I know this is a bit basic, but I'll be eternally grateful if someone could set me straight on this.
- I have a bunch of Windows 2012 R2 servers running Hyper-V.
- An XML-RPC web service runs on these servers. There is some hosted Powershell behind this. It works perfectly.
- The hosted Powershell code runs via impersonation. Again, works great.
- Even though these machines have always been in a domain, XML-RPC authentication has worked like this:
I have used a period (".") for domain. I have used the username "Administrator". I have used a distinct password per 'local' administrator account.
I have recently added clustering functionality to my application; this is just in the form of some wrappers for Microsoft's Powershell cmdlets, plus my own stuff. If I read the docs correctly, clustering can only be administered with domain credentials. I want my web service to run under a single set of credentials (to simplify the details the calling application needs to store).
I assumed I would wiggle the authentication model like this:
- Have a domain user for each Hyper-V host.
- Ensure that this user was a member of the local admin and hyper-v administrator groups.
- Add these users to a 'clustered hyper-v hosts' group, and give this group 'clustering permissions' through the clustering administration tools.
My problems:
- When running the tweaked model, my code has exploded and no longer works: lots of authentication errors, and I can sit and see things hitting the registry and being denied.
- If I pick a host at random, log on to it with this new domain user (which, to be clear, is a member of the local admin group) and run my code without the xml-rpc wrapper, I see lots of authentication errors. It is as if this user is not running with administrative credentials, even though it has these permissions.
- These users also seem to have restricted clustering permissions, even though they should have full access.
- If I run the 'test-cluster' command, it will tell me I do not have permissions on the host I am running it on.
I am willing to admit I have a broken directory, or genuine access problems here, but perhaps I have an inherent misunderstanding of how this is supposed to work. I am a Linux engineer and programmer; I know a bit of Windows. I am a little confused as to how UAC is working in this context, in a domain environment, when I am not logged on as the true administrator account... If I right click a Powershell window and 'run as' administrator, my code all appears to work, even the clustering stuff (which I am led to believe, through docs, should not run as a local admin).
Am I hitting some kind of elevation issue here? If a domain user has 'effective permissions' (hopefully that term is not confusing things) to do some stuff, does it still have to be elevated in some way?
Thanks very much.
I faced a similar issue with running powershell from an impersonated C# application. I used PowerShell Community Extensions https://pscx.codeplex.com/ to list active privileges inside a PowerShell script.
Add this snippet to your PS script:
Let it run with working and non-working credentials, and compare those lists of privileges. If you find some privileges disabled (but not missing), try to enable them in this way:
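An added diagnostic, not the answerer's PSCX snippet, that makes the comparison above concrete for the question's scenario: it reports whether the current token is the full (elevated) one or the one UAC has filtered, whether BUILTIN\Administrators is present only as a deny-only group, and which privileges are present but disabled. It uses only built-in `whoami` and .NET classes; `Get-TokenReport` is a name chosen here.

```powershell
# Added diagnostic, not the answerer's PSCX snippet. Run it once in a plain
# PowerShell window and once in a "Run as administrator" window, under the
# same domain account, and compare the two reports.
function Get-TokenReport {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

    # True only when the process holds the full (elevated) token. On the
    # UAC-filtered token this is $false even for members of local Administrators,
    # which matches the "it works if I run as administrator" symptom.
    $elevated = $principal.IsInRole(
        [System.Security.Principal.WindowsBuiltInRole]::Administrator)

    # whoami shows the raw token groups, including those UAC has demoted.
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $admins = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }   # BUILTIN\Administrators
    $filtered = ($admins -ne $null) -and ($admins.Attributes -match 'deny only')

    # Privileges present on the token but currently disabled (the case the
    # answer above says can be fixed by enabling them). Privileges that are
    # missing entirely cannot be enabled from inside the script.
    $privs    = whoami /priv /fo csv | ConvertFrom-Csv
    $disabled = $privs | Where-Object { $_.State -eq 'Disabled' } |
                ForEach-Object { $_.'Privilege Name' }

    [pscustomobject]@{
        User               = $identity.Name
        Elevated           = $elevated
        InLocalAdmins      = ($admins -ne $null)
        UacFilteredToken   = $filtered
        PrivilegeCount     = @($privs).Count
        DisabledPrivileges = @($disabled)
    }
}

Get-TokenReport | Format-List
```

If the plain window reports `Elevated = False` and `UacFilteredToken = True` while the elevated window reports `Elevated = True`, the access-denied errors are UAC token filtering rather than a broken directory or missing group membership. A token obtained by an interactive-type logon (as impersonation via LogonUser often is) is filtered the same way, so the hosted code sees the same reduced token unless it is obtained or run in an unfiltered context.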