What permissions are needed on the client side for RunspaceFactory.CreateRunspace?

Hi.
I am running a remote powershell command from an IIS application to an Exchange server getting the below error. Everything works fine if the IIS application pool identity is in the local administrators group on the IIS server so we can rule out issues with
firewall or anything on the Exchange server. It is a problem with lack of privileges on the local server. 
So my question is: What permissions are required on the local server for RunspaceFactory.CreateRunspace? I find good documentation on the permissions required on the server side, but nothing about the client side.
The last Win32 error code after failure is 1008.
An internal error occurred. 
at at System.Management.Automation.Remoting.Client.WSManClientSessionTransportManager.Initialize(Uri connectionUri, WSManConnectionInfo connectionInfo) 
at System.Management.Automation.Remoting.Client.WSManClientSessionTransportManager..ctor(Guid runspacePoolInstanceId, WSManConnectionInfo connectionInfo, PSRemotingCryptoHelper cryptoHelper) 
at System.Management.Automation.Remoting.ClientRemoteSessionDSHandlerImpl..ctor(ClientRemoteSession session, PSRemotingCryptoHelper cryptoHelper, RunspaceConnectionInfo connectionInfo, URIDirectionReported uriRedirectionHandler) 
at System.Management.Automation.Remoting.ClientRemoteSessionImpl..ctor(RemoteRunspacePoolInternal rsPool, URIDirectionReported uriRedirectionHandler) 
at System.Management.Automation.Internal.ClientRunspacePoolDataStructureHandler..ctor(RemoteRunspacePoolInternal clientRunspacePool, TypeTable typeTable) 
at System.Management.Automation.Runspaces.Internal.RemoteRunspacePoolInternal..ctor(Int32 minRunspaces, Int32 maxRunspaces, TypeTable typeTable, PSHost host, PSPrimitiveDictionary applicationArguments, RunspaceConnectionInfo connectionInfo) 
at System.Management.Automation.Runspaces.RunspacePool..ctor(Int32 minRunspaces, Int32 maxRunspaces, TypeTable typeTable, PSHost host, PSPrimitiveDictionary applicationArguments, RunspaceConnectionInfo connectionInfo) 
at System.Management.Automation.Runspaces.RunspaceFactory.CreateRunspacePool(Int32 minRunspaces, Int32 maxRunspaces, RunspaceConnectionInfo connectionInfo, PSHost host, TypeTable typeTable, PSPrimitiveDictionary applicationArguments) 
at System.Management.Automation.RemoteRunspace..ctor(TypeTable typeTable, RunspaceConnectionInfo connectionInfo, PSHost host, PSPrimitiveDictionary applicationArguments) 
at System.Management.Automation.Runspaces.RunspaceFactory.CreateRunspace(RunspaceConnectionInfo connectionInfo, PSHost host, TypeTable typeTable, PSPrimitiveDictionary applicationArguments) 
at System.Management.Automation.Runspaces.RunspaceFactory.CreateRunspace(RunspaceConnectionInfo connectionInfo) 

