.ps1 AuthorizationManager check failed


#1

Hello, I’m trying to execute a powershell script (NTP time offset check) that is located on a network file server. However, I’m getting the error provided in the subject line when I initiate the NRPE check from Nagios monitoring server. The call is made to the windows 2008R2sp1 server I’m monitoring that has NSclient++ 0.5.0061. Windows server has a check defined inside nslient.ini that is calling PS1 script located on UNC share. Here is a complete error message:

$/usr/lib/nagios/plugins/check_nrpe -H 10.202.15.101 -n -c check_time -a 10.202.3.13 1 5 "\\10.202.26.100\nagios\lotp_check_time.ps1" : AuthorizationManager check failed. At line:1 char:1

  • \\10.202.26.100\nagios\lotp_check_time.ps1; exit($LastExitCode)
  •   + CategoryInfo          : SecurityError: (:) [], PSSecurityException
      + FullyQualifiedErrorId : UnauthorizedAccess
    
    

I have both 32-bit and 64-bit powershell version 5 scopes set to either ‘unrestricted’ or ‘bypass’ to eliminate any script blocking:

Get-ExecutionPolicy -list

    Scope ExecutionPolicy
    ----- ---------------

MachinePolicy Unrestricted UserPolicy Unrestricted Process Bypass CurrentUser Bypass LocalMachine Bypass

Get-Variable PSHOME

Name Value


PSHOME C:\Windows\System32\WindowsPowerShell\v1.0

get-host

Name : ConsoleHost Version : 5.0.10586.117 InstanceId : 29b15343-141d-403d-9cf9-f1fbd6bd4b17 UI : System.Management.Automation.Internal.Host.InternalHostUserInterface CurrentCulture : en-US CurrentUICulture : en-US PrivateData : Microsoft.PowerShell.ConsoleHost+ConsoleColorProxy DebuggerEnabled : True IsRunspacePushed : False Runspace : System.Management.Automation.Runspaces.LocalRunspace

Here is the 32-bit PS environment details:

Get-ExecutionPolicy -list

    Scope ExecutionPolicy
    ----- ---------------

MachinePolicy Unrestricted UserPolicy Unrestricted Process Bypass CurrentUser Bypass LocalMachine Bypass

Get-Variable PSHOME

Name Value


PSHOME C:\Windows\SysWOW64\WindowsPowerShell\v1.0

PS C:\Windows\system32> get-host

Name : ConsoleHost Version : 5.0.10586.117

Here is my nsclient.ini script section definition: … [/settings/external scripts/scripts] check_time = cmd /c echo \\10.202.26.100\nagios\lotp_check_time.ps1; exit($LastExitCode) | powershell.exe -command -

I tried to re-define the command passing ‘bypass’ execution policy on the same line like this without any luck: [/settings/external scripts/scripts] check_time = cmd /c echo \\10.202.26.100\nagios\lotp_check_time.ps1; exit($LastExitCode) | powershell.exe -NonInteractive -InputFormat None -ExecutionPolicy Bypass -command -

What else can I try to get this to work?

Thank you! —R


#2

UPDATE - When running NSCP in “TEST” mode I can call the script just fine:

C:\Program Files\NSClient++>nscp service --stop Stopping service.

C:\Program Files\NSClient++>nscp test L client Module: CommandClient L client Command: L client Extra Query: L client Mode: 3 L client Boot: 1 L client Load All: 0 L client Warning module and boot specified only THAT module will be loaded L client Arguments: D core NSClient++ 0.5.0.61 2016-09-08 x64 Loading settings and logger… D core Settings not ready so we cant lookup: base-path D core Settings not ready so we cant lookup: exe-path D settings Boot.ini found in: C:\Program Files\NSClient++/boot.ini D core Settings not ready so we cant lookup: shared-path D settings Activating: ini://${shared-path}/nsclient.ini D settings Creating instance for: ini://${shared-path}/nsclient.ini D core Settings not ready so we cant lookup: shared-path D settings Loading: C:\Program Files\NSClient++/nsclient.ini D core NSClient++ 0.5.0.61 2016-09-08 x64 booting… D core Booted settings subsystem… D core On crash: restart: NSCP D core Archiving crash dumps in: C:\Program Files\NSClient++/crash-dumps D core booting::loading plugins D core Found: CheckDisk D core Found: CheckEventLog D core Found: CheckExternalScripts D core Found: CheckHelpers D core Found: CheckNSCP D core Found: CheckSystem D core Found: NRPEServer D core Found: NSCAClient D core Found: NSClientServer D core C:\Program Files\NSClient++/modules\CheckDisk.dll.dll D core adding C:\Program Files\NSClient++/modules\CheckDisk.dll D core C:\Program Files\NSClient++/modules\CheckEventLog.dll.dll D core adding C:\Program Files\NSClient++/modules\CheckEventLog.dll D core C:\Program Files\NSClient++/modules\CheckExternalScripts.dll.dll D core adding C:\Program Files\NSClient++/modules\CheckExternalScripts.dll

