Words: 448
Time to read: ~ 2 minutes
A while ago, I was asked about Automation and told a story about my friend James.
In that story I talked about Constrained Endpoints and how, by using them, I could do a take the best bits of automation & delegation and not have to worry about unlocking James anymore.
Well, I was wrong
A while after I created that Constrained Endpoint, I was greeted one day by James saying he was receiving a weird error when he tried to unlock his account.
Connecting to remote server ‘server_name’ failed with the following error message : The creation of a new
Shell failed. Verify that the RunAsPassword value is correctly configured and that the Group Policy setting “Disallow
WinRM from storing RunAs credentials” is Disabled or Not Configured. To enable WinRM to store RunAs credentials,
change this Group Policy setting to Disabled. For more information, see the about_Remote_Troubleshooting Help topic.CategoryInfo : OpenError: (‘server_name’:String) [], PSRemotingTransportException
Unlock James has turned into Error James.
FullyQualifiedErrorId : CannotConnectRunAsFailed,PSSessionStateBroken
The fact that this occurrence came the day after I had reset my password, and the fact that the error message contained the words “[v]erify that the RunAsPassword value is correctly configured” was not something that was lost on me.
Luckily, PowerShell is fabulously easy to explore with it’s Get-Help command so it was a simple case to look for commands around Session Configurations – Get-Command -Name *Session*Configuration* – and look at the help contents of the Set-PSSessionConfiguration cmdlet.
Make sure you include proper help in your functions, it’ll help you immensely when you come back to it after some time.
Get-Help -Name Set-PSSessionConfiguration -Detailed
help Set-PSSessionConfiguration -Parameter RunAsCredentialThe Fix this Time
The evidence pointed to me needing to update the RunAsCredential of the endpoint and that was the overall fix for this issue.
Set-PSSessionConfiguration -Name UnlockJamesEndpoint -RunAsCredential (Get-Credential)
I threw in my username and my new password, did a quick test to see if the endpoint was available for me ( it was ), asked James to test that it was available for him ( it was ), and I closed off the ticket.
Aesop Out
Constrained Endpoints are not a technology that I am familiar with yet. It’s nice to know that I can take a look at the error messages, use some troubleshooting processes – check out the book “How to Find a Wolf in Siberia” by Don Jones ( blog | twitter ) – and figure it out.
Then again, the technology world is filled with new technologies and if you have a job where you know everything about your technology stack then congratulations to you.
For everyone else, get used to not knowing. Network, Search, Learn. You’ll be obliviously proficient in no time!