Quick Hits: Determine User Connected to a Delegated PowerShell Endpoint

Just a quick blurb on how you can determine who is connected to a PowerShell remoting endpoint that you have configured to use a RunAsAccount. An example of doing this can be found here. When someone connects to an endpoint that is using a RunAsAccount, it will delegate the credentials of the service account and that means if you do something like ‘whoami’ while running in the session, you will get back the service account’s username.

SNAGHTML294d3d0

Here you can see where I connected to my remote server under the ‘prox-hyperv\proxb’ credentials, but because the endpoint is running as ‘prox-hyperv\endpointsvc’, when I call ‘whoami’, it comes back as the service account. Not that useful if we need to audit connections coming in.

Fortunately, the PowerShell team added an automatic variable called $PSSenderInfo which provides this information about who is making the connection to the endpoint. This is documented in the about_automatic_variables help file (it pays to read these Smile) and as shown below, we can now locate who is making the connection.

image

This is definitely something that you should keep in mind when creating remote endpoints for your admins to use when managing systems. This should be something that you have in your startup script that writes to an event log so you have a way of tracking connections.

About Boe Prox

Microsoft Cloud and Datacenter MVP working as a SQL DBA.
This entry was posted in powershell, Tips and tagged , , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s