the right direction, would be greatly appreciated.

EDIT: I should add, I've attempted connecting to this localhost from a different machine, using the same commands as above, and it worked without issue. So, I don't think it is a local configuration issue.

Answer

Jgraum picture Jgraum · Jun 1, 2015

So, I stumbled on the solution late last week. It seems to have something to do with the authentication being used. I had left the "-Authentication" parameter blank, intending to let the New-PSSession command sort out which method would be best.

Apparently, this defaults to the "Negotiate" authentication method, which will select Kerberos against a remote machine, but will select NTLM otherwise (or at least, that was my observed/assumed behavior). See this Microsoft description of the authentication methods.

Specifying a specific Authentication method (Both "Kerberos" and "Basic" worked, "Negotiate" didn't, I didn't tinker too much past this) clears the issue and allowed me to connect to the local exchange instance.

So, rather than this:

$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri 'http://<HOSTNAME>/Powershell' -Credential $cred

Do this:

$session = New-PSSession -Authentication Kerberos -ConfigurationName Microsoft.Exchange -ConnectionUri 'http://<HOSTNAME>/Powershell'  -Credential $cred

Why did that work? I have no clue. I'll leave it to people who know more than me to explain it.