PowerShell Post-Request Script works on TEST but no during renewal


First off, excellent work on this application. I have found it incredibly useful and it was very intuitive to get started. Thank you!

I have a Post-Request script that does two main functions:

First in starts a transcript to log the output:
Start-Transcript -Path “$PSScriptRoot$($iso8601)_CertifyPost-DIRECTACCESS_Transcript.txt”

Then in imports the certificate into Windows Remote Access:
$Cert = Get-ChildItem -Path cert:\localmachine\my | Where-Object Thumbprint -eq $result.ManagedItem.CertificateThumbprintHash
Set-RemoteAccess -SslCertificate $Cert -Verbose

Everything works as expected when I hit the TEST button next to the script. However, when I renew the certificate, the Transcript log is created with the header, but there is no captured output. Also, the certificate is not installed in Remote Access.

The only difference that I can see (from the Transcript) is that the the script is running as the logged in user when I hit the TEST button, but it is running as SYSTEM when it runs automatically. I am guessing this is because the Service is running as the SYSTEM account. I was going to try to switch the user account for the Service but I wasn’t sure if that would have any negative effects, plus I would prefer not to.

Any thoughts?

Yes the request/renewal will run your script as the background service, which by default is local system. So for that reason you may need to esnure that Local System has access to the Cmdlets your script uses (you can runas Local System using psexec for testing).

Some users prefer to have their script just write out the data or commands they need, then have a scheduled task run as the required user later to get the latest certificate applied, that way they control both the executing user and the time when the script will be applied. Future versions will have a ‘run as’ option for powershell scripts.

I don’t recommend changing the user for the background service as Local System is very well tested and the boundaries for required permissions vary depending on what features you are exercising while using the app, certificates in particular are prone to weird/complex permission interactions when storing and encrypting private keys. You can try it but if it fails (transient key/permissions etc) you’ll need to replace your certificates to get them working again.