Microsoft DNS API: CimException: Access is denied

I have certify instance running on a local network and it is able to connect to the local dns server without issue to create the validation records for a wildcard domain. However, when doing a similar validation to that same dns server, but from a certify instance on a computer on a different network (via an ipsec tunnel) I get a CimException: Access is denied when certify attempts to connect to the dns server. Any tips would be appreciated.

It’s worth mentioning that there is no domain controller here. Both the working case and the failing case are using pass-thru authentication (matching username and password on all machines)

Hmm, sounds like you’re using the Windows DNS service. I’m afraid that DNS provider is user contributed and I can’t troubleshoot that for you. The Certify service runs as Local System which will appears as WORKGROUP\MACHINENAME$ (I think) when the machine makes a remote access request, so you probably need to allow that user somehow on the remote server.

You can also script DNS updates if you need to operate something outside of the Certify internals.

The simplest option is to use a public acme-dns server and use the acme-dns DNS validation option (this uses CNAME redirection to maintain the validation TXT records instead of updating your DNS directly). I also recommend investigating this like Cloudflare DNS or Route53 because these are easily automated.

yeah I did go the custom scripting route. Powershell:

[string]$Zone="", [string]$Record="", [string]$ValidationValue="asdfasdfasfasdf" #parameter defaults are just for testing

$currentPath = (Split-Path $script:MyInvocation.MyCommand.Path -parent)
Set-Location $currentPath

"Local Params:"


#$credential = Get-credential 
#$credential | Export-Clixml -Path .\RegisterDnsTestRecordsCred.xml
$credential = Import-Clixml -Path .\RegisterDnsTestRecordsCred.xml

$recordName = $Record.replace(".$Zone","");#Record includes the zone name so we have to take it out

$session = New-PSSession -ComputerName -EnableNetworkAccess -Authentication Credssp -Credential $credential 
Invoke-Command -Session $session { 
    [parameter(Mandatory)][string]$Zone, [parameter(Mandatory)][string]$RecordName, [parameter(Mandatory)][string]$ValidationValue
"Remote Params:"

Remove-DNSServerResourceRecord -RRType "Txt" -Name $RecordName -ZoneName $Zone -Force

Add-DnsServerResourceRecord -Txt -DescriptiveText $ValidationValue -Name $RecordName -ZoneName $Zone -AllowUpdateAny  -TimeToLive 00:05:00
} -ArgumentList $Zone,$recordName,$ValidationValue 

#Enable-WSManCredSSP -Role "Client" -DelegateComputer

#set-item wsman:localhost\client\trustedhosts -value *   
#Enable-WSManCredSSP -Role Client –DelegateComputer *

#Set-Item wsman:\localhost\Client\TrustedHosts -value         

And the .bat to call it:
powershell -File C:\data\CertificateValidation\RegisterDnsTestRecords.ps1 -Zone %4 -Record %2 -ValidationValue %3

I didn’t realize until after, that there is a space for an additional delete script as well. At the moment this script clears the record before adding it again with the new value. It does error on the first run, but works fine after that.

1 Like