Thanks Daniel.
I see that the IIS server has a GPO setting 'Allow log on locally' to the local administrators group for this server. I will order add of the IIS app pool identity to this list.
I tried the process monitor comparing runs with and without the app pool identity as local administrator. The runs are identical up to the point where one does something useful and the other closes 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN'.
There are no failures.
I am not using my runspace objects for multiple threads. I dispose after use.
I will end up with the below if I change. Comments?
public static PowershellResult RunPowerShellCommandExchange2010(string exchangeServer, string command, ICollection<KeyValuePair<string, object>> parameters, string usr, string pwd) {
WindowsImpersonationContext impersonationContext = null;
try {
impersonationContext = WindowsIdentity.Impersonate(IntPtr.Zero);
GetProcessInformation();
try {
var connectionInfo = GetExchange2010ConnectionInfo(exchangeServer, usr, pwd);
using (var runspace = RunspaceFactory.CreateRunspacePool(1, 1, connectionInfo)) {
using (PowerShell powershell = PowerShell.Create()) {
var psCommand = new PSCommand();
if (parameters != null) {
psCommand.AddCommand(command);
foreach (KeyValuePair<string, object> parameter in parameters) {
if (parameter.Value == null) psCommand.AddParameter(parameter.Key);
else psCommand.AddParameter(parameter.Key, parameter.Value);
} else {
//if parameters argument is null the command will be treated as script
psCommand.AddCommand(new Command(command, true));
powershell.Commands = psCommand;
runspace.Open();
powershell.RunspacePool = runspace;
var resultPSObjects = powershell.Invoke();
var psResult = new PowershellResult {
PSObjects = resultPSObjects,
Errors = powershell.Streams.Error.ToList()
return psResult;
} catch (Exception ex) {
var windowsIdentity = WindowsIdentity.GetCurrent();
int errorCode = Marshal.GetLastWin32Error();
if (windowsIdentity != null) throw new Exception(string.Format("Failed to run Exchange powershell command '{0}' as user {1} passing executing user {2} due to: {3} at {4}. Server: {5}. Last error code: {6}", command, windowsIdentity.Name, usr, ex.Message, ex.StackTrace, exchangeServer, errorCode), ex);
throw new Exception(string.Format("Failed to run Exchange powershell command '{0}' as unknown user passing executing user {1} due to: {2} at {3}. Server: {4}. Last error code: {5}", command, usr, ex.Message, ex.StackTrace, exchangeServer, errorCode), ex);
} finally {
if (impersonationContext != null) {
impersonationContext.Undo();
Tore Olav Kristiansen

Similar Messages

  • What permissions are needed to be able to view requests?

    Hi OIM gurus,
    Let's say a user logged in and requested a resource and it was assigned and provisioned to him/her. A request id is created in OIM. Now, what permission is needed for another user (an admin) to view this request with this request id? I see that if an admin is member of "SYSTEM ADMINISTRATORS" group the admin is able to view the request details, but it is not working if the admin is member of any other user groups. I tried to add this other user group on the Resource object under Administrators, as well as Object Authorizers, and also in the Process Definition Administrators. But it doesn't seem to work.
    Could someone help me with this?
    Thanks a lot

    Thanks Martin. I kind of followed it up into the code (ofcourse using Jad) and ended up with the Stored procedure XL_SPG_GetAllowedRequests which is called to get all the allowed requests for this user. From this, it seems like the admin (or his group) has to be one of the approvers of the request and then he can view the request. If he did not approve he cannot view the request.
    There was a bug fix around 2 years back (like you mentioned) that extended the base requirement (of SYSTEM ADMINISTRATORS user group) and at that time they might have added the call to get allowed requests.
    I will leave this thread open to see if someone has any other thoughts to get around this.
    Thanks

  • What products are included in the complete package for students

    I am Looking to buy the complete adobe student bundle but was wondering which products it includes.The ones i really need are photoshop, dreamweaver and flash. can you tell me are these included in that bundle? thanks.

    what is in the entire Cloud http://www.adobe.com/creativecloud/catalog/desktop.html

  • What commands are needed to configure authentication?

    I'm running the JaasAcn Sample from a DOS prompt on a Win XP client and am getting 'authentication failed'. My Active Directory Realm is AD.COURSEWIZARD.COM and the KDC FQDN is ad.ad.coursewizard.com. It succeeds when I run the 'Sample' locally on the AD server. If I set 'isInitiator=false' in jaas.conf, it succeeds no matter what I enter for username & password. It seems that I need to configure an SPN.
    When setting an SPN, are you declaring that a particular AD user account is associated with a remote service that will be requesting authentication?
    Do I have to also use the 'ktpass' command, even though I'm using a Win client?
    If I use ktpass, but am just testing with a PC on the Inet, should I just use my IP address for domain since I don't have a FQDN?
    Do I need to move the keytab file, created by ktpass, to the client and configure it to use it?
    Does the ADS need to have a krb5.conf or krb5.init file? I don't see one under '../drivers/etc/'.
    What commands are needed in order to configure the server, and client, to authenticate successfully?
    Cheers

