New 5.2. Install - Windows/IIS auth issues

I’m in the process of updating my 4.2.4 install to a new 5.2 install. Both are installed and hosted on Windows Server via IIS; however, 5.2 will be on Server 2022. I have noticed after setting up Windows auth that domain accounts visiting the app/dashboard on 5.2 don’t really get their role if the user is auto-signed into the app. They have to log out, then back in with Windows creds, and their roles work, and then things in the app that are based on roles work properly.

Even my admin account, which has 2 roles, administrator and a custom role, when I log in automatically, I don’t have any “roles”; I cannot see the admin drop-down from my account in the top right, but if I sign out then back in with Windows auth it’s working.

edit: I included a $roles | out-file in my app just to export my roles, and on first auth with Windows auth I see all my SIDs, but no roles listed. If I log out then back in with Windows auth and check the file, I see all my SIDs AND my custom roles.

Product: PowerShell Universal
Version: 5.2

Updated to 5.3 and the issue still persists.

edit: more troubleshooting

I did have authentication disabled on the App before but have now enabled it. Removed all custom roles, assigned just Administrator to my account, and assigned Administrator as the role for authentication.

  • When I launch directly into the App URL I get unauthorized.
  • When I launch directly into the Admin portal it auto-logs me in and I have all rights.
  • When I hit the App from the Admin portal I get unauthorized.
  • When I launch into the Admin portal, log out, then log into the Admin portal again with the Windows logon button, I can launch the app from the Admin portal or hit the app URL directly.

Happy (sort-of) to find someone experiencing the same issue as we are, @PowershellBacon.

Ours is a fresh 5.3 setup in IIS running under LocalSystem, with Windows auth, confirmed using Kerberos. Followed all of the recommendations for configuring the IIS app pool and site.

Same experience:

  • Windows accounts don’t pick up their roles until a manual logout and log back in using Windows auth.
  • Launching an app directly = unauthorized.
  • Direct to admin console = admin works, but launching an app fails until logout/login again.

I just embarrassed myself in front of the team while giving a first look at our new licensed PSU installation, only to find myself fumbling to figure out (unsuccessfully) how to launch a demo app under my admin user. At the time I did not have the procedure for recovering the roles figured out.

After days of trying, I still can’t get gMSAs to work. The LocalSystem app pool user seems unable to impersonate using the gMSA. Separate issue, perhaps, but still tied up with enterprise authentication.

I can’t launch PSU to a larger enterprise IT team (let alone a more general user audience) in this state; there will be too many complaints.

@adam, I’m really hoping to get some attention to these issues. They are show-stoppers for us, and I’m sure others in enterprise teams must feel similarly. I’d be thrilled to find out it’s all just PEBKAC!

Have you submitted a bug through the GitHub repo? Issues · ironmansoftware/powershell-universal

I think that would be the best way to get visibility on this. I had an issue with a 5.x release a few weeks back and submitted it through there. It was viewed within 24 hrs and addressed within the next release.

I submitted bug reports a couple of days ago. I generally go to the forum first to see if anyone has had similar issues that come down to a misconfiguration or misunderstanding on my part.

In fact, Adam reported only a few minutes ago that he’s isolated the gMSA issue and the fix will be included in the 5.4.4 milestone. Very happy to hear that! :tada: