WebJEA icon indicating copy to clipboard operation
WebJEA copied to clipboard

Published 20 hours ago verified publisher icon markdomansky

Remote Exchange Connections

Open cpdonohue opened this issue 5 years ago • 9 comments
trafficstars

I'm trying to use WebJea to connect to ExchangeOnline using the new Powershell v2 cmdlets. I keep getting an error of "Access denied." The same credentials work if run from powershell directly on the server. Anybody have suggestions?

cpdonohue avatar Jan 22 '20 22:01 cpdonohue

How are you storing the credentials so they're accessible by the IIS RunAs account?

markdomansky avatar Jan 27 '20 02:01 markdomansky

The credentials are in a file that the application pool user has access to. The failure isn't coming at reading the file. Its coming at the connection. Connect-ExchangeOnline -Credential $UserCredential fails with Access Denied. But works when run locally.

cpdonohue avatar Jan 27 '20 18:01 cpdonohue

How are the credentials stored in the file? Clear text or using ConvertFrom-SecureString. ConvertFrom-SecureString generates a string that can only be decrypted by the same user on the same machine. You would have to log in as the RunAs account to do it that way. What I've done in the past is store credentials using the localmachine account.

This article has instructions how, you just replace "CurrentUser" with "LocalMachine". It's certainly not best practice, but it's worked for me.

markdomansky avatar Jan 27 '20 19:01 markdomansky

In the very not recommended category... the password is in plain text. The code looks like: $Pass = get-content file.pw | convertto-securestring -asplaintext -force $Credential = get-credential (new-object -typename System.Management.Automation.PSCredential -argumentlist "[email protected]",$Pass) Connect-ExchangeOnline -credential $credential That last line returns access denied.

cpdonohue avatar Jan 28 '20 21:01 cpdonohue

Sorry for the delay in getting back to you. Have you confirmed that get-content is actually reading the file? It may still be a permissions issue on the file itself.

markdomansky avatar Mar 19 '20 20:03 markdomansky

Did you get anywhere with the Exchangev2 cmdlets?

i was able to get authentication working using the Certificate based auth with a cert in my gMSA cert store using the preview cmdlets (as noted here: https://techcommunity.microsoft.com/t5/exchange-team-blog/modern-auth-and-unattended-scripts-in-exchange-online-powershell/ba-p/1497387

The connect itself works fine, but none of the cmdlets work in WebJea. I get this response.

System event notifications are not supported under the current context. Server processes, for example, may not support global system event notifications.
at <ScriptBlock>, C:\WebJEA\Scripts\Test.ps1: line 45
    + CategoryInfo          : NotSpecified: (:) [Get-EXOMailbox], InvalidOperationException

The same cmdlets work fine in a psexec session running under the gMSA account.

ksccare avatar Jul 09 '20 06:07 ksccare

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Sep 07 '20 07:09 stale[bot]

Marking as a bug for the moment so that stalebot doesn't kill it. I haven't had much opportunity to look into this.

markdomansky avatar Sep 07 '20 14:09 markdomansky

I haven't looked at this for a while, we did a workaround.

its not pretty, but for those who may need these cmdlets in Webjea at this time, we ended up using webjea to call a scheduled task which ran the cmdlets with the inputs and then had the site read the output back to the user. It worked for our requirements.

ksccare avatar Sep 07 '20 22:09 ksccare