Endpoint Access Denied when using RunAsCredential

Using the step-by-step instructions in Don Jones’ Secrets of Powershell Remoting ebook, I create a new Endpoint, named TestEndPoint. Connecting to the new TestEndPoint as a domain admin works.

However, when I set the endpoint to run as a different user (using the RunAsCredential), Enter-PSSession returns an error “Access is denied.” The RunAsCredential user is a domain admin account.

The PowerShell Operational Log reports, “WSMan reported an error with error code: 5” and “Error message: Connecting to remote server localhost failed with the following error message : Access is denied” with an EventID of 32784.

Any ideas on what to try to troubleshoot the issue? I’m sure is a security lockdown in our environment, because it works in vanilla test systems.

It’s possible that the RunAs account doesn’t have the needed privileges (not the same as permissions) to log on as a background process, which is what Wsmprovhost.exe needs for it. It’s also possible that the ACL on the endpoint, which determines who can connect, wasn’t set correctly.

It is now working! Thanks Don for the point in the right direction. I knew it was a lockdown somewhere but couldn’t find it, going all through the Local Security Policy as well as group policy related settings and analyzing all the privileges.

I thought it had the correct privileges, but could not find a definitive list anywhere to verify. None of the logs (e.g., PowerShell, System, Security, etc.) had any errors.

For the record (and hopefully to help the next guy out):

  • The ACL on the endpoint was correctly set.
  • The WSMProvHost.exe process was starting and not generating any error or warning entries in any log.

But Don’s post got the thinking and I used SysInternals ProcMon to check up on WSMProvHost.exe. It turns out it was a registry permission issue. Specifically, Network Service needed Write (I gave it Full Control) to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\AutoRestartList. It created an entry called TestEndpoint (the name of my new PowerShell endpoint) of type REG_DWORD with a value of 0. As soon as that permission change was made, it started working.