Devolutions ForumDevolutions Forum

Error starting gRPC call on certain roles

Error starting gRPC call on certain roles

avatar
dj

We have roles setup for different user bases that are just setup to look if they are members of groups in Entra since we use SSO. For one of our groups/roles (BadRole), when they go to a page that they are allowed to go to, they get the following error:

One or more errors occurred
Status(StatusCode="Internal", Detail="Error starting gRPC call. HttpRequestException: Requesting HTTP version 2.0 with version policy RequestVersionExact while unable to establish HTTP/2 connection.", DebugException="System.Net.Http.HttpRequestException: Requesting HTTP version 2.0 with version policy RequestVersionExact while unable to establish HTTP/2 connection.")


When I go to the page as my administrator role, it works fine:



It's a simple form that doesn't checking of roles or do any permission specific lookups:

New-UDGrid -Item -ExtraSmallSize 3 -Content {
$Session:RNOutput = 'None'
New-UDForm -SubmitText "View Info" -ButtonVariant contained -Content {
New-UDTextbox -Id "RNLocID" -Placeholder "LocID" -Label "LocID"
New-UDSelect -Label "Select a Page" -Id "TableSelect" -Option {
New-UDSelectOption -Name "SiteMain" -Value "SiteMain"
New-UDSelectOption -Name "Location" -Value "Location"
New-UDSelectOption -Name "Equipment" -Value "Equipment"
New-UDSelectOption -Name "Circuits" -Value "Circuits"
New-UDSelectOption -Name "Phone Lines" -Value "Phones"
New-UDSelectOption -Name "Work Orders" -Value "WorkOrders"
New-UDSelectOption -Name "Employees" -Value "Employees"
New-UDSelectOption -Name "AV" -Value "AV"
} -DefaultValue "SiteMain"
} -OnValidate {
$FormContent = $EventData

if ($FormContent.RNLocID -eq $null -or $FormContent.RNLocID -eq '')
{
New-UDFormValidationResult -ValidationError "The LocID is required"
}
Else
{
New-UDFormValidationResult -Valid
}
} -OnSubmit {
Invoke-UDRedirect -Url "/OurSite/$($EventData.RNLocID)/$($EventData.TableSelect)"
}
}

The UDPage has this at the top:

New-UDPage -Url "/OurSite" -Name "OurSite" -Role @('Administrator', 'BadRole') -Content { ...

There is nothing the PSU logs at the time of loading the page, we do not use a proxy internally and we do have our site behind a load balancer. We did however, test going directly to the PSU servers (we have 2) and not thru the load balancer and the issue still remained. We are currently on version 2026.1.6 and tested it on 2026.2 in our QA environment with the same issue. Any ideas?

1f1d6766-b3dd-47f2-8f47-761ad80b64b6.png

7c0de680-78a8-4454-abc1-cfeb3c68e3d4.png

All Comments (1)

avatar
rubentapia
We have roles setup for different user bases that are just setup to look if they are members of groups in Entra since we use SSO. For one of our groups/roles (BadRole), when they go to a page that they are allowed to go to, they get the following error:

One or more errors occurred
Status(StatusCode="Internal", Detail="Error starting gRPC call. HttpRequestException: Requesting HTTP version 2.0 with version policy RequestVersionExact while unable to establish HTTP/2 connection.", DebugException="System.Net.Http.HttpRequestException: Requesting HTTP version 2.0 with version policy RequestVersionExact while unable to establish HTTP/2 connection.")

7c0de680-78a8-4454-abc1-cfeb3c68e3d4
When I go to the page as my administrator role, it works fine:

1f1d6766-b3dd-47f2-8f47-761ad80b64b6

It's a simple form that doesn't checking of roles or do any permission specific lookups:

New-UDGrid -Item -ExtraSmallSize 3 -Content {
$Session:RNOutput = 'None'
New-UDForm -SubmitText "View Info" -ButtonVariant contained -Content {
New-UDTextbox -Id "RNLocID" -Placeholder "LocID" -Label "LocID"
New-UDSelect -Label "Select a Page" -Id "TableSelect" -Option {
New-UDSelectOption -Name "SiteMain" -Value "SiteMain"
New-UDSelectOption -Name "Location" -Value "Location"
New-UDSelectOption -Name "Equipment" -Value "Equipment"
New-UDSelectOption -Name "Circuits" -Value "Circuits"
New-UDSelectOption -Name "Phone Lines" -Value "Phones"
New-UDSelectOption -Name "Work Orders" -Value "WorkOrders"
New-UDSelectOption -Name "Employees" -Value "Employees"
New-UDSelectOption -Name "AV" -Value "AV"
} -DefaultValue "SiteMain"
} -OnValidate {
$FormContent = $EventData

if ($FormContent.RNLocID -eq $null -or $FormContent.RNLocID -eq '')
{
New-UDFormValidationResult -ValidationError "The LocID is required"
}
Else
{
New-UDFormValidationResult -Valid
}
} -OnSubmit {
Invoke-UDRedirect -Url "/OurSite/$($EventData.RNLocID)/$($EventData.TableSelect)"
}
}

The UDPage has this at the top:

New-UDPage -Url "/OurSite" -Name "OurSite" -Role @('Administrator', 'BadRole') -Content { ...

There is nothing the PSU logs at the time of loading the page, we do not use a proxy internally and we do have our site behind a load balancer. We did however, test going directly to the PSU servers (we have 2) and not thru the load balancer and the issue still remained. We are currently on version 2026.1.6 and tested it on 2026.2 in our QA environment with the same issue. Any ideas?


@dj

Hi DJ,

Thanks for the detailed information and the screenshots.

Based on the error, I would first separate the page/form logic from the internal PSU connectivity path. The page code itself does not immediately point to a role-specific issue, but the gRPC error indicates PSU is trying to make an HTTP/2 call and cannot establish the HTTP/2 connection.

A few things I would check first:

1. Please confirm how PSU is hosted in this environment: Windows Service, IIS, Docker, or another hosting model.

2. Please review the `Api.Url` value in `appsettings.json` on both PSU nodes. Even if you browse directly to a node, PSU may still use this value internally when it needs to call back into the server. In HA or reverse proxy scenarios, this should point to a stable URL that the PSU host itself can reach.

3. Please check whether the Kestrel `Protocols` configuration has been changed. PSU normally listens on HTTP1 and HTTP2, but if the listener is restricted to HTTP1, gRPC calls can fail with this type of message.

4. Since this appears role-specific, please test with a temporary role such as `BadRoleTest` using a simple policy that returns `$true`, then assign that role to the same page and test with the affected user. If that works, the next focus would be the original role policy or Entra group claims. If it fails the same way, the focus would move back to the app/runtime/gRPC path rather than the role logic itself.

5. If possible, please share a sanitized copy of the `BadRole` and `Administrator` role definitions, the relevant sanitized `appsettings.json` values from both nodes, and whether the affected user belongs only to `BadRole` or to multiple PSU roles.

References:
https://docs.powershelluniversal.com/config/settings
https://docs.powershelluniversal.com/config/hosting
https://docs.powershelluniversal.com/config/hosting/high-availability
https://docs.powershelluniversal.com/config/hosting/reverse-proxy

Best regards,

Ruben Tapia