When I run the following PowerShell script directly on a machine
Add-Type -Path "C:\Program Files\Microsoft Visual Studio 10.0\Common7\IDE\ReferenceAssemblies\v2.0\Microsoft.TeamFoundation.VersionControl.Client.dll"
$basePath = "http://magv-dev-tfs:8080/tfs/MccCollection"
[Microsoft.TeamFoundation.Client.TeamFoundationServerFactory]::GetServer($basePath)
I get an object with the fields AuthenticatedUserName, AuthenticatedUserDisplayName, AuthenticatedUserIdentity set.
When I run the same script in a remote PowerShellTab from some other machine on the same machine using the same credentials, then these 3 fields are empty:
AuthenticatedUserName :
AuthenticatedUserDisplayName :
AuthenticatedUserIdentity :
Uri : http://my-tfs:8080/tfs/mcccollection
TimeZone : System.CurrentSystemTimeZone
InstanceId :
Name : my-tfs\MccCollection
Credentials : System.Net.SystemNetworkCredential
Culture : de-DE
SessionId : 7c76a150-f681-4b3c-9b0d-2836a3a5a908
ClientCacheDirectoryForInstance :
HasAuthenticated : False
TfsTeamProjectCollection : magv-dev-tfs\MccCollection
Edit:
At least I found a workaround: How to use [Microsoft.TeamFoundation.Client.TeamFoundationServerFactory]::GetServer with credential from Powershell
Add a -credential argument to the invoke-command call?
When you use Visual Studio TFS, PowerShell can access the connections that you have registered when you connected to your project. RegisteredTfsConnections provides access to the registered connections, so you don't have to bother with putting your credentials into the code.
The following snippet connects to a TFS server, and returns a WorkItem.
[System.Reflection.Assembly]::LoadWithPartialName("Microsoft.TeamFoundation.Client")
[System.Reflection.Assembly]::LoadWithPartialName("Microsoft.TeamFoundation.WorkItemTracking.Client")
$regProjCollection = [Microsoft.TeamFoundation.Client.RegisteredTfsConnections]::GetProjectCollection("tfs2010\TFS2010-MyCollection")
$tfsTeamProjCollection = [Microsoft.TeamFoundation.Client.TfsTeamProjectCollectionFactory]::GetTeamProjectCollection($regProjCollection)
$ws = $tfsTeamProjCollection.GetService([type]"Microsoft.TeamFoundation.WorkItemTracking.Client.WorkItemStore")
$ws.GetWorkItem(2525)
I have a functions app written in Powershell that worked up until a month or so ago.
The function uses a module (https://www.powershellgallery.com/packages/NTware.Ufo.PowerShell.ObjectManagement/2022.2.0.1) that is only compatible with "Windows PowerShell".
The module is loaded as follows:
Import-Module $PSScriptRoot\Modules\NTware.Ufo.PowerShell.ObjectManagement.dll -UseWindowsPowerShell
The module allows connection to an external Azure environment that hosts an application.
The error returned is:
2022-09-02T13:38:31Z [Warning] WARNING: Module NTware.Ufo.PowerShell.ObjectManagement is loaded in Windows PowerShell using WinPSCompatSession remoting session; please note that all input and output of commands from this module will be deserialized objects. If you want to load this module into PowerShell Core please use 'Import-Module -SkipEditionCheck' syntax.
2022-09-02T13:38:34Z [Error] ERROR: Failed to authenticate.
OriginInfo : localhost
Exception :
Type : System.Management.Automation.RemoteException
SerializedRemoteException : System.ArgumentException: Failed to authenticate. ---> Microsoft.Identity.Client.MsalServiceException: AADSTS1002016: You are using TLS version 1.0, 1.1 and/or 3DES cipher which are deprecated to improve the security posture of Azure AD
I have tried the following without success:
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Import-Module $PSScriptRoot\Modules\NTware.Ufo.PowerShell.ObjectManagement.dll -UseWindowsPowerShell
I suspect the issue is that the remote Azure environment has started enforcing TLS 1.2. I have set my Azure Function App to also use TLS 1.2.
Any ideas on where the issue might be?
Modules imported with the -UseWindowsPowerShell are in fact loaded to a separate Windows PowerShell session in a separate process (see about Windows PowerShell Compatibility). Changing the [Net.ServicePointManager]::SecurityProtocol variable in the local process does not affect other processes. You need to update this variable in the remote process, here is how:
$session = Get-PSSession -Name WinPSCompatSession
Invoke-Command -Session $session -Command {
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
}
I do the following:
$url = 'https://oo.de/websites/it'
$sncred = Get-StoredCredential -Target PnPPS:SPCredentials
$Global:snPnPConn = Connect-PnPOnline -Url $url -Credentials $sncred -TransformationOnPrem -CurrentCredential -ReturnConnection
# Does run, but the next one gives 403-Error
Get-PnpList
Get-PnPList : Der Remoteserver hat einen Fehler zurückgegeben: (403) Unzulässig.
How can I debug this?
According to the Admin of my site, I do have full access rights on the Site.
I can open the site in browser.
All the help on the Internet is for AzureAD(?!).
$snPnpConn:
>ConnectionType : O365
>InitializationType : Unknown
>Scopes :
>PSCredential :
>ClientId : 31359c7f-bd7e-475c-86db-fdb8c937548e
>ClientSecret :
>ApplicationInsights : PnP.PowerShell.ALC.ApplicationInsights
>Url : https://foo.de/websites/it
>TenantAdminUrl :
>Certificate :
>DeleteCertificateFromCacheOnDisconnect : False
>Context : PnP.Framework.PnPClientContext
>Tenant :
>AzureEnvironment : Production
I've run into the same problem. My solution was to uninstall the PnP.PowerShell module and install the legacy SharePointPnPPowerShell2019 module. The legacy module isn't being maintained, but the newer version doesn't support on-premise installations. There is some confusion about this, and there were attempts made to get PnP.PowerShell to work with on-prem (the -TransformationOnPrem flag). But Microsoft documentation as of May 2022 says that PnP.PowerShell doesn't support on-premise farms: PnP PowerShell.
From PowerShell, run "Uninstall-Module PnP.PowerShell". Once that completes, run "Install-Module SharePointPnPPowerShell2019" (or 2016 or 2013, depending on your version of SharePoint).
After I got the legacy module installed, I was able to successfully run commands like Get-PnPList without the 403 errors.
Been able to do it against Microsoft.PowerShell (5.1), but today I hit a known issue on 5.1 with remote Copy-Item so I installed PowerShell 7 on the remote server (checking "Enable Remoting" in the installer) and am trying to get it working.
$securePassword = ConvertTo-SecureString -AsPlainText -Force -String $Password
$credential = New-Object -TypeName system.management.automation.pscredential -ArgumentList $Username, $securePassword
$session = New-PSSession $targetMachineHostName -Credential $credential -ConfigurationName "Microsoft.PowerShell"
Enter-PSSession $session
Above works. But if I change ConfigurationName to "PowerShell.7.1.0" I get:
[myserver.com.au] Connecting to remote server myserver.com.au failed with
| the following error message : <f:WSManFault
| xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="2689860592"
| Machine="myserver.com.au"><f:Message><f:ProviderFault provider="PowerShell.7.1.0"
| path="C:\Windows\system32\PowerShell\7.1.0\pwrshplugin.dll"></f:ProviderFault></f:Message></f:WSManFault> For more information, see the about_Remote_Troubleshooting Help topic.
On the remote server I've run enable ps remoting in a 7.1 powershell so if I run Get-PSSessionConfiguration it returns a bunch of configurations, including the following:
Name : PowerShell.7.1.0
PSVersion : 7.1
StartupScript :
RunAsUser :
Permission : NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators AccessAllowed, BUILTIN\Remote
Management Users AccessAllowed
The dll the error refers to exists on the machine.
The user credentials I'm using are for a Local User on the remote machine that isn't an Administrator, but belongs to the Remote Management Users group.
Also worth noting from the remote machine itself (as a different Administrator local account, I can start a session to localhost).
After making the user an Administrator I was able to connect, but I'd gone to great lengths earlier to make non-Administrator possible on 5.1.
Out of interest, I tried giving the user Full Control to C:\Windows\system32\PowerShell\7.1.0 and then I could connect...
Still would love to know what's going on though and whether I'm doing the right thing or minimum permissions required.
It seems like the minimum security permissions to the folder are:
Read & Execute
List folder contents
Read
Write
Write is bizarre, but without it I get that error. I've assigned those permissions to the "Remote Management Users" group.
Docs here touch a little bit on v5.1 vs v7, and then link to here mentioning an install script so maybe something has fallen through the cracks.
I was getting the same error. I installed PowerShell 7 from Microsoft Store and then ran Enable-PSRemoting. I got this error so I uninstalled it and reinstalled it from WinGet which uses the MSI. That didn't work either. I tried running Enable-PSRemoting again, but nothing changed.
I ran Install-PowerShellRemoting.ps1 and it gave me two errors about things already existing and did not fix the problem. However, I was able to resolve the problem by doing the following:
Delete the PowerShell 7 plugins: Remove-Item 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Plugin\PowerShell.7','HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Plugin\PowerShell.7.1.1'.
Run Install-PowerShellRemoting.ps1 again.
I'm not sure what the difference was, but deleting and allowing the script to generate it again fixed it for me.
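A check for the folder permissions discussed in the posts above, as an added example that is not from either poster: it sums the Allow rights granted directly to the built-in Remote Management Users group on the plugin folder and reports whether they cover the set listed above. The folder path is the one quoted in the question, S-1-5-32-580 is the well-known SID of that group (used so the match works on localized Windows), and the function name is hypothetical.

```powershell
# Added example (not from the thread). Run elevated on the remoting target.
function Test-PluginFolderAccess {
    [CmdletBinding()]
    param(
        # Folder named in the WSManFault above; adjust for the installed version.
        [string]$Path = 'C:\Windows\system32\PowerShell\7.1.0',
        # Well-known SID of BUILTIN\Remote Management Users.
        [string]$GroupSid = 'S-1-5-32-580'
    )
    $rightsType = [System.Security.AccessControl.FileSystemRights]
    # Set reported in the post as the minimum. "List folder contents" and
    # "Read" are both contained in ReadAndExecute.
    $required = [int]($rightsType::ReadAndExecute -bor $rightsType::Write)

    $acl = Get-Acl -LiteralPath $Path
    # Resolve rules to SIDs so the match does not depend on the display language.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference.Value -eq $GroupSid }

    # Only rules that name the group itself are counted; rights a user holds
    # through other groups are not part of this report.
    $allowed = 0
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -eq 'Allow') {
            $allowed = $allowed -bor [int]$rule.FileSystemRights
        }
    }

    [pscustomobject]@{
        Path          = $Path
        AllowedRights = [System.Security.AccessControl.FileSystemRights]$allowed
        HasListedSet  = ($allowed -band $required) -eq $required
        DenyRules     = @($rules | Where-Object { $_.AccessControlType -eq 'Deny' }).Count
    }
}

Test-PluginFolderAccess
```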
Short story: I get the following error when trying to create a namespace on Azure Service Bus using Azure Powershell (Run as Administrator):
PS C:> New-AzureSBNamespace -Name mynewnamespace2 -Location "East US"
-CreateACSNamespace $true -Namespac New-AzureSBNamespace : Object reference not set to an instance of an object. At line:1 char:1
+ New-AzureSBNamespace -Name mynewnamespace2 -Location "East US" -CreateACSNamespace $ ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [New-AzureSBNamespace], NullReferenceException
+ FullyQualifiedErrorId : Microsoft.WindowsAzure.Commands.ServiceBus.NewAzureSBNamespaceCommand
Long story: I created a first namespace in Azure Service Bus to use Relay in buffered mode (namespace=mynewnamespace). It works great except when you want to transfer a larger set of data. For this there is the streamed mode and I found this handy example (https://code.msdn.microsoft.com/How-to-send-a-large-c36ab70e), changed appropriate settings for namespace and credentials and ran the server part from the project and I get the error
{"The remote name could not be resolved:
'mynewnamespace-sb.accesscontrol.windows.net'"}
because, of course, this ACS namespace does not exist. So I found out that I need to create the namespace the old fashioned way using PS, installed Azure CLI and ran the commands below with the following result:
For a list of all Azure cmdlets type 'get-help azure'.
For a list of Windows Azure Pack cmdlets type 'Get-Command wapack'.
PS C:> azure login
info: Executing command login
|info: To sign in, use a web
browser to open the page https://aka.ms/devicelogin. Enter the code EE226448L to
authenticate. If you're signing in as an Azure AD application, use the
--username and --password parameters.
/info: Added subscription Visual Studio Enterprise with MSDN info: Setting subscription
"Visual Studio Enterprise with MSDN" as default
info: login command OK
PS C:> New-AzureSBNamespace -Name mynewnamespace2 -Location "East US" -CreateACSNamespace $true -NamespaceType Messaging
WARNING: Microsoft Azure PowerShell collects data about how users use
PowerShell cmdlets and some pro encounter. Microsoft uses this
information to improve our PowerShell cmdlets. Participation is volu
choose to participate your device automatically sends information to
Microsoft about how you use Azure Powershell.
If you choose to participate, you can stop at any time by using Azure
PowerShell as follows:
1. Use the Disable-AzureDataCollection cmdlet to turn the feature Off. The cmdlet can be found in the AzureResourceManager module To disable
data collection: PS > Disable-AzureDataCollection
If you choose to not participate, you can enable at any time by using
Azure PowerShell as follows:
1. Use the Enable-AzureDataCollection cmdlet to turn the feature On. The cmdlet can be found in the AzureResourceManager module To enable
data collection: PS > Enable-AzureDataCollection
Select Y to enable data collection [Y/N]: WARNING: You choose not to
participate in Microsoft Azure PowerShell data collection. WARNING:
The setting profile has been saved to the following path
'C:\Users\PDube\AppData\Roaming\Windows Azure Powershell\AzureDataCollectionProfile.json'.
New-AzureSBNamespace :
Object reference not set to an instance of an object. At line:1 char:1
+ New-AzureSBNamespace -Name mynewnamespace2 -Location "East US" -CreateACSNamespace $ ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [New-AzureSBNamespace], NullReferenceException
+ FullyQualifiedErrorId : Microsoft.WindowsAzure.Commands.ServiceBus.NewAzureSBNamespaceCommand
I tried to create the new namespace using Azure CLI on 2 different computers, thinking the first install was corrupted, but I get the exact same error.
How can I fix this error?
I have a very simple powershell script that has a different behaviour depending on if I execute the script locally or remotely through a Invoke-Command / Enter-PSSession . Other scripts work fine. I'm wondering what is different about the environment of a remote session vs. a local session that would cause this difference.
Assuming the remote endpoint is set up to use your credentials, the remote session may have a different set of modules available (or different versions), there may be a profile script configured to run for the remote session and the environment is likely to be different. Also note that remote endpoints can be configured to limit access to commands (including applications) as well as restrict the language mode. A script could also walk various variables and functions to limit their visibility as well. If you look at session state you can see some of the properties that can be tweaked when configuring a remoting endpoint e.g.:
PS> $ExecutionContext.SessionState
Drive : System.Management.Automation.DriveManagementIntrinsics
Provider : System.Management.Automation.CmdletProviderManagementIntrinsics
Path : System.Management.Automation.PathIntrinsics
PSVariable : System.Management.Automation.PSVariableIntrinsics
LanguageMode : FullLanguage
UseFullLanguageModeInDebugger : False
Scripts : {*}
Applications : {*}
Module :
InvokeProvider : System.Management.Automation.ProviderIntrinsics
InvokeCommand : System.Management.Automation.CommandInvocationIntrinsics
See this article for more info on constrained endpoints. All that said, it is likely you're using the default endpoint which is usually not constrained. Another difference could be bitness. For instance, you could be running in an x86 shell but connecting to a 64-bit endpoint or vice-versa. If you need to connect to a 32-bit endpoint try the following:
PS> $s = New-PSSession -cn localhost -ConfigurationName microsoft.powershell32
PS> icm -Session $s { [IntPtr]::Size }
4
PS> Remove-PSSession $s
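To see which of the differences listed in this answer actually apply, the same probe can be run locally and through the endpoint and the results compared. This is an added example, not code from the answer; the function name and the choice of probed properties are assumptions, and the endpoint must allow script blocks for the probe to run.

```powershell
# Added example (not from the thread): diff the local session against a remote endpoint.
function Compare-SessionEnvironment {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [string]$ConfigurationName = 'Microsoft.PowerShell',
        [pscredential]$Credential
    )
    # Runs unchanged in both sessions and returns the facts the answer names:
    # language mode, bitness, version, identity, module path and modules.
    $probe = {
        [pscustomobject]@{
            LanguageMode = [string]$ExecutionContext.SessionState.LanguageMode
            PointerSize  = [IntPtr]::Size
            PSVersion    = [string]$PSVersionTable.PSVersion
            PSEdition    = [string]$PSVersionTable.PSEdition
            User         = [Security.Principal.WindowsIdentity]::GetCurrent().Name
            PSModulePath = $env:PSModulePath
            Modules      = @(Get-Module -ListAvailable |
                ForEach-Object { "$($_.Name) $($_.Version)" } | Sort-Object -Unique)
        }
    }
    $remoteArgs = @{
        ComputerName      = $ComputerName
        ConfigurationName = $ConfigurationName
        ScriptBlock       = $probe
    }
    if ($Credential) { $remoteArgs.Credential = $Credential }

    $local  = & $probe
    $remote = Invoke-Command @remoteArgs

    # Scalar properties: emit one row per value that differs.
    foreach ($name in 'LanguageMode', 'PointerSize', 'PSVersion', 'PSEdition', 'User', 'PSModulePath') {
        if ("$($local.$name)" -ne "$($remote.$name)") {
            [pscustomobject]@{ Item = $name; Local = $local.$name; Remote = $remote.$name }
        }
    }
    # Modules: emit one row per module/version present on one side only.
    foreach ($m in $local.Modules) {
        if ($m -notin $remote.Modules) { [pscustomobject]@{ Item = 'Module'; Local = $m; Remote = $null } }
    }
    foreach ($m in $remote.Modules) {
        if ($m -notin $local.Modules) { [pscustomobject]@{ Item = 'Module'; Local = $null; Remote = $m } }
    }
}

# Constructed usage, with the 32-bit endpoint name from the answer above:
# Compare-SessionEnvironment -ComputerName localhost -ConfigurationName microsoft.powershell32
```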