Mark Minasi's Tech Forum
#1  Pieter (Senior Member, Posts: 191)

The script:
# List every mailbox database whose activation preference 1 copy is not the
# copy that is currently mounted. ActivationPreference is a list of
# (server, preference) pairs; expanding it gives one object per pair with the
# database Identity and its mounted Server attached, so Key is the preferred
# server and Value is the preference number.
$check = (Invoke-Command -ConfigurationName Microsoft.Exchange `
    -ConnectionUri http://SERVER1.domain.com/PowerShell/ `
    -Command { Get-ExchangeServer | Get-MailboxDatabase |
               Select-Object Identity, Server -ExpandProperty ActivationPreference } |
    Where-Object { $_.Key -ne $_.Server -and $_.Value -eq "1" } |
    Select-Object Identity, @{n="MountedOn"; e={$_.Server}}, @{n="ShouldBe"; e={$_.Key}} |
    Sort-Object Identity)

# Note: a failed Invoke-Command also leaves $check empty, so this branch runs on
# remoting errors too; that is how the error file quoted below was produced.
if ($null -eq $check)
  {
    Write-Host "Databases are balanced."
    # Dump the session's $Error collection to a file for troubleshooting
    ${c:\myError.txt} = $Error
    exit 0
  }
  else
  {
    Write-Error "ERROR - UNBALANCED DATABASES"
    exit 1
  }

The situation:
The script is run by a service on SERVER0 with the credentials of a Managed Service Account "SERVER0_MSA$". The script does an "invoke-command" towards SERVER1. SERVER2 is one of the Exchange boxes.

The result is not good. The file C:\MyError.txt contains :
Processing data from remote server SERVER1.domain.com failed with the following error message:
[ClientAccessServer=SERVER2,BackEndServer=SERVER2.domain.com, [...], [FailureCategory=AuthZ-CmdletAccessDeniedException]
The operation couldn't be performed because 'DOMAIN\SERVER0_MSA$' couldn't be found.

What is wrong?


__________________
Pieter Demeulemeester
#2  Infradeploy (Senior Member, Posts: 166)
A managed account is associated with a server. That account is known and registered at the Exchange server?
__________________
Have SpaceSuit, Will Travel

#3  Pieter (Senior Member, Posts: 191)
Hi Ton,
No. The managed service account is registered at SERVER0 where the script runs.

Actually it is a monitoring tool that runs as a service that launches the script, among many other checks.  The other checks (PS1, CMD or built-in/compiled checks) are working fine.
The service runs with the credentials of the managed service account.

__________________
Pieter Demeulemeester
#4  wkasdo (Administrator, Posts: 229)
Is this perhaps the only script where you use Invoke-Command? This looks like a multi-hop situation. Does it work if you execute the script using your regular admin account? If I'm right, this should fail. More to read: https://blogs.technet.microsoft.com/heyscriptingguy/2013/04/04/enabling-multihop-remoting/
__________________
[MSFT]; Blog: https://blogs.technet.microsoft.com/389thoughts/
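As an added example (not from the thread or the linked blog) of the test Willem proposes: run a command on the first hop and have that command touch a second machine. A true double-hop failure shows up as the second step failing while the first succeeds. The hostnames are the thread's; the share path, function name and parameters are assumptions. Post #5 later reports that the Exchange script does work with a regular account, which a pure double-hop problem would not allow, so this is a way to confirm or rule out the hypothesis rather than a fix for the MSA error.

```powershell
# Added example; not from the thread or the linked blog.
# Assumed: SERVER1 is the WinRM target (first hop, from the thread) and
# \\SERVER2\c$ stands in for any resource the first hop must reach on a
# second machine. Function and parameter names are made up.

function Test-SecondHop {
    param(
        [Parameter(Mandatory)] [string] $FirstHop,        # e.g. SERVER1.domain.com
        [Parameter(Mandatory)] [string] $SecondHopPath,   # e.g. \\SERVER2.domain.com\c$
        [System.Management.Automation.PSCredential] $Credential,
        [switch] $UseCredSSP   # the approach in the linked blog; needs Enable-WSManCredSSP on both sides
    )
    if ($UseCredSSP -and -not $Credential) {
        throw 'CredSSP needs an explicit -Credential to delegate.'
    }
    $params = @{ ComputerName = $FirstHop; ErrorAction = 'Stop' }
    if ($Credential) { $params.Credential = $Credential }
    if ($UseCredSSP) { $params.Authentication = 'CredSSP' }

    Invoke-Command @params -ArgumentList $SecondHopPath -ScriptBlock {
        param($path)
        $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
        $result = [ordered]@{
            FirstHop  = $env:COMPUTERNAME
            RunningAs = $id.Name
            AuthType  = $id.AuthenticationType
            SecondHop = $null
            Error     = $null
        }
        try {
            # With plain Kerberos the remote session holds a ticket for this
            # host only, so reaching another machine from here is the hop that
            # fails (access denied, or an anonymous logon seen on the target).
            $null = Get-ChildItem -LiteralPath $path -ErrorAction Stop
            $result.SecondHop = 'OK'
        } catch {
            $result.SecondHop = 'FAILED'
            $result.Error = $_.Exception.Message
        }
        [pscustomobject]$result
    }
}

# Usage (run on SERVER0):
#   Test-SecondHop -FirstHop SERVER1.domain.com -SecondHopPath '\\SERVER2.domain.com\c$'
#   Test-SecondHop -FirstHop SERVER1.domain.com -SecondHopPath '\\SERVER2.domain.com\c$' `
#       -UseCredSSP -Credential (Get-Credential)
#
# Least-privilege alternative to CredSSP: resource-based constrained delegation,
# which lets SERVER1's computer account obtain a ticket to SERVER2 on the
# caller's behalf without the caller's password ever leaving SERVER0.
# Needs the ActiveDirectory module and 2012+ domain controllers (run once, as a domain admin):
#   Set-ADComputer -Identity SERVER2 -PrincipalsAllowedToDelegateToAccount (Get-ADComputer SERVER1)
```

Run it first without switches: if the object comes back with SecondHop FAILED and an access-denied message while RunningAs shows the expected account, the first hop authenticated fine and only the onward hop lacks a credential, which is the double-hop signature. CredSSP fixes that by sending the password to SERVER1 (so SERVER1 must be trusted with it); resource-based constrained delegation keeps the password on SERVER0 and limits what SERVER1 can delegate to, which is the option a security reviewer will usually prefer.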
#5  Pieter (Senior Member, Posts: 191)
Hi Willem,

>>Is this perhaps the only script where you use Invoke-Command?
No, there is another
Code:
# Name of the DPM server to query, passed as the first script argument
$RemoteServer = $args[0]
# Fail the check when less than this percentage of the first DPM disk is unallocated
$RefWaarde = 2

# Second use of Invoke-Command: run Get-DPMDisk on the remote DPM server
$Waarde = Invoke-Command -ComputerName $RemoteServer -ScriptBlock { Get-DPMDisk }
# Percentage of unallocated space on the first disk returned
$Waarde = ($Waarde[0].UnallocatedSpace / $Waarde[0].TotalCapacity) * 100
if ($Waarde -gt $RefWaarde) { exit 0 } else { exit 1 }


>> This looks like a multi-hop situation.
It is. The script runs on SERVER0, Invoke-Command points to SERVER1 and queries one of the Exchange servers, i.e. SERVER1.

>>Does it work if you execute the script using your regular admin account?
Yes, it works if we run the script interactively with a regular account that is a member of the same groups as the Managed Service Account. I didn't test it from the Monitoring tool (service) though.


I'll have a look at the blog.

__________________
Pieter Demeulemeester
#6  Pieter (Senior Member, Posts: 191)
I did some more testing, excluding the monitoring tool.

Situation 1 : run script with regular account
Logged on to SERVER0
Elevated CMD
powershell.exe -file C:\Folder\DbsBalanceCheck.ps1
=> result is OK

Situation 2 : run script with Managed Service Account
Logged on to SERVER0
Elevated CMD
psexec.exe -u "DOMAIN\SERVER0_MSA$" cmd
powershell.exe -file C:\Folder\DbsBalanceCheck.ps1
=> error "... The operation couldn't be performed because 'DOMAIN\SERVER0_MSA$' couldn't be found..."

It looks like it doesn't work with a Managed Service Account, but it does work with a regular account.


__________________
Pieter Demeulemeester
#7  shreyans710 (Still Checking the Forum Out, Posts: 1)
Hi Pieter,

Were you able to find a solution for this issue?
I am having exactly the same issue with my gMSA account and remote PSSession.
Please do let me know.
#8  Pieter (Senior Member, Posts: 191)
We did find a solution; actually my colleague did. He changed the script and used credentials that are saved in an encrypted file. Not 100% safe (if someone steals that file they could use it....) but it's good enough for us.
I will look for the script and post it here.


__________________
Pieter Demeulemeester
#9  cj_berlin (Senior Member, Posts: 268)
Quote:
Originally Posted by Pieter
Not 100% safe (if someone steals that file they could use it....)

If you are using the .NET SecureString encryption (e.g. by using a PSCredential object in a PowerShell script) the file can only be decrypted by the same user who encrypted it and - if this user doesn't have a roaming profile - on the same machine where it was initially encrypted.

__________________
Evgenij Smirnov

My personal blog (German): http://www.it-pro-berlin.de/
My stuff on PSGallery: https://www.powershellgallery.com/profiles/it-pro-berlin.de/
#10  Pieter (Senior Member, Posts: 191)

The new script looks like this now:

Code:
# Build a PSCredential from a password that was stored with
# ConvertFrom-SecureString (DPAPI, current user's key) in C:\SERVER2_MSA.txt.
# ConvertTo-SecureString without -Key only succeeds for the user that wrote the file.
$cred = New-Object -TypeName System.Management.Automation.PSCredential `
    -ArgumentList "SERVICE_ACCOUNT1@domain.com", (Get-Content "C:\SERVER2_MSA.txt" | ConvertTo-SecureString)

$Check = $null
# Same balance check as before, but the Exchange endpoint is now opened with
# the explicit credential instead of the identity the service runs under
$Check = (Invoke-Command -ConfigurationName Microsoft.Exchange `
    -ConnectionUri http://SERVER1.domain.com/PowerShell/ `
    -Credential $cred `
    -Command { Get-ExchangeServer | Get-MailboxDatabase |
               Select-Object Identity, Server -ExpandProperty ActivationPreference } |
    Where-Object { $_.Key -ne $_.Server -and $_.Value -eq "1" } |
    Select-Object Identity, @{n="MountedOn"; e={$_.Server}}, @{n="ShouldBe"; e={$_.Key}} |
    Sort-Object Identity)

if ($null -eq $Check)
  {
   exit 0
  }
  else
  {
   # Emit the unbalanced databases for the monitoring tool, then fail the check
   $Check
   exit 1
  }


The file SERVER2_MSA.txt contains the credentials of a Managed Service Account SERVER2_MSA, and can be accessed with account SERVICE_ACCOUNT1, which is not a Managed Service Account.

 


__________________
Pieter Demeulemeester
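Posts #9 and #10 rely on DPAPI protection: ConvertFrom-SecureString with no -Key encrypts with the current user's master key, so the file only decrypts for that user (and, without a roaming profile, only on that machine). The added example below is not the thread's script; it shows the creation step that post #10's script presupposes, locks down the file's ACL, and turns a decryption failure into a clear error. The path and the two function names are assumptions; SERVICE_ACCOUNT1@domain.com is taken from post #10.

```powershell
# Added example; not the thread's script. Assumed: the account that runs the
# check is SERVICE_ACCOUNT1@domain.com (post #10); the path and the two
# function names are made up for illustration.

# Step 1: run once, interactively, AS THE ACCOUNT THAT WILL READ THE FILE
# (e.g. runas /user:DOMAIN\SERVICE_ACCOUNT1 powershell.exe). ConvertFrom-SecureString
# without -Key protects the blob with that user's DPAPI master key, which is what
# makes the file useless to another user or on another machine.
function New-ProtectedPasswordFile {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [System.Security.SecureString] $Password
    )
    $Password | ConvertFrom-SecureString | Set-Content -Path $Path

    # DPAPI binds the blob to this user, but anyone who can read the file and
    # later obtains this user's DPAPI master key (for example via the domain
    # backup key) can decrypt it offline, so restrict NTFS access to the owner
    # and SYSTEM and drop inherited ACEs.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)
    $owner = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    foreach ($identity in @($owner, 'NT AUTHORITY\SYSTEM')) {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $identity, 'FullControl', 'Allow')))
    }
    Set-Acl -Path $Path -AclObject $acl
}

# Step 2: used by the check itself, running as the same account.
function Get-ProtectedCredential {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $UserName
    )
    try {
        $secure = Get-Content -Path $Path | Select-Object -First 1 |
            ConvertTo-SecureString -ErrorAction Stop
    } catch {
        # This is the failure a different user (or a non-roaming user on another
        # machine) gets: DPAPI cannot unwrap the blob with its own master key.
        throw ("Cannot decrypt '{0}' as {1}\{2}; the file must be created by the account that reads it. ({3})" -f `
            $Path, $env:USERDOMAIN, $env:USERNAME, $_.Exception.Message)
    }
    New-Object System.Management.Automation.PSCredential($UserName, $secure)
}

# Usage:
#   New-ProtectedPasswordFile -Path 'C:\Secure\SERVER2_MSA.txt' -Password (Read-Host -AsSecureString 'Password')
#   $cred = Get-ProtectedCredential -Path 'C:\Secure\SERVER2_MSA.txt' -UserName 'SERVICE_ACCOUNT1@domain.com'
#   Invoke-Command -ConfigurationName Microsoft.Exchange -ConnectionUri http://SERVER1.domain.com/PowerShell/ `
#       -Credential $cred -ScriptBlock { Get-MailboxDatabase }
```

If the account that reads the file is an MSA rather than SERVICE_ACCOUNT1, the creation step has to run under that MSA as well (the psexec technique from post #6), because the DPAPI key is per user; a file written by an administrator will not decrypt for the service. Export-Clixml and Import-Clixml of a PSCredential object use the same DPAPI wrapping and are the shorter equivalent of the two functions above.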