Поделиться через


The CredSSP Files: Part 1 Access Denied for Local Administrator

PowerShell remoting is an extremely useful administration tool. To take full advantage of running PowerShell commands remotely against a SharePoint farm, you will need to enable CredSSP authentication. Most PowerShell commands require communicating with the backend SQL databases. A default remote PowerShell session does not allow you to pass your credentials along to another host (in this case SQL). CredSSP is required to use this double hop authentication and to run most SharePoint cmdlets. Usually configuring CredSSP and remote PowerShell is fairly straightforward, but I have come across a number of exceptions to that rule. Most of the documentation I found online related to PowerShell remoting for Exchange, which is configured differently and as a part of the installation. In this series I will document the various issues I have run into with CredSSP and remote PowerShell and the workarounds.

Part 1 Access Denied for Local Administrator

You have successfully configured Winrm and CredSSP on your server and enabled Credential delegation on your client. Your account is a local administrator on the target server. Normally you should be all set to start a new remote session. But in some cases you will see this:

How can that be? Access denied for a local admin?

In this case the next thing to check is the output of Get-PSSessionConfiguration on your target server. Normally this is what you will see (the exact output will vary slightly by OS/PowerShell version):

If instead you see this:

You have found the problem. Access has been disabled in the session configuration. This could be the result of Disable-PSSessionConfiguration or manually removing permissions. To fix it you will need to re-enable access with Set-PSSessionConfiguration. In most cases you will run it like this:

Set-PSSessionConfiguration -Name "microsoft.powershell" -ShowSecurityDescriptorUI

You will need to specify a different name if you are trying to connect to a named session you have setup. This command will bring up a new window that will allow you to add the permissions to local administrators. Select 'Y' to restart the service to make the change live.

Now running Get-PSSessionConfiguration will return the default output and you will be able to connect without seeing access denied.