D core C:\Program Files\NSClient++/modules\CheckHelpers.dll.dll D core adding C:\Program Files\NSClient++/modules\CheckHelpers.dll D core C:\Program Files\NSClient++/modules\CheckNSCP.dll.dll D core adding C:\Program Files\NSClient++/modules\CheckNSCP.dll D core C:\Program Files\NSClient++/modules\CheckSystem.dll.dll D core adding C:\Program Files\NSClient++/modules\CheckSystem.dll D core C:\Program Files\NSClient++/modules\NRPEServer.dll.dll D core adding C:\Program Files\NSClient++/modules\NRPEServer.dll D core C:\Program Files\NSClient++/modules\NSCAClient.dll.dll D core adding C:\Program Files\NSClient++/modules\NSCAClient.dll D core C:\Program Files\NSClient++/modules\NSClientServer.dll.dll D core adding C:\Program Files\NSClient++/modules\NSClientServer.dll D core Loading plugin: CheckDisk D core Loading plugin: CheckEventLog D core Loading plugin: CheckExternalScripts E ext-script Path was not found: C:\Program Files\NSClient++"C:\Program Files\N SClient++ c:\source\master\modules\CheckExternalScripts\CheckExternalS cripts.cpp:60 D core Loading plugin: CheckHelpers D core Loading plugin: CheckNSCP D check_nscp Crash folder is: C:\Program Files\NSClient++/crash-dumps D core Loading plugin: CheckSystem D core Loading plugin: NRPEServer D nrpe Allowed hosts definition: 10.10.22.100(255.255.255.255), 10.203.5.1 43(255.255.255.255), 10.203.3.36(255.255.255.255), 10.201.3.0(255.255.255.0) D nrpe Server config: address: :5666, ssl disabled D w32system Loading counter: disk_queue_length_0 C: = \CEAPP01-STG-DR\Physical Disk(0 C:)% Disk Time D w32system Loading counter: disk_queue_length_1 Y: = \CEAPP01-STG-DR\Physical Disk(1 Y:)% Disk Time D w32system Loading counter: disk_queue_length__Total = \CEAPP01-STG-DR\Physic alDisk(_Total)% Disk Time D nrpe Binding to: [::]:5666(ipv6) D nrpe Attempting to bind to: [::]:5666(ipv6) D nrpe Binding to: 0.0.0.0:5666(ipv4), reopen: true, reuse: true D nrpe Attempting to bind to: 0.0.0.0:5666(ipv4) D core Loading plugin: NSCAClient D core Loading plugin: NSClientServer D check_nt Allowed hosts definition: 10.10.22.100(255.255.255.255), 10.203.5.1 43(255.255.255.255), 10.203.3.36(255.255.255.255), 10.201.3.0(255.255.255.0) D check_nt Binding to: [::]:12489(ipv6) D check_nt Attempting to bind to: [::]:12489(ipv6) D check_nt Binding to: 0.0.0.0:12489(ipv4), reopen: true, reuse: true D check_nt Attempting to bind to: 0.0.0.0:12489(ipv4) D core NSClient++ - 0.5.0.61 2016-09-08 Started! D core C:\Program Files\NSClient++/modules\CommandClient.dll.dll D core adding C:\Program Files\NSClient++/modules\CommandClient.dll D core Loading plugin: CommandClient… D cli Enter command to execute, help for help or exit to exit…

D nrpe Accepting connection from: 10.201.3.17, count=1 D ext-script Command line: cmd /c echo \\10.202.26.100\nagios\lotp_check_tim e.ps1; exit($LastExitCode) | powershell.exe -NonInteractive -InputFormat None -E xecutionPolicy Bypass -command - L cli Ctrl+c is not exit… D core Attempting to stop all plugins D core Stopping all plugins D core Unloading plugin: CheckDisk… D core Unloading plugin: CheckEventLog… D core Unloading plugin: CheckExternalScripts… D core Unloading plugin: CheckHelpers… D core Unloading plugin: CheckNSCP… D core Unloading plugin: CheckSystem… D core Unloading plugin: NRPEServer… D core Unloading plugin: NSCAClient… D core Unloading plugin: NSClientServer… D core Unloading plugin: CommandClient… D core Stopping: COM helper D core Stopping: Settings instance Done

C:\Program Files\NSClient++>

On Nagios monitoring server: [[email protected] objects]$/usr/lib/nagios/plugins/check_nrpe -H 10.202.15.101 -n -c check_time -a 10.202.3.13 1 5 OK:+00.0207788s - checked against DC02-DR.enservioprod.local|‘offset’=0.02077s;1;5

Once I stop test mode and start up NSCP as a service (‘Log on’/loaded via Local System account) getting same “UnauthorizedAccess” error: [[email protected] objects]$/usr/lib/nagios/plugins/check_nrpe -H 10.202.15.101 -n -c check_time -a 10.202.3.13 1 5 \\10.202.26.100\nagios\lotp_check_time.ps1 : AuthorizationManager check failed. At line:1 char:1

  • \\10.202.26.100\nagios\lotp_check_time.ps1; exit($LastExitCode)
  •   + CategoryInfo          : SecurityError: (:) [], PSSecurityException
      + FullyQualifiedErrorId : UnauthorizedAccess 
    
    

The permissions on the “\\10.202.26.100\nagios\” share is - Everyone = Full control. Changing ‘Log on’ for NSCP service to use a non ‘local system’ domain account does not work either (even granted the test domain user membership in the ‘Domain Admins’ group w/o luck). Not working in non-test still - PLEASE HELP!

Thanks, —Roman