Web Front End for PS script - issues with PS remoting

Hi, I am evaluating a Web Front End solution for backend PowerShell scripts - every single time, the backend PowerShell script fails here:

$session = New-PSSession -ComputerName dcName -ConfigurationName DomainAdmins

Invoke-Command -Session $session -ScriptBlock {…}

Error: Cannot validate argument on parameter ‘Session’. The argument is null or empty. Provide an argument that is not null or empty, and then try the command again. [dcName] An error has occurred which PowerShell cannot handle. A remote session might have ended.

The Service Account the Web App Pool is running under has permissions on the DomainAdmins JEA endpoint. Outside of the Web Front End, the New-PSSession command above works without issues under the Service Account credential.

This is a major showstopper since I prefer using the JEA concept whenever possible. Any help would be appreciated.

I don't have an answer to your question (other than the fact that $Session is null, hence the error); however, this sounds like a bad idea to me from a security perspective.

This is from a Google search:

Yes, running an IIS application pool as "Domain Admins" is generally considered a very bad idea because it grants the application pool excessive privileges, posing a significant security risk; it's best practice to create a dedicated, least-privileged service account for each application pool instead

It is not a Domain Admin account - it has the minimum permissions required to do the job on the DomainAdmins JEA endpoint.

You’ll have to inspect the $session variable.

$session | Get-Member

Invoke-Command reported it as null so my guess would be the session isn’t being established.

It hasn’t been established for some reason, hence my post here 🙂. I have also checked outbound traffic to tcp/5985 and nothing was captured with Wireshark.

Unfortunately, we won’t be able to debug this for you. Are you not seeing an error on this line?

New-PSSession -ComputerName dcName -ConfigurationName DomainAdmins

You should get some sort of feedback if it’s unable to create a session.

Only what I posted initially - very generic.

Had the session been established for a split second, I would have seen something in Wireshark.

Never done the PS behind IIS thing … just wondering what happens if you try:

Invoke-Command -ComputerName dcname -ScriptBlock {…}

The same will happen. The odd thing is that the free WebJEA solution does not have any issues executing a PS script with remoting inside (Web App on top of IIS).

Same thing as in same error? Can you share the error?
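
An added example, not code from any poster in this thread: one way to surface the underlying New-PSSession failure when the script runs under the web app pool, where the host may hide the error stream. `dcName` and `DomainAdmins` are the values from the thread; the log path and the `Write-Diag` helper are assumptions.

```powershell
# Added diagnostic example. 'dcName' and 'DomainAdmins' are the values from the thread;
# the log path and the Write-Diag helper are assumptions made for this example.
$computer = 'dcName'
$endpoint = 'DomainAdmins'
$logPath  = Join-Path $env:TEMP 'jea-session-diag.log'

function Write-Diag {
    param([string]$Message)
    # Timestamped line appended to the log, since a web host may swallow the error stream.
    Add-Content -Path $logPath -Value ('{0:o} {1}' -f (Get-Date), $Message)
}

# Record who the script really runs as inside the app pool.
Write-Diag ('Identity: ' + [System.Security.Principal.WindowsIdentity]::GetCurrent().Name)
Write-Diag ('PowerShell: ' + $PSVersionTable.PSVersion)

# WinRM reachability check, independent of the JEA endpoint.
try {
    Test-WSMan -ComputerName $computer -ErrorAction Stop | Out-Null
    Write-Diag 'Test-WSMan: OK'
} catch {
    Write-Diag ('Test-WSMan failed: ' + $_.Exception.Message)
}

$session = $null
try {
    # -ErrorAction Stop turns a failed connection into a terminating error,
    # so the script never reaches Invoke-Command with a null $session.
    $session = New-PSSession -ComputerName $computer -ConfigurationName $endpoint -ErrorAction Stop
    Write-Diag ('Session state: ' + $session.State)
} catch {
    $ex = $_.Exception
    Write-Diag ('New-PSSession failed: ' + $ex.GetType().FullName)
    Write-Diag ('ErrorId: ' + $_.FullyQualifiedErrorId)
    Write-Diag ('Message: ' + $ex.Message)
    if ($ex -is [System.Management.Automation.Remoting.PSRemotingTransportException]) {
        Write-Diag ('Transport error code: ' + $ex.ErrorCode)
        Write-Diag ('Transport message: ' + $ex.TransportMessage)
    }
    throw
} finally {
    if ($session) { Remove-PSSession -Session $session }
}
```

Comparing the logged identity with the account that is granted access on the JEA endpoint shows whether the web front end runs the script as the expected Service Account.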