"Access Is Denied" error when attempting to remote to Exchange server on localhost

Asked 27/5, 2015 at 20:10 Answered 1/6, 2015 at 14:40

Solved powershell windows-server-2012 access-denied powershell-remoting exchange-server-2013

I am attempting to establish a PowerShell session to run several Exchange commands against an Exchange server on the localhost. I keep getting the following error:

New-PSSession : [<HOSTNAME>] Connecting to remote server <HOSTNAME> failed with the following error message
: Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:12
+ $session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri 'h ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotin
   gTransportException
    + FullyQualifiedErrorId : AccessDenied,PSSessionOpenFailed

My code is a copy paste from the Microsoft Technet Article. It works against remote machine, but anytime I target the machine I am running from, I get the above error.

What I've tried so far:

Checked the about_remote_troubleshooting help topic. Nothing in there relating to Access Denied errors worked.
Targeted remote machines using the same credentials as received the Access Denied error. (Connected without issue)
Verified that my PowerShell session is running as Administrator. (It is)
Verified that the Exchange Management Shell is able to launch successfully. (It is)
Tried without credentials to see if that would work. (It didn't)
Checked net use and net session to make sure I didn't have a weird multiple connections with the same credentials issue. (I didn't see anything to indicate that)
Tried this both from the script that is causing issues and by typing the commands into a powershell console by hand. (got the same results both ways. Yay for consistency)
Tried this on multiple systems. (Same result everywhere)

Some quick notes:

This is Exchange 2013 running on Windows Server 2012. It's a basic installation, just a test environment that has very little data and minimal configuration beyond installing and enabling remoting.
The Credentials used were for the domain admin, which also has the necessary Exchange permissions to do whatever I need to do. I.e, so long as I target a machine that is not the one I am running from, I have no issues whatsoever, with nothing else changing about the way I am connecting. Additionally, this is a test domain where the domain admin's access hasn't been restricted or tweaked in any way, so it should have total and complete access to everything.

The specific commands I am entering are:

$cred = Get-Credential
$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri 'http://<HOSTNAME>/Powershell' -Credential $cred

Is connecting to the localhost like this something that I should be able to do? Or is it just not supported?

I am at a complete loss at this point. Any help, even to point me in the right direction, would be greatly appreciated.

EDIT: I should add, I've attempted connecting to this localhost from a different machine, using the same commands as above, and it worked without issue. So, I don't think it is a local configuration issue.

Gujarati answered 27/5, 2015 at 20:10 Comment(5)

You have verified that your domain admin can access the server? the reason I ask is that I believe that they need a special permission to remote to exchange, and I think you can only do that from within exchange. – Obfuscate 27/5, 2015 at 20:17

@Obfuscate Yes. I am logged into the server with my domain admin credentials. Additionally, from a different computer, I am able to remotely access this computer using those domain creds. Aka, computer A has exchange installed. I am logged into computer A (localhost in above example) with domain creds, cannot powershell remote to exchange from A. However, from Computer B (on the same domain) I am able to remote into Exchange on computer A with those same creds. Additionally, if I attempt to remote from computer A to computer C (which also has exchange installed) with my admin creds it works – Gujarati 27/5, 2015 at 20:24

okay so it only doesn't work from A to A...is the firewall on? although the way you explained this that might not be the issue... – Obfuscate 27/5, 2015 at 21:33

@Gujarati Run Set-Item -force WSMan:\localhost\Client\TrustedHosts –Value * on computer A – Asphaltite 27/5, 2015 at 23:10

simple guessing, do you set password on ur login account? – Booster 28/7, 2017 at 7:16

So, I stumbled on the solution late last week. It seems to have something to do with the authentication being used. I had left the "-Authentication" parameter blank, intending to let the New-PSSession command sort out which method would be best.

Apparently, this defaults to the "Negotiate" authentication method, which will select Kerberos against a remote machine, but will select NTLM otherwise (or at least, that was my observed/assumed behavior). See this Microsoft description of the authentication methods.

Specifying a specific Authentication method (Both "Kerberos" and "Basic" worked, "Negotiate" didn't, I didn't tinker too much past this) clears the issue and allowed me to connect to the local exchange instance.

So, rather than this:

$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri 'http://<HOSTNAME>/Powershell' -Credential $cred

Do this:

$session = New-PSSession -Authentication Kerberos -ConfigurationName Microsoft.Exchange -ConnectionUri 'http://<HOSTNAME>/Powershell'  -Credential $cred

Why did that work? I have no clue. I'll leave it to people who know more than me to explain it.

Gujarati answered 1/6, 2015 at 14:40 Comment(0)

If you are just trying to create a session on the same computer as your current session omit the URI.

$cred = Get-Credential
$session = New-PSSession -ConfigurationName Microsoft.Exchange -Credential $cred

This will create a new session on the localhost that you can connect to and utilize as needed.

Hungarian answered 28/5, 2015 at 2:18 Comment(3)

Tried this, got me closer. The session was created, but for some reason it didn't have the commands in it I need to run. I'm not entirely sure why, as I thought the configuration name was what was making those commands available. I think I may need to just detect that I am targetting my localhost somehow and just load the snapin (microsoft.blah.blah.blah.Powershell.E2010) and get access to the commands that way. – Gujarati 28/5, 2015 at 14:19

I think you may be over thinking this, and missing the point of that article that you linked. That whole thing is to access the Exchange cmdlets if you don't have the Exchange PowerShell Tools installed on your local computer, which you do. For local use you should have a shortcut to the Exchange Management Console or something similar that will create a powershell session with the Exchange cmdlets already loaded and available. – Hungarian 29/5, 2015 at 0:44

I may not have explained my intended use properly. I'm writing a script to automatically run a collection of commands against a given exchange server. It's going to be run from an external application and I don't want a console to appear. So... As far as I can tell I need to create a pssession against the local machine. However, I found a solution late last week, I'll be posting it here as an answer shortly. – Gujarati 1/6, 2015 at 14:29

Recommended topics

Hot tags