Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Remoting using Azure Active Directory (AAD) credentials fails with "access is denied"
See original GitHub issueSummary
I’m trying to specify an AzureAD credential to connect to a PowerShell Remoting session. I can connect locally (loopback) without specifying any credentials successfully. However, when I specify the exact same account information explicitly, it fails.
https://stackoverflow.com/questions/62235382/powershell-throws-access-is-denied-exception-when-using-azure-active-directory https://www.reddit.com/r/sysadmin/comments/drkq67/remote_powershell_session_using_azuread/ https://powershell.org/forums/topic/problem-with-remote-session-using-azure-ad-credentials/ https://powershell.org/forums/topic/azure-ad-connection-credential/
Steps to reproduce
C:\Users\TrevorSullivan> etsn localhost -UseSSL -SessionOption (New-PSSessionOption -SkipCACheck -SkipCNCheck) -Credential azuread\trevorsullivan
PowerShell credential request
Enter your credentials.
Password for user azuread\trevorsullivan: **********
Enter-PSSession: Connecting to remote server localhost failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
C:\Users\TrevorSullivan> etsn localhost -UseSSL -SessionOption (New-PSSessionOption -SkipCACheck -SkipCNCheck)
[localhost]: PS C:\Users\TrevorSullivan\Documents>
Expected behavior
PowerShell uses the Azure AD credential to establish a remoting session.
Actual behavior
Access is denied.
Environment data
Name Value
---- -----
PSVersion 7.0.3
PSEdition Core
GitCommitId 7.0.3
OS Microsoft Windows 10.0.19041
Platform Win32NT
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
WSManStackVersion 3.0
Issue Analytics
- State:
- Created 3 years ago
- Reactions:1
- Comments:26
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
This does work but I think it’s besides the point, I don’t want to rewrite my entire library of scripts to have every command authenticate with lanadmin… Unless you’ve got a clever way to wrap it in to make things run remotely under that context?
This is a response from Microsoft Support on the issue:
WinRM doesn’t support AAD authentication. It supports only Kerberos, NTLM and certificate authentication. You can find more details here: Authentication for Remote Connections - Win32 apps | Microsoft Docs - https://docs.microsoft.com/en-us/windows/win32/winrm/authentication-for-remote-connections
The AAD authentication is going to be added with next version of OS. As a conclusion you have faced with by design behavior.
Guys, do you have maybe some workaround of how to run on-demand, scripts remotely in an environment with AAD joined devices please