Access denied when remotely trying with Get-NlbClusterNode

Question

Access denied when remotely trying with Get-NlbClusterNode

Trying to write a monitoring script (Powershell) for our SMTP Cluster, which has 3 nodes at times writing.

When I locally, on the SMTP Cluster run this command:

Get-NlbClusterNode

I get the output I need.

But if I try the same from a remote server (same network and domain) I get an:

[smtp-s001a]: PS C:\> Get-NlbClusterNode
Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
+ CategoryInfo          :
+ FullyQualifiedErrorId :
AccessDenied,Microsoft.NetworkLoadBalancingClusters.PowerShell.GetNlbClusterNode

Why is that? It is ONLY the "Get-NlbClusterNODE" command that gives me access is denied. "Get-NlbCluster" for an example, works just fine.

Any advice?

powershell

windows-server-2008

powershell-2.0

asked on Stack Overflow Jun 1, 2012 by

user1281991

4 Answers

I had the same issue.

Took me a while to figure out. I was running Powershell as a process from my service. The service is running under the same user account across all hosts but the password is generated randomly on each host/cluster node, that's why I got "Access Denied..." Once I change the password to the same, everything works fine.

answered on Stack Overflow Sep 30, 2012 by

Jinlin Tong • edited Oct 4, 2012 by

Jinlin Tong

I have found some workaround. Impersonate with admin credentional in remote session

function EntryPoint()
{
    ImportModule-Impersonate;

    $impersonate = new-object UserSession.Impersonate;
    try
    {
        if ($impersonate.Login("SKODA", "Administrator", "*****") -eq $false) {
            throw new Exception("Invalid credentials");
        }
        Import-Module NetworkLoadBalancingClusters
        Get-NlbClusterNode;    
    }
    finally
    {
        $impersonate.Dispose();
    }
};

function ImportModule-Impersonate {

$assem = @();

$source = @" 
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Text;

namespace UserSession
{
    public class Impersonate : IDisposable
    {
        public const int LOGON32_LOGON_INTERACTIVE = 2;
        public const int LOGON32_PROVIDER_DEFAULT = 0;

        private WindowsImpersonationContext _impersonationContext;

        [DllImport("advapi32.dll")]
        public static extern int LogonUserA(String lpszUserName,
                                            String lpszDomain,
                                            String lpszPassword,
                                            int dwLogonType,
                                            int dwLogonProvider,
                                            ref IntPtr phToken);

        [DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
        public static extern int DuplicateToken(IntPtr hToken,
                                                int impersonationLevel,
                                                ref IntPtr hNewToken);

        [DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
        public static extern bool RevertToSelf();

        [DllImport("kernel32.dll", CharSet = CharSet.Auto)]
        public static extern bool CloseHandle(IntPtr handle);

        public bool Login(String domain, String userName, String password)
        {
            IntPtr token = IntPtr.Zero;
            IntPtr tokenDuplicate = IntPtr.Zero;

            if (RevertToSelf())
            {
                if (LogonUserA(userName, domain, password, LOGON32_LOGON_INTERACTIVE,
                               LOGON32_PROVIDER_DEFAULT, ref token) != 0)
                {
                    if (DuplicateToken(token, 2, ref tokenDuplicate) != 0)
                    {
                        WindowsIdentity tempWindowsIdentity = new WindowsIdentity(tokenDuplicate);
                        _impersonationContext = tempWindowsIdentity.Impersonate();

                        if (_impersonationContext != null)
                        {
                            CloseHandle(token);
                            CloseHandle(tokenDuplicate);
                            return true;
                        }
                    }
                }
            }
            if (token != IntPtr.Zero)
            {
                CloseHandle(token);
            }
            if (tokenDuplicate != IntPtr.Zero)
            {
                CloseHandle(tokenDuplicate);
            }
            return false;
        }

        public void Logout()
        {
            if (_impersonationContext != null)
            {
                _impersonationContext.Undo();
                _impersonationContext = null;
            }
        }

        public void Dispose()
        {
            Logout();
        }
    }
}
"@;

    Add-Type -ReferencedAssemblies $assem -TypeDefinition $source -Language CSharp 
}

EntryPoint;

answered on Stack Overflow Oct 24, 2012 by

ezyuzin • edited Oct 25, 2012 by

ezyuzin

Also disable UAC and reboot machine.

answered on Stack Overflow Jan 11, 2013 by

ezyuzin • edited Jan 14, 2013 by

ezyuzin

I had the exact same issue. The user who was using those credentials to access and run Get-NlbClusterNode had the correct permissions, yet for some unexplicable reason he was getting that weird error. I gave up investigating and did the following workaround:

$username = "domain\user_name"
$securePassword = "secure_hash" | ConvertTo-SecureString
$credential = New-Object System.Management.Automation.PSCredential $username, $securePassword
$result = Start-Process powershell.exe -WorkingDirectory $PSHome -Credential $credential -ArgumentList ("-File $PSScriptRoot\your-script.ps1") | Out-Null

Where if in your-script.ps1 you put in the:

Invoke-Command -ComputerName "your-remote-server" -ScriptBlock {
    Get-NlbClusterNode
    #Any other commands you want here
}

it worked as expected...

answered on Stack Overflow Jan 17, 2020 by

sfitsos • edited Jan 17, 2020 by

sfitsos

User contributions licensed under CC BY-SA 3.0