Remote Exchange Connections #27

Open
cpdonohue opened this issue Jan 22, 2020 · 9 comments
Labels
bug Something isn't working

Comments

@cpdonohue

I'm trying to use WebJea to connect to ExchangeOnline using the new PowerShell v2 cmdlets.

I keep getting an error of "Access denied." The same credentials work if run from PowerShell directly on the server.
Anybody have suggestions?

@markdomansky
Owner

How are you storing the credentials so they're accessible by the IIS RunAs account?

@markdomansky markdomansky added the question Further information is requested label Jan 27, 2020
@cpdonohue
Author

The credentials are in a file that the application pool user has access to. The failure isn't coming at reading the file. It's coming at the connection.
`Connect-ExchangeOnline -Credential $UserCredential`
fails with Access Denied. But works when run locally.

@markdomansky
Owner

How are the credentials stored in the file? Clear text or using ConvertFrom-SecureString? ConvertFrom-SecureString generates a string that can only be decrypted by the same user on the same machine. You would have to log in as the RunAs account to do it that way. What I've done in the past is store credentials using the localmachine account.

This article has instructions on how; you just replace "CurrentUser" with "LocalMachine". It's certainly not best practice, but it's worked for me.
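
The machine-scope storage described in the comment above, sketched with the .NET DPAPI wrapper. This is an added example, not part of the original comment or the WebJEA project; the function names, the `C:\WebJEA\Secrets` path and the `DOMAIN\gmsaWebJEA$` account are hypothetical.

```powershell
# Added example: DPAPI with LocalMachine scope, so a blob written by an
# administrator can be decrypted by the IIS RunAs account on the same server.
Add-Type -AssemblyName System.Security
$Scope = [System.Security.Cryptography.DataProtectionScope]::LocalMachine

function Protect-MachineSecret {
    param([Parameter(Mandatory)][securestring]$Secret,
          [Parameter(Mandatory)][string]$Path)   # use an absolute path
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secret)
    try {
        $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        $bytes = [Text.Encoding]::UTF8.GetBytes($plain)
        $blob  = [Security.Cryptography.ProtectedData]::Protect($bytes, $null, $Scope)
        [IO.File]::WriteAllText($Path, [Convert]::ToBase64String($blob))
    } finally {
        # Wipe and free the unmanaged copy of the password
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    }
}

function Unprotect-MachineSecret {
    param([Parameter(Mandatory)][string]$Path)
    $blob   = [Convert]::FromBase64String([IO.File]::ReadAllText($Path).Trim())
    $bytes  = [Security.Cryptography.ProtectedData]::Unprotect($blob, $null, $Scope)
    $secure = New-Object System.Security.SecureString
    foreach ($c in [Text.Encoding]::UTF8.GetChars($bytes)) { $secure.AppendChar($c) }
    [Array]::Clear($bytes, 0, $bytes.Length)
    $secure.MakeReadOnly()
    return $secure
}

# One-time setup, run as an administrator (hypothetical path and account):
#   $file = 'C:\WebJEA\Secrets\exo.bin'
#   Protect-MachineSecret -Secret (Read-Host 'Password' -AsSecureString) -Path $file
# Machine scope lets any process on this server decrypt the blob, so the
# file ACL is the actual access control. Remove inherited ACEs and grant
# read to the RunAs account only:
#   icacls $file /inheritance:r /grant:r 'DOMAIN\gmsaWebJEA$:(R)' 'BUILTIN\Administrators:(F)'
#
# In the WebJEA script:
#   $pass = Unprotect-MachineSecret -Path 'C:\WebJEA\Secrets\exo.bin'
#   $cred = New-Object System.Management.Automation.PSCredential('user@domain.com', $pass)
```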

@cpdonohue
Author

In the very not recommended category... the password is in plain text. The code looks like:
```powershell
# Read the plain-text password from the file and convert it to a SecureString
$Pass = Get-Content file.pw | ConvertTo-SecureString -AsPlainText -Force
# Build the credential object for the Exchange Online account
$Credential = Get-Credential (New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "user@domain.com",$Pass)
Connect-ExchangeOnline -Credential $Credential
```
That last line returns access denied.

@markdomansky
Owner

Sorry for the delay in getting back to you. Have you confirmed that get-content is actually reading the file? It may still be a permissions issue on the file itself.

@ksccare

ksccare commented Jul 9, 2020

Did you get anywhere with the Exchangev2 cmdlets?

I was able to get authentication working using the Certificate based auth with a cert in my gMSA cert store using the preview cmdlets (as noted here: https://techcommunity.microsoft.com/t5/exchange-team-blog/modern-auth-and-unattended-scripts-in-exchange-online-powershell/ba-p/1497387)

The connect itself works fine, but none of the cmdlets work in WebJea. I get this response.

```
System event notifications are not supported under the current context. Server processes, for example, may not support global system event notifications.
at <ScriptBlock>, C:\WebJEA\Scripts\Test.ps1: line 45
    + CategoryInfo          : NotSpecified: (:) [Get-EXOMailbox], InvalidOperationException
```

The same cmdlets work fine in a psexec session running under the gMSA account.

@stale

stale bot commented Sep 7, 2020

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the wontfix This will not be worked on label Sep 7, 2020
@markdomansky markdomansky added bug Something isn't working and removed question Further information is requested wontfix This will not be worked on labels Sep 7, 2020
@markdomansky
Owner

Marking as a bug for the moment so that stalebot doesn't kill it. I haven't had much opportunity to look into this.

@ksccare

ksccare commented Sep 7, 2020

I haven't looked at this for a while; we did a workaround.

It's not pretty, but for those who may need these cmdlets in WebJea at this time, we ended up using WebJea to call a scheduled task which ran the cmdlets with the inputs and then had the site read the output back to the user. It worked for our requirements.