    Sorry, I haven't seen a nice JGSS for Windows guide yet.
    Back to your questions:
    1. When setting an SPN, are you declaring that a particular AD user account is associated with a remote service that will be requesting authentication?
    IMHO, setspn creates a service-like alias for a normal AD account, so that GSS style server program can use it as a NT_HOSTBASED_SERVICE name.
    2. Do I have to also use the 'ktpass' command, even though I'm using a Win client?
    ktpass is used at the server side, what you use at client side is unrelated.
    3. If I use ktpass, but am just testing with a PC on the Inet, should I just use my IP address for domain since I don't have a FQDN?
    Porbably not. Anyway, AD works fine with a DNS. If you haven't one, config the AD server as a DNS server.
    4. Do I need to move the keytab file, created by ktpass, to the client and configure it to use it?
    No, keytab is used at server side. The client side uses the native credentials cached in LSA after you login to Windows as an AD account.
    5. Does the ADS need to have a krb5.conf or krb5.init file? I don't see one under '../drivers/etc/'.
    Yes, Java needs the file for both client and server JGSS programs. Normally it should be inside the WINDOWS directory. Somethign weird woun happen if you uses Terminal Services or else. Add -Dsun.security.krb5.debug=true to the Java command line will show you when Java tries to look for this file.
    6. What commands are needed in order to configure the server, and client, to authenticate successfully?
    You need setspn.exe and ktpass.exe on the server to create the SPN and the keytab file. No tools are necessary on the client side, but MS's kerbtray.exe and klist.exe (attention: MS's klist, not Java's) are nice. BTW, a nice network sniffer (say, Wireshark) is also useful.
    I'm not an expert on all these questions, but I cannott resist the temptation to give an answer to each of them.

  • Open/read a txt file on the client side in a Form server architecture

    We are moving our software from client-server to Web architecture but we have problems
    with all the forms that use GET_FILE_NAME and
    TEXT_IO built-in functions.
    This commands, in fact, work on the application-server side and not on the client (browser-side) as we need.
    How can we solve this problem??????
    Thank-you for your help.
    null

    there is a way to solve this problem.
    you must use developer 6 and above.
    you will have to modify your appliaction and use developer ability to work with javabeans
    you will have to write a javabean that will do the read/write operation at the client side.
    for more details look at my answer to the following topic:
    "Read and Write Files to user from FormsServer "
    that was opened at dec 15.
    Yossi

  • Auto remove of log files on the client-side is not working

    Hi,
    I have a setup for one-to-one client/server replication database. Everything is replicated ok.
    But on the client side, I see the log.00000000xx files are not removing at all,
    while the server has only 2 last log.00000000xx files left. But if I switch the role of the client/server,
    the newly server will eventually removed the unused log.00000000xx file, and have two last log file left.
    Both client and server database environment setup has called dbenvp->log_set_config(dbenvp, DB_LOG_AUTO_REMOVE, 1).
    Is there any additional setting for the client-side to auto remove the unused log files?
    Thanks,
    Sandra

    Hi.
    First, what version are you running? We created a test to confirm that this feature is
    working as expected on both a master and a client site. What flags do you have set
    for replication? I think we need to have you run with replication verbose messages
    set on the client site and possibly other diagnostics in order to determine what is different
    about your setup. We should take that level offline. Verbose messages can generate
    a large amount of output.
    You can contact me at the typical [email protected] and we'll move it
    forward that way. Thanks.
    Sue LoVerso
    Oracle

  • ADF Faces + hardware device in the client side.( adf swing  or adf java fx)

