I am setting up JEA on a Server 2019 VM. The idea is to use JEA to enable a user to logon and do some DNS stuff. This process works with Server 2019 and Windows PowerShell, but is not working with PowerShell 7 RC1.
Here is how I have JEA setup so far:
```powershell
# 1. Create RKDnsAdmins universal security group in the OU
$OURoot = 'OU=IT, DC=Reskit, DC=Org'
$NGHT = @{
    Name        = 'RKDnsAdmins'
    Path        = $OURoot
    GroupScope  = 'Universal'
    Description = 'RK DnsAdmins group for JEA'
}
New-ADGroup @NGHT
# 2. Add JerryG to the RKDnsAdmins group
Add-ADGroupMember -Identity 'RKDNSADMINS' -Members 'JerryG'
# 3. Create transcripts folder
New-Item -Path C:\Foo\JEATranscripts -ItemType Directory
# 4. Build RC module folder
$PF = $env:Programfiles
$CP = 'WindowsPowerShell\Modules\RKDnsAdmins'
$ModPath = Join-Path -Path $PF -ChildPath $CP
New-Item -Path $ModPath -ItemType Directory | Out-Null
# 5. Create Role Capabilities file
$RCHT = @{
    Path            = 'C:\Foo\RKDnsAdmins.psrc'
    Author          = 'Reskit Administration'
    CompanyName     = 'Reskit.Org'
    Description     = 'Defines RKDnsAdmins role capabilities'
    AliasDefinition = @{Name = 'gh'; Value = 'Get-Help'}
    ModulesToImport = 'Microsoft.PowerShell.Core', 'DnsServer'
    VisibleCmdlets  = ('Restart-Service',
                       @{ Name       = 'Restart-Computer'
                          # ValidateSet belongs inside the Parameters entry and is a list of values
                          Parameters = @{Name = 'ComputerName'; ValidateSet = 'DC1', 'DC2'} },
                       'DNSSERVER\*')
    VisibleExternalCommands = ('C:\Windows\System32\whoami.exe')
    VisibleFunctions    = 'Get-HW'
    FunctionDefinitions = @{
        Name        = 'Get-HW'
        ScriptBlock = {'Hello JEA World'}
    }
}
New-PSRoleCapabilityFile @RCHT
# 6. Create the Module Manifest in the Module Folder
$P = Join-Path -Path $ModPath -ChildPath 'RKDnsAdmins.psd1'
New-ModuleManifest -Path $P -RootModule 'RKDNSAdmins.psm1'
# 7. Create a Role Capabilities Folder and Copy The PSRC
#    File Into the Module
$RCF = Join-Path -Path $ModPath -ChildPath 'RoleCapabilities'
New-Item -ItemType Directory $RCF
Copy-Item -Path $RCHT.Path -Destination $RCF -Force
# 8. Create a JEA Session Configuration file
$P = 'C:\Foo\RKDnsAdmins.pssc'
$RDHT = @{
    'Reskit\RKDnsAdmins' = @{RoleCapabilities = 'RKDnsAdmins'}
}
$PSCHT = @{
    Author              = '[email protected]'
    Description         = 'Session Definition for RKDnsAdmins'
    SessionType         = 'RestrictedRemoteServer' # ie JEA!
    Path                = $P                       # the output file
    RunAsVirtualAccount = $true
    TranscriptDirectory = 'C:\Foo\JeaTranscripts'
    RoleDefinitions     = $RDHT                    # RKDnsAdmins role mapping
}
New-PSSessionConfigurationFile @PSCHT
# 9. Test the session configuration file. NB: this is successful
Test-PSSessionConfigurationFile -Path C:\Foo\RKDnsAdmins.pssc
# 10. Register the JEA Session Definition
$SCHT = @{
    Path  = 'C:\Foo\RKDnsAdmins.pssc'
    Name  = 'RKDnsAdmins'
    Force = $true
}
Register-PSSessionConfiguration @SCHT
# 11. Check what the user can do. NB: this produces the list as expected
Get-PSSessionCapability -ConfigurationName RkDnsAdmins -Username 'Reskit\Jerryg' |
    Sort-Object Module
```
Having done that, I get odd results when trying to use it:
```powershell
# 12. Create Credentials for user JerryG
$U = '[email protected]'
$P = ConvertTo-SecureString 'Pa$$w0rd' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential $U, $P
# 13. Define Three Script Blocks and an Invocation Splatting Hash Table
$SB1 = {Get-Command}
$SB2 = {Get-HW}
$SB3 = {Get-Command -Name '*-DNSSERVER*'}
$ICMHT = @{
    ComputerName      = 'DC1.Reskit.Org'
    Credential        = $Cred
    ConfigurationName = 'RKDnsAdmins'
}
# 14. How many Commands are available within the JEA session
Invoke-Command -ScriptBlock $SB1 @ICMHT
```

```text
CommandType     Name                Version    Source    PSComputerName
-----------     ----                -------    ------    --------------
Function        Clear-Host                               DC1.Reskit.Org
Function        Exit-PSSession                           DC1.Reskit.Org
Function        Get-Command                              DC1.Reskit.Org
Function        Get-FormatData                           DC1.Reskit.Org
Function        Get-Help                                 DC1.Reskit.Org
Function        Measure-Object                           DC1.Reskit.Org
Function        Out-Default                              DC1.Reskit.Org
Function        Select-Object                            DC1.Reskit.Org
```
The set of commands available is not the same as shown after Step 11 above. Running Step 11, for example, shows Get-HW.
If I try to run that command:
```text
PS C:\Foo> Invoke-Command -ScriptBlock $SB2 @ICMHT
ObjectNotFound: The term 'Get-HW' is not recognized as the name of a cmdlet, function, script file, or operable program.
Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
```
Also, none of the DNS commands work in the JEA session either.
I expected running $SB1 to show the same commands as offered from Step 11.
I expected running $SB2 to return a string (as per the function definition in Step 5), "Hello JEA World".
I expected to be able to use the DNS commands.
```text
PS C:\Foo> $PSVersionTable

Name                           Value
----                           -----
PSVersion                      7.0.0-rc.1
PSEdition                      Core
GitCommitId                    7.0.0-rc.1
OS                             Microsoft Windows 10.0.17763   # Server 2019
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0, 5.0, 5.1.10032.0, 6.0.0, 6.1.0, 6.2.0, 7.0.0-rc.1}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0
```
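As an added check, not part of the original issue: a script that compares what Get-PSSessionCapability promises for a user with what a live session for that user actually exposes, turning the symptom above (only the default RestrictedRemoteServer commands, no Get-HW, no DnsServer cmdlets) into a pass/fail result. It assumes the endpoint name, host and user from the steps above, that it runs on the JEA host so the registered endpoint can be read locally, and that the session was registered with RunAsVirtualAccount; Test-JeaRole is a hypothetical name.

```powershell
function Test-JeaRole {
    # Added example, not code from the issue. Compares the role mapping's promised
    # command set with what a real session for the user exposes.
    param(
        [string]$ComputerName      = 'DC1.Reskit.Org',   # from the thread
        [string]$ConfigurationName = 'RKDnsAdmins',      # from the thread
        [string]$UserName          = 'Reskit\JerryG',    # from the thread
        [Parameter(Mandatory)][pscredential]$Credential
    )
    # What the server-side role mapping says this user should be able to run
    $Expected = @(Get-PSSessionCapability -ConfigurationName $ConfigurationName -Username $UserName |
        Select-Object -ExpandProperty Name -Unique)

    # What the user actually gets once the endpoint has evaluated the role mapping
    $Session = New-PSSession -ComputerName $ComputerName -ConfigurationName $ConfigurationName `
                             -Credential $Credential -ErrorAction Stop
    try {
        $Actual = @(Invoke-Command -Session $Session -ScriptBlock { Get-Command } |
            Select-Object -ExpandProperty Name -Unique)
        # With RunAsVirtualAccount = $true a correctly mapped session runs as a
        # 'WinRM Virtual Users\WinRM VA_*' identity; whoami.exe is visible in this role,
        # so a failure here already means the role capability was not applied.
        try   { $RunsAs = Invoke-Command -Session $Session -ScriptBlock { whoami.exe } -ErrorAction Stop }
        catch { $RunsAs = $null }
    }
    finally { Remove-PSSession -Session $Session }

    # Commands the role promises but the live session does not expose
    $Missing = @($Expected | Where-Object { $_ -notin $Actual })

    [pscustomobject]@{
        ExpectedCount        = $Expected.Count
        ActualCount          = $Actual.Count
        MissingCommands      = $Missing
        RunsAsVirtualAccount = [bool]($RunsAs -like 'WinRM Virtual Users\*')
        # In the failure reported above, Get-HW and every *-DnsServer* cmdlet land here
        RoleApplied          = ($Missing.Count -eq 0)
    }
}

# Usage (prompts for JerryG's password instead of embedding it in the script):
# Test-JeaRole -Credential (Get-Credential -UserName 'Reskit\JerryG' -Message 'JEA test user')
```

A healthy endpoint returns RoleApplied = True with an empty MissingCommands list; the behaviour described in this issue shows up as RoleApplied = False with RunsAsVirtualAccount = False.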
cc @PaulHigin
I've been able to reproduce this. But I won't be able to investigate further until Monday.
Thanks @PaulHigin - Glad someone else can reproduce this. I am hoping this is a) not intended behaviour and b) if so, a fix can be added to RC2 or RTM???
Yes, I think this will be a 'must fix' for the next release. But I'll know more after I investigate.
Not sure if it's possible - but can JEA handling be added to the test matrix??
Update:
I have found the problem and it is a failure of the WinRM layer to report the user token to the host JEA session, with the result that the user is not validated for the specified role.
This seems to happen only on preview builds and I am working on contacting the WinRM team to determine why this is broken for this case.
The fix has been merged. Thanks for reporting this!
Thanks - I downloaded the daily build and it works as designed
Thanks