Resolving "Access is Denied" Errors in Assets Discovery Tool with PowerShell patterns

Related content

  • No related content found

Still need help?

The Atlassian Community is here for you.

Ask the community


Platform Notice: Cloud and Data Center - This article applies equally to both cloud and data center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Before applying the steps outlined, we strongly recommend consulting with a Windows Administrator. For safety, test these configurations in a non-production environment first to avoid unintended impacts on your system. This guidance is outside Atlassian's support scope; proceed cautiously and seek professional advice.

Summary

Users encounter access denial errors when attempting to scan Target Windows hosts using the Assets Discovery tool with the "Use PowerShell" option enabled and PowerShell patterns selected.




Diagnosis

Users attempting to utilize the "Use PowerShell" option for scanning Target Windows hosts in the Assets Discovery tool encounter multiple error messages that indicate issues with access denial, unencrypted traffic being disabled, and failures in the WinRM client's process of requests due to authentication errors or server identity verification failures.

6/30/2024 10:44:46 PM: [Normal] Connecting to remote server ip-10-224-x-x.ec2.internal failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
6/30/2024 10:44:46 [Normal] Connecting to remote server ip-10-224-x-x.ec2.internal failed with the following error message : The WinRM client cannot process the request. Unencrypted traffic is currently disabled in the client configuration. Change the client configuration and try the request again. For more information, see the about_Remote_Troubleshooting Help topic.
6/30/2024 10:44:47 PM: [Normal] Connecting to remote server ip-10-224-x-x.ec2.internal failed with the following error message : WinRM cannot process the request. The following error with error code 0x8009030e occurred while using Negotiate authentication: A specified logon session does not exist. It may already have been terminated.
 This can occur if the provided credentials are not valid on the target server, or if the server identity could not be verified.  If you trust the server identity, add the server name to the TrustedHosts list, and then retry the request. Use winrm.cmd to view or edit the TrustedHosts list. Note that computers in the TrustedHosts list might not be authenticated. For more information about how to edit the TrustedHosts list, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.



Cause

The root cause of these issues can be attributed to a combination of factors including:

  1. PowerShell Remoting (PS Remoting) Not Enabled: PS Remoting is essential for remote management and execution of PowerShell commands. If not enabled on both the client and server, it prevents the Assets Discovery tool from connecting and executing the patterns.

  2. Lack of Trust Between Client and Server: The errors suggest a lack of trust establishment between the client machine and the server hosting the assets. This is often due to the TrustedHosts list not including the target server or being misconfigured.

  3. Unencrypted Traffic Being Disabled: The WinRM client's default configuration to reject unencrypted traffic can cause connectivity issues, as indicated by the error messages.

  4. Authentication Configuration Issues: The use of incorrect authentication methods (e.g., Negotiate when Kerberos is unavailable and Basic Authentication not enabled) leads to failure in establishing a secure connection.

  5. Credentials Format Misuse: Using a username without specifying the domain can fail in contexts where domain information is crucial for authentication.


For additional troubleshooting verify the official documentation from Microsoft:  about_Remote_Troubleshooting


Solution


To address the issues encountered, the following steps are recommended. Make sure to execute this on both the Client and Server:

  1. Enable PowerShell Remoting: To ensure that PS Remoting is enabled, execute the following command in PowerShell on both the client and server.

    Enable-PSRemoting -Force

  2. Configure TrustedHosts: Add the domain or specific target hosts to the TrustedHosts list to establish trust between the client and server: 

    Set-Item WSMan:\localhost\Client\TrustedHosts -value *

    Recommendation

    For a security-focused approach, specify actual hostnames or IPs instead of using *.

  3. Enable Unencrypted Traffic: Allow unencrypted traffic:

    Set-Item -force WSMan:\localhost\Client\AllowUnencrypted $true
Set-Item -force WSMan:\localhost\Service\AllowUnencrypted $true

  4. Enable Digest Authorization: Enable Digest Authorization on both client and server: 

    Set-Item -force WSMan:\localhost\Client\Auth\Digest $true

  5. Enable Basic Authorization: Enable Basic Authorization on the server to allow for simple authentication: 

    Set-Item -force WSMan:\localhost\Service\Auth\Basic $true

Use Correct Credentials Format:

  • Ensure credentials are provided in the format DOMAIN\username to mitigate authentication issues.




Last modified on Jul 25, 2024

Was this helpful?

Yes
No
Provide feedback about this article

Related content

  • No related content found
Powered by Confluence and Scroll Viewport.