    We are using adf+swing in desktop app.
    We like ADF Faces but we need interations with Hardware device in the client side: scan reader, web cam, bar code reader, finger prints reader …
    How to do that’s in the adf faces web environment ( what about with sandbox security) how to obtain in the adf faces web page in the client side de video streams.
    In the future adf will be use Java FX?
    Thanks
    Juan Carlos Llanes

    Hi,
    see sample 71 http://www.oracle.com/technetwork/developer-tools/adf/learnmore/index-101235.html#CodeCornerSamples
    You can use ActiveX plugins or JavaApplet to access the client system. To reach out of the sandbox, it will require a certificate
    In the future adf will be use Java FX?
    No.

  • How do i see what applications are running in the background

    My iMac is running very slow my operating system is OS X Yosemite Version 10.10.2 with a 2.5 GHz Intel Core i5 Processor. How do I see what applications are running in the background?

    Reinstalling OS X Without Erasing the Drive
    Boot to the Recovery HD: Restart the computer and after the chime press and hold down the COMMAND and R keys until the menu screen appears. Alternatively, restart the computer and after the chime press and hold down the OPTION key until the boot manager screen appears. Select the Recovery HD and click on the downward pointing arrow button.
    Reinstalling OS X Without Erasing the Drive
    Repair the Hard Drive and Permissions: Upon startup select Disk Utility from the main menu. Repair the Hard Drive and Permissions as follows.
    When the recovery menu appears select Disk Utility and press the Continue button. After Disk Utility loads select the Macintosh HD entry from the the left side list.  Click on the First Aid tab, then click on the Repair Disk button. If Disk Utility reports any errors that have been fixed, then re-run Repair Disk until no errors are reported. If no errors are reported click on the Repair Permissions button. Wait until the operation completes, then quit Disk Utility and return to the main menu.
    Reinstall OS X: Select Reinstall OS X and click on the Continue button.
    Note: You will need an active Internet connection. I suggest using Ethernet if possible because it is three times faster than wireless.
    Alternatively, see:
    Reinstall OS X Without Erasing the Drive
    Choose the version you have installed now:
    OS X Yosemite- Reinstall OS X
    OS X Mavericks- Reinstall OS X
    OS X Mountain Lion- Reinstall OS X
    OS X Lion- Reinstall Mac OS X
         Note: You will need an active Internet connection. I suggest using Ethernet
                     if possible because it is three times faster than wireless.

  • Hi am new and need help on client side java.

    Hi I am a .net developer. Dont boo lol. I am trying to find the latest on Java. I build web apps and would like to use java on the client side.
    Is there a new form of java for client side code.
    What do I need to install?
    Where are some good sites that provide tutorials for Java newbies wishing to develop web client scripts etc.
    Thanks

    Hi I am a .net developer. Dont boo lol. I am trying
    to find the latest on Java. I build web apps and
    would like to use java on the client side.
    Is there a new form of java for client side code. Web apps usually use Java Server Pages, or JSPs, on the client side.
    What do I need to install? Tomcat is a free servlet/JSP engine:
    http://jakarta.apache.org/tomcat
    Where are some good sites that provide tutorials for
    Java newbies wishing to develop web client scripts
    etc.
    ThanksBetter buy a book. I highly recommend Hans Bergsten's JSP book for O'Reilly.
    %

  • Controlling the client-side cache

    At the current stage on my project I'm finding that I'm changing my mapping definitions fairly frequently (because the country side is just the wrong shade of egg-shell). Clearing the server side cache is fairly easy to do, provided you remember to do it, but my problem is on the client side.
    Right now, the tiles are returned with a one week time to live. So if I change the mapping definitions it might not propagate through to all the clients until up to a week later. What I'd like to do, at least for now, is turn off storing of map tiles on the client-side. The easiest way to do that would be to specify the cache-control header but I can't seem to find a configuration option for that.
    Has anyone setup MapViewer to use a different cache-control?

