Setting up JEA using a jump station

I’m looking into JEA and setting it up for users to use a jump station. I run the ps command from server1 that creates a session on server2 - from here I want to be able to run commands for several servers.

The test below shows the Get-Service command failing. It works OK for server 2 (which I suppose I am on).

Any ideas what I am doing wrong here?

 

[Server2]: PS> Get-Service -ComputerName Server4 -Name Dnscache
Get-Service : Cannot find any service with service name ‘Dnscache’.
At line:25 char:23
+ $scriptCmd = {& $wrappedCmd @PSBoundParameters }
+ CategoryInfo : ObjectNotFound: (Dnscache:String) [Get-Service], ServiceCommandException
+ FullyQualifiedErrorId : NoServiceFoundForGivenName,Microsoft.PowerShell.Commands.GetServiceCommand

Sounds like you might be using a local virtual account? I suspect you want to configure the “GroupManagedServiceAccountName” in your .pssc file.

https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/jea/security-considerations?view=powershell-6
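One way to apply the gMSA suggestion above on the jump station, as an added example that is not part of the original thread. The names `LAB`, `JEAacct`, `Helpdesk`, `Server2` and `Server4` come from the thread; the file paths, the `LAB\HelpdeskUsers` group and the `Helpdesk` role capability are assumptions. The `New-PSSessionConfigurationFile` parameter for this setting is `-GroupManagedServiceAccount`.

```powershell
# Added example: run in an elevated PowerShell session on Server2 (the jump station).
# Assumed (hypothetical): the paths below, the LAB\HelpdeskUsers group, and a role
# capability file Helpdesk.psrc already installed in a module on Server2.
# Requires the ActiveDirectory module for Test-ADServiceAccount.

$configDir = 'C:\ProgramData\JEAConfiguration'
$psscPath  = Join-Path $configDir 'Helpdesk.pssc'
$logDir    = Join-Path $configDir 'Transcripts'
$roles     = @{ 'LAB\HelpdeskUsers' = @{ RoleCapabilities = 'Helpdesk' } }

New-Item -ItemType Directory -Path $configDir, $logDir -Force | Out-Null

# Before (local-only endpoint): a virtual account is an identity local to Server2,
# which suits roles that manage Server2 itself, not other servers.
# New-PSSessionConfigurationFile -Path $psscPath -SessionType RestrictedRemoteServer `
#     -RunAsVirtualAccount -RoleDefinitions $roles

# After (endpoint that reaches other servers): commands in the session run as the
# gMSA, a domain identity. Every connecting user shares that identity, so keep
# transcripts to trace actions back to the person who connected.
New-PSSessionConfigurationFile -Path $psscPath `
    -SessionType RestrictedRemoteServer `
    -GroupManagedServiceAccount 'LAB\JEAacct' `
    -RoleDefinitions $roles `
    -TranscriptDirectory $logDir

if (-not (Test-PSSessionConfigurationFile -Path $psscPath)) {
    throw "Session configuration file $psscPath is not valid."
}

# Server2 must be allowed to retrieve the gMSA password before registering.
if (-not (Test-ADServiceAccount -Identity 'JEAacct')) {
    throw 'Server2 cannot use the gMSA JEAacct.'
}

# Replace any existing endpoint of the same name. Registering restarts WinRM,
# which drops other remoting sessions on Server2.
if (Get-PSSessionConfiguration -Name 'Helpdesk' -ErrorAction SilentlyContinue) {
    Unregister-PSSessionConfiguration -Name 'Helpdesk' -Force
}
Register-PSSessionConfiguration -Name 'Helpdesk' -Path $psscPath -Force

# The gMSA only has the rights it is granted: give LAB\JEAacct just the access
# on Server4 that the Helpdesk role needs, not domain-wide administrator rights.
```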

There is a bug in the Get-Service command which gives the same error: when the computer is not available, it gives an error saying it cannot find the service.

Thanks, @kvprasoon for the info. Any reference for the same?

Glesga188853, you can use Get-CIMInstance instead of Get-Service in this scenario...
Get-CimInstance -ClassName CIM_Service -ComputerName Server4 | where name -eq Dnscache
 

[quote quote=184410]Sounds like you might be using a local virtual account? I suspect you want to configure the “GroupManagedServiceAccountName” in your .pssc file.

https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/jea/security-considerations?view=powershell-6

[/quote]
Hi,

 

I tried using a group managed service account.

I get this error when trying to create the session:

PS C:\Users\Administrator.LAB> Enter-PSSession -ComputerName Server2 -ConfigurationName Helpdesk -Credential LAB\user1

Enter-PSSession : Connecting to remote server Server2 failed with the following error message : The verification of the Managed Service
Account failed with error 5. Ensure that the account is valid. For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ Enter-PSSession -ComputerName Server2 -ConfigurationName Helpdesk -Cr …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (Server2:String) [Enter-PSSession], PSRemotingTransportException
+ FullyQualifiedErrorId : CreateRemoteRunspaceFailed

If I run Test-ADServiceAccount JEAacct on server 2 it comes back as true.

Any help appreciated. There just seems to be a lack of documentation on this JEA stuff.

 

[quote quote=184488]There is a bug in the Get-Service command which gives the same error: when the computer is not available, it gives an error saying it cannot find the service.

[/quote]
The server is available though.

I was doing some reading in the JEA documentation. Maybe Resource-Based Constrained Kerberos Delegation is the method for achieving this? Anyway, this doc covers various methods of overcoming the second-hop scenario. Hope this is helpful.

https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/ps-remoting-second-hop?view=powershell-6#resource-based-kerberos-constrained-delegation