Constrained endpoints with proxy functions

I have created a constrained endpoint on an admin tools server that can only run certain modules, scripts, and proxy functions. One script in particular installs a shared network printer to the print server and adds a CNAME record in DNS utilizing Add-Printer and Add-DnsServerResourceRecordCName pointing to the and . If I run the script on a localhost with an elevated PowerShell, the script runs correctly. However, if I attempt to run the script as the constrained endpoint using Enter-PSSession with the configuration file, the script fails to connect to the DNS server or print server.

Can this be done using Enter-PSSession, or is there an alternative method to connect to a DNS and print server?

Thank you in advance for your help.

You’re very likely hitting the double-hop authentication problem, because you’re having the endpoint reach out to another machine. See https://powershell.org/kb/the-double-hop-authentication-problem/.

Don,

If I understand correctly, after enabling CredSSP on the client and server machines, we should be able to use the delegated computer to extend those credentials? Or would we need to explicitly enter credentials to use CredSSP correctly?

Once CredSSP is set up you ought to be fine.
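As an added illustration of the CredSSP route (not code from this thread): both hops are enabled, and the session into the constrained endpoint is opened with explicit credentials, which `-Authentication Credssp` requires. The host names, the `AdminTools` configuration name and the printer details are placeholders.

```powershell
# Added example, not from the thread. Host names, the session configuration
# name and the printer values are placeholders.

# --- On the client (where Enter-PSSession / New-PSSession is run) ---
# Allow delegation of fresh credentials only to the admin tools server,
# never to '*', so only that one host can receive them.
Enable-WSManCredSSP -Role Client -DelegateComputer 'admintools01.corp.example' -Force

# --- On the admin tools server (first hop, hosts the constrained endpoint) ---
Enable-WSManCredSSP -Role Server -Force
# Confirm both roles are actually in place before testing further.
Get-WSManCredSSP

# --- Back on the client: CredSSP only works with explicit credentials ---
$cred = Get-Credential -Message 'Account permitted to use the constrained endpoint'
$session = New-PSSession -ComputerName 'admintools01.corp.example' `
    -ConfigurationName 'AdminTools' `
    -Authentication Credssp -Credential $cred

# Basic name resolution and port checks run from *inside* the endpoint,
# not from an RDP session, because the endpoint is far more constrained.
Invoke-Command -Session $session -ScriptBlock {
    Resolve-DnsName -Name 'printsrv01.corp.example' -ErrorAction Stop
    Test-NetConnection -ComputerName 'printsrv01.corp.example' -CommonTCPPort SMB
}

# Only once those succeed, do the second-hop work through the endpoint.
Invoke-Command -Session $session -ScriptBlock {
    Add-Printer -ComputerName 'printsrv01.corp.example' -Name 'Lobby-Printer' `
        -ShareName 'Lobby-Printer' -Shared -PortName 'IP_10.0.0.50' `
        -DriverName 'Microsoft PCL6 Class Driver'
}
Remove-PSSession $session
```

If the constrained endpoint does not expose Resolve-DnsName or Test-NetConnection, run the two checks from an unconstrained session on the same admin tools server so that the name resolution being tested is still the endpoint host's, not the RDP client's.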

Adding the DNS record now works properly with CredSSP. When I attempt to create the printer on the print server, I get the following error.

add-Printer : The specified server does not exist, or the server or printer name is invalid. Names may not contain
‘,’ or '' characters.
+ CategoryInfo : NotSpecified: (MSFT_Printer:ROOT/StandardCimv2/MSFT_Printer) [Add-Printer], CimException
+ FullyQualifiedErrorId : HRESULT 0x80070709,Add-Printer

If I log into the admin tools server using RDP, I can run that command just fine. The syntax I’m using is:

Add-Printer -ComputerName printserver -Name name -ShareName name -Shared -PortName name -DriverName name

There are no “,” or "" in the print name.

So, the difficulty with printers and Remoting is that printers always live within a user profile. When you RDP in, you’re adding the printer to your user profile. But Remoting doesn’t load a full user profile. So that’s one possibility.

But from the error message, I’m guessing that’s not it. And I’m guessing that’s not the actual syntax you’re using, either :wink: because it would definitely not work with the extra dashes you’ve put in. I’m assuming you’re just giving me an idea of what you’re running, which is fine.

On the whole, it would definitely appear as if the machine hosting the endpoint is having trouble resolving the server name. From within that endpoint, can you ping by name? Have you done some basic troubleshooting at that level?

Troubleshooting from within an RDP session is interesting, but it isn’t a solid troubleshooting technique, because you’re comparing apples and Volkswagens. The Remoting endpoint can be significantly more constrained, lacks a full user profile, etc. So you’ll need to go down to basics within the endpoint, and troubleshoot there.

Ok. Makes sense. So I narrowed it down to the -ComputerName parameter. If I remove the parameter, the command will run. But, if I try to specify the print server I want to add the printer to, it throws that error. Is it possible that the OS version is causing the issue? The print server is 2008 R2.

No, it should just be using normal name resolution. As I said, I’d probably make sure I could ping the server, using the same server name, from within the endpoint. Or at least use Nslookup from within the endpoint to make sure the server can resolve the name correctly. Basic TCP/IP.

Yes, I have done all the basic troubleshooting. I cannot use the get-printer -computername command on any server or client. I have made sure I’ve enabled CredSSP on both servers and clients. Maybe this cannot be done in a remote session.

Thanks for your help.

It’s possible. As I noted earlier, printers tend to get tied to a user profile, and a Remote endpoint doesn’t technically have a full user profile.