    Hi Mark,
    You can specify the cache control statements for the page itself.
    If this does not help, try to set expires header for the images. ex for Apache see mod_expires for a directory/location setting
    regards, michael

  • Fetching a partial range of selected result rows from the client side

    It has been a while since I started trying to solve this Oracle puzzle.
    Basically, what I need it is a way to fetch from the client side a run-time
    defined range of result rows of a arbitrary SELECT query.
    In low-end databases like MySQL I can do it simply by appending the LIMIT
    argument to the end of the SELECT query statment passing the number of
    the first row that I want to be returned from the server from the total
    result rows available in the result set and the maximum number of rows
    that it may return if available.
    In higher end databases I am supposed to use server side cursors to skip
    any initial rows before the first that I want to retrieve and fetch only
    the rows I want up to the given limit.
    I am able to achieve this with PostgreSQL and Microsoft SQL server, but I
    am having a hard time with Oracle. The main problem is how do I fetch
    result rows from a server side cursor and have their data returned to a
    client side in a result set like in a straight SELECT query?
    I was able to create a cursor and fecth a row into a server side record
    variable with the following PL/SQL code.
    DECLARE
    CURSOR c IS SELECT * FROM my_table;
    my_row c%ROWTYPE;
    BEGIN
    OPEN c;
    FETCH c INTO my_row;
    CLOSE c;
    END;
    I want to do this from PHP, so I don't have client side ESQL variables to
    store the result set data structure. Anyway, if I can do it just with
    SQLPlus I should be able to do it in PHP.
    If I do straight SELECT I can get the result set, but in a PL/SQL script
    like the one above I don't seem to be able to select the data in the
    fetched row record to have returned to the client. Does a straight SELECT
    query sends the result rows to a default client side variable?
    If anybody can help, I would appreciate if you could mail me at
    [email protected] because I am not able to access this forum all the time in
    the Web. BTW, is it possible to access this forum by e-mail?
    Thanks in advance,
    Manuel Lemos
    null

    Hello Jason,
    On 03-Feb-00 05:34:14, you wrote:
    I'm not sure I totally understand your problem, but I think you might be able
    to solve it by using the ROWNUM variable. ROWNUM returns the sequenc number
    in which a row was returned when first selected from a table. The first row
    has ROWNUM = 1, the second has ROWNUM = 2, etc. Just remember that the
    ROWNUM is assigned as soon as it's selected, even before an order by. So if
    you have an order by clause, it'll mess it up. Here's an example. I hope
    that helps.I though of that before but it doesn't help because if you use ORDER BY the
    first result row might not have ROWNUM=1 and so on. Another issue is that
    I want to be able to skip a given number of result rows before returning
    anything to the client.
    The only way I see to do it is to get the rows with server side cursor.
    But how do I return them to the client? Where does a normal select returns
    the rows? Isn't there a way to specify that the fetch or something else
    return the rows there?
    Regards,
    Manuel Lemos
    Web Programming Components using PHP Classes.
    Look at: http://phpclasses.UpperDesign.com/?user=[email protected]
    E-mail: [email protected]
    URL: http://www.mlemos.e-na.net/
    PGP key: http://www.mlemos.e-na.net/ManuelLemos.pgp
    null

  • How can we avoid installing java3d runtime envoirnment on the client side

    Hi All, my applet uses java3d api. To see this applet in the browser on the client side we need to install java3d runtime envoirnment. Is it neccassary or can we avoid it. If we can avoid installing java3d runtime env , how can we do that.. Can Java WebStart help in this.
    your suggestion will be valuable..
    Thanks
    Akhil

    Yes, of course we can avoid it. Just as we can avoid asking the user to download the JRE if they want to run java.
    The only slight pay off we make for that is that the program won't run at all on their computer.
    As long as this is not an issue, there should be no problem.
    Seriously, my understanding is that Web-Start can hide the fact that we are installing Java 3D on their machine or at least make the installation very simple. There is no way to run Java3D applications without Java3D.

