Is there a way to use a managed service account (msDS-GroupManagedServiceAccount) to connect to Exchange via PowerShell? Our scenario is as follows: We have a service component written in C# that connects to Exchange via Remote PowerShell. The service component runs as a managed service account.
The call to New-PSSession is as follows:
New-PSSession -Configurationname Microsoft.Exchange -ConnectionUri "http://server/powershell" -Authentication Kerberos -AllowRedirection -ErrorAction Stop
As you can see, a credential is not specified, so the credential that is sent to the Exchange server is the credential of the current user (which seems to work when looking at the returned error message). The result is the following error:
Processing data from remote server failed with the following error message: [ClientAccessServer=...,BackEndServer=...,RequestId=...,TimeStamp=...] [AuthZRequestId=6c727005-565b-4019-855f-657ae6b86ee7][FailureCategory=AuthZ-CmdletAccessDeniedException] The operation couldn't be performed because 'domain\account$' couldn't be found.
domain\account$ shows the correct login of the managed service account.
The event log of the Exchange server also states:
Source: "MSExchange RBAC", Event ID: 16): (Process w3wp.exe, PID 8980) "RBAC authorization returns Access Denied for user domain\account$ (SID=S-...). Reason: User was not found on Domain Controller XYZ.
I currently suspect that the RBAC "component" explicitly looks for objects of type 'user' in Active Directory but not for msDS-GroupManagedServiceAccount objects, so I wonder if this is supported at all.
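An added triage example, not part of the original post: it parses the error text quoted above to show which stage rejected the session and for which account, then, if the ActiveDirectory module is available, reports the object class the directory holds for that account so it can be set beside the hypothesis in the question. The function name `ConvertFrom-ExchangeRemoteError`, its output property names, and the reading of the `FailureCategory` prefix as the rejecting stage are assumptions made for this example.

```powershell
# Added example: function and property names are hypothetical, not an Exchange API.
function ConvertFrom-ExchangeRemoteError {
    param([Parameter(Mandatory)][string]$Message)

    $result = [ordered]@{
        FailureCategory = $null
        Stage           = 'Unknown'
        AuthZRequestId  = $null
        Account         = $null
    }
    if ($Message -match '\[FailureCategory=(?<cat>[^\]]+)\]') {
        $result.FailureCategory = $Matches['cat']
        # Assumption: the text before the first '-' names the stage (here "AuthZ")
        $result.Stage = ($Matches['cat'] -split '-', 2)[0]
    }
    if ($Message -match '\[AuthZRequestId=(?<id>[0-9a-fA-F-]{36})\]') {
        $result.AuthZRequestId = $Matches['id']
    }
    if ($Message -match "'(?<acct>[^']+)' couldn't be found") {
        $result.Account = $Matches['acct']
    }
    [pscustomobject]$result
}

# Sample input: the error message as quoted in the post (elided fields left elided)
$sample = @'
Processing data from remote server failed with the following error message: [ClientAccessServer=...,BackEndServer=...,RequestId=...,TimeStamp=...] [AuthZRequestId=6c727005-565b-4019-855f-657ae6b86ee7][FailureCategory=AuthZ-CmdletAccessDeniedException] The operation couldn't be performed because 'domain\account$' couldn't be found.
'@

$failure = ConvertFrom-ExchangeRemoteError -Message $sample
$failure | Format-List

# Optional: runs only where the ActiveDirectory module is installed and a DC is reachable.
# Shows the object class stored for the account named in the error.
if ($failure.Account -and (Get-Command Get-ADObject -ErrorAction SilentlyContinue)) {
    $sam = ($failure.Account -split '\\', 2)[-1]   # strip the "domain\" prefix
    Get-ADObject -Filter "sAMAccountName -eq '$sam'" -Properties sAMAccountName, objectSid |
        Select-Object sAMAccountName, ObjectClass, objectSid, DistinguishedName
}
```

The `AuthZRequestId` it extracts can be used to match the client-side error to the corresponding "MSExchange RBAC" event on the server.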