Adding vCO Powershell Host with account other than the default domain administrator account (SKKB1005)

In this post we will look at how to add a vCO PowerShell host with an account other than the default domain administrator account. We will also look at how to configure, in general, which accounts and user groups are allowed to remotely execute PowerShell commands on a Windows machine.

This post assumes that you have already configured vCO and the domain for Kerberos authentication and have configured WinRM. If you haven't, you can find the necessary steps in the Using CredSSP with the vCO Powershell Plugin post.

If you want to know how to build a vRO PowerShell Host (PSHost) for high availability, visit How to build vRO PowerShell Host (PSHost) for high availability (HA)
If you want to know how to add PowerShell hosts from multiple domains, visit How to add PowerShell hosts from multiple domains with Kerberos authentication to the same vRO

Overview:

Lab Environment

The following environment has been used in all of the examples below:

  • Active Directory Domain called vmware.com
  • Windows Server 2012 R2 (with FQDN lan1dc1.vmware.com)
    • Domain Controller
    • DNS Server.
    • PowerShell v4 Host.
    • .NET 4 Framework installed (4.0.30319)
  • Windows Server 2008 R2 SP1 (with FQDN lan1dm1.vmware.com)
    • Domain Member
    • PowerShell v3 Host.
    • .NET 4 Framework installed (4.0.30319)
  • vCO 5.5.1.0 Virtual Appliance (with FQDN vco-a-01.vmware.com)
    • vCO PowerShell Plugin installed (version 1.0.4.1736639)

Goal/Issue

This blog post will resolve the following goals/issues:

  • vCO: When you try to add a PowerShell host with an account that is not the default domain administrator account, the operation fails with the error: Unauthorized Access. Authentication mechanism requested by the client may not be supported by the server. (Dynamic Script Module name : addPowerShellHost#16)
  • vCO: When you try to add a PowerShell host with an account that is not the default domain administrator account, the operation fails with the error: <f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="5" Machine="lan1dc1.vmware.com"> <f:Message>Access is denied.</f:Message>
  • vCO: You want to use a custom user account (other than the default domain administrator account) under which vCO will execute PowerShell commands, and this is the account with which the PowerShell host will be added.
  • PS: You want to grant custom user accounts or security groups the permission to remotely execute PowerShell commands on a Windows machine.

Background

The Enable-PSRemoting cmdlet configures the computer to receive Windows PowerShell remote commands that are sent using the WS-Management protocol. Enable-PSRemoting (or winrm quickconfig) performs the following operations:

Runs the Set-WSManQuickConfig cmdlet, which performs the following tasks:

  • Starts the WinRM service.
  • Sets the startup type on the WinRM service to Automatic.
  • Creates a listener to accept requests on any IP address.
  • Enables a firewall exception for WS-Management communications.
  • Registers the Microsoft.PowerShell and Microsoft.PowerShell.Workflow session configurations, if they are not already registered.
  • Registers the Microsoft.PowerShell32 session configuration on 64-bit computers, if it is not already registered.
  • Enables all session configurations.
  • Changes the security descriptor of all session configurations to allow remote access.
  • Restarts the WinRM service to make the preceding changes effective.

To run this cmdlet, start Windows PowerShell with the "Run as administrator" option.

When you turn on PSRemoting, a default PSSessionConfiguration called Microsoft.PowerShell is created with an SDDL that only allows user accounts with administrative rights to execute remote commands on that machine. You can see this with the following command:

PS C:\Users\Administrator> Get-PSSessionConfiguration |fl *

Architecture : 64
Filename : %windir%\system32\pwrshplugin.dll
ResourceUri : http://schemas.microsoft.com/powershell/microsoft.powershell
MaxConcurrentCommandsPerShell : 1000
Capability : {Shell}
xmlns : http://schemas.microsoft.com/wbem/wsman/1/config/PluginConfiguration
MaxConcurrentUsers : 5
Name : microsoft.powershell
SupportsOptions : true
ProcessIdleTimeoutSec : 0
ExactMatch : False
RunAsUser :
IdleTimeoutms : 7200000
OutputBufferingMode : Block
PSVersion : 4.0
SecurityDescriptorSddl : O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;RM)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
MaxShellsPerUser : 25
AutoRestart : false
MaxShells : 25
MaxIdleTimeoutms : 2147483647
Uri : http://schemas.microsoft.com/powershell/microsoft.powershell
SDKVersion : 2
XmlRenderingType : text
RunAsPassword :
MaxProcessesPerShell : 15
ParentResourceUri : http://schemas.microsoft.com/powershell/microsoft.powershell
Enabled : true
UseSharedProcess : false
MaxMemoryPerShellMB : 1024
lang : en-US
Permission : BUILTIN\Administrators AccessAllowed, BUILTIN\Remote Management Users AccessAllowed

Architecture : 64
Filename : %windir%\system32\pwrshplugin.dll
PSSessionConfigurationTypeName : Microsoft.PowerShell.Workflow.PSWorkflowSessionConfiguration
MaxProcessesPerShell : 15
MaxConcurrentCommandsPerShell : 1000
PersistencePath : C:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\WF\PS
Capability : {Shell}
AllowedActivity : {PSDefaultActivities}
xmlns : http://schemas.microsoft.com/wbem/wsman/1/config/PluginConfiguration
PersistWithEncryption : False
MaxConcurrentUsers : 5
RemoteNodeSessionIdleTimeoutSec : 60
Name : microsoft.powershell.workflow
OutOfProcessActivity : {InlineScript}
SessionConfigurationData : <SessionConfigurationData>
<Param Name="ModulesToImport"
Value="%windir%\system32\windowspowershell\v1.0\Modules\PSWorkflow"/>
<Param Name="PrivateData">
<PrivateData> <Param Name="enablevalidation"
Value="true" /> </PrivateData>
</Param> </SessionConfigurationData>
MaxSessionsPerWorkflow : 5
SupportsOptions : true
ProcessIdleTimeoutSec : 1209600
ExactMatch : False
RunAsUser :
IdleTimeoutms : 7200000
SessionThrottleLimit : 100
OutputBufferingMode : Block
MaxActivityProcesses : 5
ResourceUri : http://schemas.microsoft.com/powershell/microsoft.powershell.workflow
ActivityProcessIdleTimeoutSec : 60
MaxPersistenceStoreSizeGB : 10
SecurityDescriptorSddl : O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;RM)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
MaxShellsPerUser : 25
ModulesToImport : %windir%\system32\windowspowershell\v1.0\Modules\PSWorkflow
AutoRestart : false
MaxShells : 25
MaxConnectedSessions : 100
MaxMemoryPerShellMB : 1024
MaxIdleTimeoutms : 2147483647
Uri : http://schemas.microsoft.com/powershell/microsoft.powershell.workflow
SDKVersion : 2
XmlRenderingType : text
RunAsPassword :
PSVersion : 4.0
ParentResourceUri : http://schemas.microsoft.com/powershell/microsoft.powershell.workflow
MaxRunningWorkflows : 30
WorkflowShutdownTimeoutMSec : 500
EnableValidation : true
Enabled : true
UseSharedProcess : true
MaxSessionsPerRemoteNode : 5
MaxDisconnectedSessions : 1000
AssemblyName : Microsoft.PowerShell.Workflow.ServiceCore, Version=3.0.0.0, Culture=neutral,
PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL
lang : en-US
Permission : BUILTIN\Administrators AccessAllowed, BUILTIN\Remote Management Users AccessAllowed

Architecture : 32
Filename : %windir%\system32\pwrshplugin.dll
ResourceUri : http://schemas.microsoft.com/powershell/microsoft.powershell32
MaxConcurrentCommandsPerShell : 1000
Capability : {Shell}
xmlns : http://schemas.microsoft.com/wbem/wsman/1/config/PluginConfiguration
MaxConcurrentUsers : 5
Name : microsoft.powershell32
SupportsOptions : true
ProcessIdleTimeoutSec : 0
ExactMatch : False
RunAsUser :
IdleTimeoutms : 7200000
OutputBufferingMode : Block
PSVersion : 4.0
SecurityDescriptorSddl : O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;RM)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
MaxShellsPerUser : 25
AutoRestart : false
MaxShells : 25
MaxIdleTimeoutms : 2147483647
Uri : http://schemas.microsoft.com/powershell/microsoft.powershell32
SDKVersion : 2
XmlRenderingType : text
RunAsPassword :
MaxProcessesPerShell : 15
ParentResourceUri : http://schemas.microsoft.com/powershell/microsoft.powershell32
Enabled : true
UseSharedProcess : false
MaxMemoryPerShellMB : 1024
lang : en-US
Permission : BUILTIN\Administrators AccessAllowed, BUILTIN\Remote Management Users AccessAllowed

Architecture : 64
Filename : C:\Windows\system32\pwrshplugin.dll
PSSessionConfigurationTypeName : Microsoft.Windows.ServerManager.Common.Workflow.WorkflowSessionConfiguration
MaxProcessesPerShell : 45
MaxConcurrentCommandsPerShell : 5000
Capability : {Shell}
allowedactivity : *
xmlns : http://schemas.microsoft.com/wbem/wsman/1/config/PluginConfiguration
MaxConcurrentUsers : 5
Name : microsoft.windows.servermanagerworkflows
outofprocessactivity :
SessionConfigurationData : <SessionConfigurationData>
<Param Name="ModulesToImport" Value="C:\Windows\\system32\\ServerManagerInternal,C:\Windows\\system32\\windowspowershell\\v1.0\\Modules\\PSWorkflow" />
<Param Name="PrivateData">
<PrivateData>
<Param Name="allowedactivity" Value="*" />
<Param Name="outofprocessactivity" Value="" />
</PrivateData> </Param>
</SessionConfigurationData>
SupportsOptions : true
ProcessIdleTimeoutSec : 0
ExactMatch : False
RunAsUser :
IdleTimeoutms : 180000
OutputBufferingMode : Block
ResourceUri : http://schemas.microsoft.com/powershell/microsoft.windows.servermanagerworkflows
SecurityDescriptorSddl : O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
MaxShellsPerUser : 25
ModulesToImport : C:\Windows\\system32\\ServerManagerInternal,C:\Windows\\system32\\windowspowershell\\v1.0\\Modules\\PSWorkflow
AutoRestart : false
MaxShells : 100
MaxMemoryPerShellMB : 2000
MaxIdleTimeoutms : 180000
Uri : http://schemas.microsoft.com/powershell/microsoft.windows.servermanagerworkflows
SDKVersion : 2
XmlRenderingType : text
RunAsPassword :
PSVersion : 3.0
ParentResourceUri : http://schemas.microsoft.com/powershell/microsoft.windows.servermanagerworkflows
Enabled : true
UseSharedProcess : true
AssemblyName : Microsoft.Windows.ServerManager.Common, Version=6.3.0.0, Culture=neutral,
PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL
lang : en-US
Permission : NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators AccessAllowed

The [Get-PSSessionConfiguration] cmdlet gets the session configurations that have been registered on the local computer. This is an advanced cmdlet that is designed to be used by system administrators to manage customized session configurations for their users.

Beginning in Windows PowerShell 3.0, you can define the properties of a session configuration by using a session configuration (.pssc) file. This feature lets you create customized and restricted sessions without writing a computer program. For more information about session configuration files, see about_Session_Configuration_Files (http://go.microsoft.com/fwlink/?LinkID=236023).
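The SecurityDescriptorSddl strings in the output above are what actually decide who may connect to each session configuration. The following script is an added example (not code from the original post or from the vCO plug-in) that decodes those SDDL strings into readable account names and flags any AccessAllowed entry outside the expected BUILTIN\Administrators and BUILTIN\Remote Management Users groups. It assumes it is run elevated on the PowerShell host itself (lan1dc1 in the lab), so that the well-known SIDs resolve locally.

```powershell
# Added example (not part of the original post): decode the SDDL of every
# registered session configuration into the principals it grants access to.
# Assumed: run elevated on the PowerShell host (Windows Server 2012 R2 in the lab).

function Get-SessionConfigurationAccess {
    param(
        # Name or wildcard of the session configuration(s) to inspect
        [string] $Name = '*'
    )

    foreach ($cfg in Get-PSSessionConfiguration -Name $Name) {
        # RawSecurityDescriptor parses the SDDL string (O:..G:..D:..S:..) into ACEs
        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor $cfg.SecurityDescriptorSddl

        foreach ($ace in $sd.DiscretionaryAcl) {
            # Resolve the SID (e.g. S-1-5-32-544) to a readable account name
            try {
                $account = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $account = $ace.SecurityIdentifier.Value   # keep the raw SID if it cannot be translated
            }

            [pscustomobject]@{
                Configuration = $cfg.Name
                AceType       = $ace.AceType                       # AccessAllowed / AccessDenied
                Account       = $account
                AccessMask    = ('0x{0:X8}' -f $ace.AccessMask)   # 0x10000000 = GA (GenericAll)
                IsFullAccess  = (($ace.AccessMask -band 0x10000000) -ne 0)
            }
        }
    }
}

function Test-SessionConfigurationAccess {
    # Returns every AccessAllowed ACE whose principal is not in the expected list,
    # so an unexpected remote-access grant stands out during an audit.
    param(
        [string[]] $ExpectedAccounts = @('BUILTIN\Administrators', 'BUILTIN\Remote Management Users')
    )
    Get-SessionConfigurationAccess |
        Where-Object { $_.AceType -eq 'AccessAllowed' -and $ExpectedAccounts -notcontains $_.Account }
}

Get-SessionConfigurationAccess | Format-Table -AutoSize

$unexpected = Test-SessionConfigurationAccess
if ($unexpected) {
    Write-Warning 'Session configurations grant remote access to principals outside the expected groups:'
    $unexpected | Format-Table -AutoSize
}
```

Run against the lab host, the audit function reports the NT AUTHORITY\INTERACTIVE entry (the IU ACE) on microsoft.windows.servermanagerworkflows, which is the one configuration in the output above whose SDDL differs from the other three; anything else it reports is a change someone made after Enable-PSRemoting ran.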

Solution

As you can see, by default (on this Windows Server 2012 PowerShell host) only the BUILTIN\Administrators and BUILTIN\Remote Management Users security groups are allowed to execute remote commands. If you want to add a vCO PowerShell Host with an account other than the Domain Administrator account, add that account to the BUILTIN\Administrators security group, because WinRM, which vCO uses to execute remote PowerShell commands, requires local administrator privileges on the host. In other cases you might add the user to the BUILTIN\Remote Management Users security group instead.

Alternatively, you can run [Set-PSSessionConfiguration] to change the permissions on the individual session configurations (schema elements), which you can list with:

PS C:\Users\Administrator> Get-PSSessionConfiguration | fl Name

Name : microsoft.powershell
Name : microsoft.powershell.workflow
Name : microsoft.powershell32
Name : microsoft.windows.servermanagerworkflows

This will not help in the vCO case, due to the reason mentioned above, but it is good to know. Generally speaking, if you want to grant other groups or users access, run the [Set-PSSessionConfiguration -Name Microsoft.PowerShell -ShowSecurityDescriptorUI] cmdlet, which opens a permissions dialog for that session configuration:


If you have not added the account to the appropriate groups, you might receive an error like this in vCO:

Unauthorized Access. Authentication mechanism requested by the client may not be supported by the server. (Dynamic Script Module name : addPowerShellHost#16)

In the case of adding a vCO PowerShell Host, if you have added the user account only to BUILTIN\Remote Management Users and not to the BUILTIN\Administrators group, then you will receive this error:

Cannot find [XPath: //w:Selector[@Name='ShellId']] in <?xml version="1.0" encoding="UTF-8"?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:x="http://schemas.xmlsoap.org/ws/2004/09/transfer" xmlns:e="http://schemas.xmlsoap.org/ws/2004/08/eventing" xmlns:n="http://schemas.xmlsoap.org/ws/2004/09/enumeration" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd" xml:lang="en-US">
<s:Header>
<a:Action>http://schemas.dmtf.org/wbem/wsman/1/wsman/fault</a:Action>
<a:MessageID>uuid:901FA16C-5BB9-4CC4-B6D7-AC863CCE1DFD</a:MessageID>
<a:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:To>
<a:RelatesTo>uuid:101E1D4D-5627-4CFF-93BA-4095A5C0C63F</a:RelatesTo>
</s:Header>
<s:Body>
<s:Fault>
<s:Code>
<s:Value>s:Sender</s:Value>
<s:Subcode>
<s:Value>w:AccessDenied</s:Value>
</s:Subcode>
</s:Code>
<s:Reason>
<s:Text xml:lang="en-US">Access is denied.</s:Text>
</s:Reason>
<s:Detail>
<f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="5" Machine="lan1dc1.vmware.com">
<f:Message>Access is denied.</f:Message>
</f:WSManFault>
</s:Detail>
</s:Fault>
</s:Body>
</s:Envelope>
(Dynamic Script Module name : addPowerShellHost#16)

This happens because the WinRM operations that vCO performs must be executed under an account with local administrator rights on the host.
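Putting the Solution section and the error explanation together, the following script is an added example (not code from the original post or from the vCO plug-in). It applies the group membership the post describes, offers the scripted equivalent of -ShowSecurityDescriptorUI for the non-vCO case, and then verifies the result over Kerberos so that an "Access is denied" WSManFault is caught before the host is added in vCO. It assumes the lab domain vmware.com and a hypothetical, already existing service account vmware\svc-vco, and must be run elevated on the PowerShell host.

```powershell
# Added example, not part of the original post or the vCO plug-in.
# Assumed: lab domain vmware.com, an existing account "vmware\svc-vco" (hypothetical),
# script run elevated on the PowerShell host (lan1dc1.vmware.com / lan1dm1.vmware.com).

function Add-ToLocalGroup {
    # Adds DOMAIN\name to a local group if it is not already a member.
    # The ADSI WinNT provider is used because Add-LocalGroupMember does not
    # exist on the Windows Server 2008 R2 / 2012 R2 hosts in the lab.
    param([string] $GroupName, [string] $Account)
    $domain, $name = $Account -split '\\', 2
    $group   = [ADSI]"WinNT://./$GroupName,group"
    $members = @($group.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })
    if ($members -notcontains $name) {
        $group.Add("WinNT://$domain/$name")
        Write-Host "Added $Account to $GroupName"
    } else {
        Write-Host "$Account is already a member of $GroupName"
    }
}

function Grant-SessionConfigurationAccess {
    # Adds an AccessAllowed / GenericAll ACE for $Account to one session
    # configuration: the scripted equivalent of -ShowSecurityDescriptorUI.
    # This is enough for plain remote PowerShell, but not for a vCO host.
    param([string] $Account, [string] $ConfigurationName = 'Microsoft.PowerShell')
    $nt  = New-Object System.Security.Principal.NTAccount($Account)
    $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    $cfg = Get-PSSessionConfiguration -Name $ConfigurationName
    $sddl = $cfg.SecurityDescriptorSddl
    if ($sddl -like "*;;;$sid)*") { Write-Host "$Account already listed in $ConfigurationName"; return }

    $newAce = "(A;;GA;;;$sid)"
    # Put the new ACE at the end of the DACL, i.e. just before the SACL section ("S:...(")
    $newSddl = if ($sddl -match 'S:[A-Z]*\(') { $sddl -replace '(?=S:[A-Z]*\()', $newAce }
               else                           { $sddl + $newAce }
    # -Force suppresses the confirmation prompt; the cmdlet restarts WinRM itself
    Set-PSSessionConfiguration -Name $ConfigurationName -SecurityDescriptorSddl $newSddl -Force
}

function Test-RemoteAccess {
    # Returns the identity the remote session runs as, or the WinRM error text
    # (for example "Access is denied." when the account lacks the required group).
    param([string] $ComputerName, [pscredential] $Credential)
    try {
        Invoke-Command -ComputerName $ComputerName -Credential $Credential `
            -Authentication Kerberos -ScriptBlock { whoami } -ErrorAction Stop
    } catch {
        "FAILED: $($_.Exception.Message)"
    }
}

$account = 'vmware\svc-vco'     # assumed service account; replace with your own

# Required for a vCO PowerShell Host: local administrator on the host
Add-ToLocalGroup -GroupName 'Administrators' -Account $account

# Sufficient for ordinary remote PowerShell (not vCO); pick one if that is all you need:
# Add-ToLocalGroup -GroupName 'Remote Management Users' -Account $account
# Grant-SessionConfigurationAccess -Account $account -ConfigurationName 'Microsoft.PowerShell'

$cred = Get-Credential -UserName $account -Message 'Password for the remote account'
Test-RemoteAccess -ComputerName 'lan1dc1.vmware.com' -Credential $cred
```

If Test-RemoteAccess returns the account name, the host can be added in vCO with that account; if it returns the "Access is denied." text, the account is still missing from BUILTIN\Administrators and vCO will show the WSManFault quoted above.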
