"could not connect to host" from powershell script in OO, manually in PS ISE works

Hi All,

Our OO Studio version: 2019.11 b43

Goal:

Run a PS1 Script with loaded PSM module via RAS. 

Problem:

new Flow --> Powershell Script Element --> Input script --> Use Constant 

Here I add my script and normally it works. 
But if there are too many rows, the limit of the Constant Value Box is reached??
I can't add more than 222 lines into the box.

Next Try:
installed PSM on RAS and tested my script locally on the RAS --> works, the system knows the cmdlets
then added in the Constant field just the few rows for the connect.

$servername = "servername.fqdn"
$username = "domain\serviceuser"
$password = "password"

$dsmPort = "8080"
$dsmProtocol = "http"

$credentials = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $username, (ConvertTo-SecureString $password -AsPlainText -Force)
$global:swv_webservice = $proxy = New-WebServiceProxy -Uri ${dsmProtocol}://$($servername):${dsmPort}/blsAdministration/AdministrationService.asmx -Credential $credentials

$Result = Connect-DSM7Web -WebServer $servername -Port 8080 -UseDefaultCredential

if($Result){
 return 0
}else{
 return 1
}

from Client to DSM Server via PS1 --> works
from RAS to DSM Server via PS1 --> works
from OO Studio via debug local Connection --> error

{exception=dotNETWebActions_PowerShell.PowerShellExceptions.SessionException: Could not connect to host. ---> System.Management.Automation.Remoting.PSRemotingTransportException: Connecting to remote server localhost failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
   --- End of inner exception stack trace ---
   at PowerShellV2.PSRunspaceV2.NewRemoteSession(String host, PSCredential credential, AuthenticationMechanism authentication)
   at PowerShellV2.PSRunspaceV2.CreateRunspace(String host, PSCredential credential, AuthenticationMechanism authentication)
   at PowerShellV2.PSRunspaceV2.CreateNewRunspace()
   at PowerShellV2.PSRunspaceV2..ctor(PSAuthenticationInfo authInfo)
   at PowerShellV2.PowerShellFactoryV2.CreateRemoteRunspace(PSAuthenticationInfo psAuth, Boolean keepSessionAlive, Boolean enablePiping)
   at PowerShellCommon.PowerShellFactory.CreateRunspace(PSAuthenticationInfo authInfo, Boolean keepSessionAlive, Boolean enablePiping)
   at dotNETWebActions_PowerShell.IActions.PowerShellBaseAction.GetPSRunspace(ActionRequest req)
   at dotNETWebActions_PowerShell.IActions.PowerShellBaseAction.ExecutePowerShell(ActionRequest req, ISession s, IActionRegistry reg);returnCode=1;returnResult=Could not connect to host.;sessionId=new session;isSessionOn=False;Result=1;}

Where is my failure?

Where does the Access Denied come from? RAS or DSM Server?


kind regards

Tob

  • 0  

    Are OO RAS and OO Studio different machines? If yes, the problem might be that the OO Studio machine requires some PSRemoting enablement.

    I suggest checking the description of the PowerShell folder while in OO Studio.

    Have you solved it by now?

  • 0 in reply to   

    OO RAS and OO Studio were not the same machine.

    I didn't solve the remote issue.

    As an alternative I installed the PS module on the RAS and tried the connection to the deployment server.

    But now I get the following behaviour:

    1)
    - login to the RAS with a service account for the deployment server
    - run the PS script in the ISE

    Connect to Deployment Server works!

    2)
    - run the flow, which contains the same script logic
    - used the correct credentials in the Powershell Element in the Flow

    Connect to Deployment Server fails with "The request failed with HTTP status 401: Unauthorized."!

  • 0 in reply to 

    hiho,

    this seems to be related to the so-called "double-hop problem"

    The double-hop problem describes a scenario in PowerShell where remoting is used to connect to a host and the remote host tries to connect to another resource. In this scenario, the second connection, the second hop, fails because authentication cannot be implicitly passed.

    https://blogs.technet.microsoft.com/ashleymcglone/2016/08/30/powershell-remoting-kerberos-double-hop-solved-securely/

    I guess your RAS service runs (by default) as SYSTEM and you are doing some kind of impersonation. This will be the first "hop". When you now try to connect by doing another impersonation and not using your already existing session you will obtain your second hop. 

    You can verify this by logging in remotely to the RAS using the service account for the deployment server and then running your script.

    In most cases the operations do not use simple impersonation by using WIN32 API but PowerShell remoting on localhost.

    Greetz Rene

  • 0 in reply to 

    Hi Rene,

    Sorry for the late answer.

    Status:

    - "-UseDefaultCredential" was the problem in the first post --> explicitly replacing it with the service account solved the problem
    - running the script as per your hint from the last post also works fine


    - Remote Debugging --> works now

    Greetz
    Tob
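
Added example, not part of the thread and not OO or DSM code: a diagnostic for the double-hop behaviour and the explicit-credential fix discussed above, meant to be run once in the ISE on the RAS and once from the flow so the two results can be compared. The function name `Test-SecondHop` is hypothetical, and `Invoke-WebRequest` stands in for `Connect-DSM7Web` as the second-hop probe.

```powershell
# Report which identity the script runs under and whether the web service
# accepts implicit (logon-session) versus explicit credentials.
function Test-SecondHop {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [uri]          $Uri,
        [Parameter(Mandatory)] [pscredential] $Credential
    )

    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()

    # Request the URI with the given auth parameters; return the HTTP status
    # code on success or the error text (for example a 401) on failure.
    $probe = {
        param([hashtable] $AuthArgs)
        try {
            $r = Invoke-WebRequest -Uri $Uri -UseBasicParsing -TimeoutSec 15 @AuthArgs
            [int] $r.StatusCode
        } catch {
            $_.Exception.Message
        }
    }

    [pscustomobject]@{
        RunningAs          = $id.Name
        AuthenticationType = $id.AuthenticationType
        ImpersonationLevel = $id.ImpersonationLevel
        # $PSSenderInfo only exists inside a remoting session, i.e. the first
        # hop has already been used when this is $true.
        InRemoteSession    = [bool](Get-Variable PSSenderInfo -ErrorAction SilentlyContinue)
        # Second hop relying on the current logon session (what
        # -UseDefaultCredential does in the first post's script).
        ImplicitAuth       = & $probe @{ UseDefaultCredentials = $true }
        # Second hop with credentials handed over explicitly (the fix
        # reported in the last post).
        ExplicitAuth       = & $probe @{ Credential = $Credential }
    }
}

# Example call with the placeholder host from the first post; $cred is a
# PSCredential for the service account, supplied by the caller:
# Test-SecondHop -Uri 'http://servername.fqdn:8080/blsAdministration/AdministrationService.asmx' -Credential $cred
```

If `InRemoteSession` is true and only `ImplicitAuth` fails, the flow is hitting the double hop. With the `http` endpoint from the first post, explicit credentials are only as protected as the authentication scheme the server negotiates.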