  • How do I port my Windows Word, Excel, and Powerpoint files to the MAC?  What software is needed on the MAC to use them?  Thanks.

    How do I port my Windows Word, Excel, and Powerpoint files to the MAC?  What software is needed on the MAC to use them?  Thanks.

    You can certainly use iWork, though I hesitate to recommend it to a seasoned Windows user simply because it would add another level of the unfamiliar with which you would have to gain familiarity. The iWork applications are certainly very competent and in most respects both easy to use and surprisingly powerful. They are not 100% compatible however, though that typically manifests itself in document formatting issues rather than anything more significant.
    I have never attempted to import emails from a Windows system into MacOS - other than in Outlook connected to an Exchange server, thus not really an issue at all. I doubt that the Mail app in MacOS can import directly, but of course you could always set the account(s) up on the Mac and then forward emails you want to keep from the PC. Not elegant, but it works. Virtually any Windows document or file, whichever application created it, can be opened or converted for use on a Mac, and using both systems on my desk each day I rarely see any issues switching stuff from one machine to the other. You may stumble over one or two issues, but likely not significant.
    In switching platforms there will be some inevitable issues, not so much with being able to import your stuff because there's usually a workaround or a utility that can help, but just with getting familiar with the platform and the differences between Windows and MacOS that can obscure their similarities. From time to time the support community here hears from a user who has found the migration very problematic and regrets it, but for the most part the phrase 'I should have done this years ago...' is rather more prevalent!

  • Opening a Java Window from a jsp page on the client side

    Hi all,
    Thanks in advance to all who could help me for this problem.
    I've written some jsp pages. In one of them, I open a new Java Window,
    which is a simple Java Frame. If I test this directly on the Tomcat
    server, everything works well.
    But when I call the jsp page through a web browser of a distant client
    (normal use), and when I want to see the java window, no window pops
    up. It appears that the Java Window pops up on the server, and not on
    the client side, which is what I wanted.
    Could someone tell me how to make the Java frames appear on the client
    side ? (Is it linked to the code or to the configuration of Tomcat ?)
    Thanks in advance,
    Alexis.

    JSP always run on the server. On the client you only see the results.
    But you can use applets on the client side: http://java.sun.com/docs/books/tutorial/uiswing/components/applet.html

  • How do I determine what xtras are needed?

    From the searching I have done it appears that xtras equired are mostly trial-and-error.
    Is there an efficient way to determine what xtras are needed for each lindividual movie?
    My programs are divided into a series of sequential movies.  At the end of each movie
    there is a goto statement to launch the next movie.  Does that require me to determine
    xtras for each separate movie? 
    In a perfect world there would be a way for Director to search a  folder for and present an aggregate list of all xtras required for that set of movies.
    If no such method exists, what is the recommended hunt and peck system?

    Thanks for the response, rduane.  But I refer to the procedures as a bit random for the reasons you mentioned in your explanation.  For example, you stated that, "Director will normally add all of the Xtras that you need to each movie as you build it".  And, yes, I know that it does add some automatically.  But, if Director really does "add all of the xtras that you need to each movie as it is built", how could I ever jump to one that is missing a needed xtra?  If it needs it, why wasn't it added when it was built?
    So, that's the reason I mentioned "trial and error", and "hunt and peck".  The system is not reliable in its handling of xtras, or which ones are needed where.  I am familiar with workarounds such as going to each movie and selecting Modify>Movies>Xtras to see which ones Director has added,  But that is all it tells you.  It does not tell you if it has added all the xtras "needed".  And when the error message comes up, it does name the missing xtra, but not which movie needs it.  So, one has to go find the named xtra and copy it over to the Xtras folder. 
    At least, that's what I do to fix it.  But I asked the question because I wanted to know if Xtras handling itself is unreliable, or if I'm doing something incorrectly.
    Dewey-+

Maybe you are looking for