I am attempting to establish a PowerShell session to run several Exchange commands against an Exchange server on the localhost. I keep getting the following error:
New-PSSession : [<HOSTNAME>] Connecting to remote server <HOSTNAME> failed with the following error message
: Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:12
+ $session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri 'h ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotin
   gTransportException
    + FullyQualifiedErrorId : AccessDenied,PSSessionOpenFailed
My code is a copy paste from the Microsoft Technet Article. It works against remote machine, but anytime I target the machine I am running from, I get the above error.
What I've tried so far:
about_remote_troubleshooting help topic. Nothing in there relating to Access Denied errors worked.net use and net session to make sure I didn't have a weird multiple connections with the same credentials issue. (I didn't see anything to indicate that)Some quick notes:
The specific commands I am entering are:
$cred = Get-Credential
$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri 'http://<HOSTNAME>/Powershell' -Credential $cred
Is connecting to the localhost like this something that I should be able to do? Or is it just not supported?
I am at a complete loss at this point. Any help, even to point me in the right direction, would be greatly appreciated.
EDIT: I should add, I've attempted connecting to this localhost from a different machine, using the same commands as above, and it worked without issue. So, I don't think it is a local configuration issue.
This issue occurs for one of the following reasons: You enter an incorrect user name or password. You try to sign in to the service by using an account that doesn't have access to Exchange Online. You have security defaults enabled in your tenant.
You can grant the permissions by using Active Directory Users & Computers. Simply open the properties of the group, switch to the Security tab, add the mailbox user or group, and then tick the Send As box and apply the change.
So, I stumbled on the solution late last week. It seems to have something to do with the authentication being used. I had left the "-Authentication" parameter blank, intending to let the New-PSSession command sort out which method would be best.
Apparently, this defaults to the "Negotiate" authentication method, which will select Kerberos against a remote machine, but will select NTLM otherwise (or at least, that was my observed/assumed behavior). See this Microsoft description of the authentication methods.
Specifying a specific Authentication method (Both "Kerberos" and "Basic" worked, "Negotiate" didn't, I didn't tinker too much past this) clears the issue and allowed me to connect to the local exchange instance.
So, rather than this:
$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri 'http://<HOSTNAME>/Powershell' -Credential $cred
Do this:
$session = New-PSSession -Authentication Kerberos -ConfigurationName Microsoft.Exchange -ConnectionUri 'http://<HOSTNAME>/Powershell'  -Credential $cred
Why did that work? I have no clue. I'll leave it to people who know more than me to explain it.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With