wsmprovhost.exe requires write permissions on "RemotePowerShellConfig.txt", this blocks delegated users from logging on remotely #20180
Description
Prerequisites
- Write a descriptive title.
- Make sure you are able to repro it on the latest released version
- Search the existing issues.
- Refer to the FAQ.
- Refer to Differences between Windows PowerShell 5.1 and PowerShell.
Steps to reproduce
With delegated permissions for a user or group, this user is unable to connect to the remote system and receives this error:
Enter-PSSession: Connecting to remote server lab-dc01.water.lan failed with the following error message : <f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="2689860592" Machine="lab-dc01.water.lan"><f:Message><f:ProviderFault provider="PowerShell.7" path="C:\Windows\system32\PowerShell\7.3.6\pwrshplugin.dll"></f:ProviderFault></f:Message></f:WSManFault> For more information, see the about_Remote_Troubleshooting Help topic.
Command used:
enter-PSSession -ComputerName "lab-dc01.water.lan" -ConfigurationName "PowerShell.7"
Delegated permissions on server with this command:
Set-PSSessionConfiguration -Name Microsoft.PowerShell -showSecurityDescriptorUI
Using Process Explorer I could see that wsmprovhost.exe requires generic read/write and share mode read / write on the file, "C:\Windows\System32\PowerShell\7.3.6\RemotePowerShellConfig.txt". It tries to do so with the user that's trying to logon.
Workaround was to set an ACE with write access for the user on the file, "C:\Windows\System32\PowerShell\7.3.6\RemotePowerShellConfig.txt"
Expected behavior
When delegation is setup, a user can logon without the error message and not needing the write permissions on the "C:\Windows\System32\PowerShell\7.3.6\RemotePowerShellConfig.txt" file.Actual behavior
The user can not logon and receives this error message:
Enter-PSSession: Connecting to remote server lab-dc01.water.lan failed with the following error message : <f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="2689860592" Machine="lab-dc01.water.lan"><f:Message><f:ProviderFault provider="PowerShell.7" path="C:\Windows\system32\PowerShell\7.3.6\pwrshplugin.dll"></f:ProviderFault></f:Message></f:WSManFault> For more information, see the about_Remote_Troubleshooting Help topic.Error details
Exception :
Type : System.Management.Automation.Remoting.PSRemotingTransportException
ErrorCode : -1605106704
ErrorRecord :
Exception :
Type : System.Management.Automation.ParentContainsErrorRecordException
Message : Connecting to remote server lab-dc01.water.lan failed with the following error message : <f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault"
Code="2689860592" Machine="lab-dc01.water.lan"><f:Message><f:ProviderFault provider="PowerShell.7"
path="C:\Windows\system32\PowerShell\7.3.6\pwrshplugin.dll"></f:ProviderFault></f:Message></f:WSManFault> For more information, see the about_Remote_Troubleshooting Help topic.
HResult : -2146233087
CategoryInfo : ResourceUnavailable: (:) [], ParentContainsErrorRecordException
FullyQualifiedErrorId : System.Management.Automation.Remoting.PSRemotingDataStructureException
TargetSite :
Name : EndInvoke
DeclaringType : System.Management.Automation.Runspaces.AsyncResult, System.Management.Automation, Version=7.3.6.500, Culture=neutral, PublicKeyToken=31bf3856ad364e35
MemberType : Method
Module : System.Management.Automation.dll
Message : Connecting to remote server lab-dc01.water.lan failed with the following error message : <f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault"
Code="2689860592" Machine="lab-dc01.water.lan"><f:Message><f:ProviderFault provider="PowerShell.7"
path="C:\Windows\system32\PowerShell\7.3.6\pwrshplugin.dll"></f:ProviderFault></f:Message></f:WSManFault> For more information, see the about_Remote_Troubleshooting Help topic.
Source : System.Management.Automation
HResult : -2146233087
StackTrace :
at System.Management.Automation.Runspaces.AsyncResult.EndInvoke()
at System.Management.Automation.Runspaces.Internal.RunspacePoolInternal.EndOpen(IAsyncResult asyncResult)
at System.Management.Automation.RemoteRunspace.Open()
at Microsoft.PowerShell.Commands.EnterPSSessionCommand.CreateTemporaryRemoteRunspace(PSHost host, WSManConnectionInfo connectionInfo)
at Microsoft.PowerShell.Commands.EnterPSSessionCommand.CreateRunspaceWhenComputerNameParameterSpecified()
TargetObject : lab-dc01.water.lan
CategoryInfo : InvalidArgument: (lab-dc01.water.lan:String) [Enter-PSSession], PSRemotingTransportException
FullyQualifiedErrorId : CreateRemoteRunspaceFailed
InvocationInfo :
MyCommand : Enter-PSSession
ScriptLineNumber : 1
OffsetInLine : 1
HistoryId : 5
Line : enter-PSSession -ComputerName "lab-dc01.water.lan" -ConfigurationName "PowerShell.7"
PositionMessage : At line:1 char:1
+ enter-PSSession -ComputerName "lab-dc01.water.lan" -ConfigurationName …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
InvocationName : enter-PSSession
CommandOrigin : Internal
ScriptStackTrace : at <ScriptBlock>, <No file>: line 1
PipelineIterationInfo :Environment data
Windows 11 Client
Name Value
---- -----
PSVersion 7.3.6
PSEdition Core
GitCommitId 7.3.6
OS Microsoft Windows 10.0.22621
Platform Win32NT
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
WSManStackVersion 3.0
Windows Server 2022
Name Value
---- -----
PSVersion 7.3.6
PSEdition Core
GitCommitId 7.3.6
OS Microsoft Windows 10.0.20348
Platform Win32NT
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
WSManStackVersion 3.0
