27

I am trying to use PowerShell Remoting to check some disk sizes from a Server in a remote domain, but the commands I am running are failing to work.

The situation is like this:

  • Source Server is in Domain A
  • Destination Server is in Domain B
  • There is no trust in place between these domains

The Server in Domain B is running Exchange 2010, and I can run Exchange 2010-specific commands against it from Server A using this command:

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri $ConnectionURI -Credential $Credentials -Authentication Basic
Import-PSSession $Session

The problem is that I can't run any non-Exchange commands against this server using this session; if I try, it says that it can't understand the commands. I've checked, and running Get-Command with Invoke-Command and the -Session variable set to my established session only returns Exchange commands.

So I thought I'd try to use Invoke-Command and the relevant ComputerName, Authentication type and Credentials, but this is failing:

Invoke-Command -ScriptBlock {Get-Service} -ComputerName "Servername.destination.com" -Credential $Credentials -Authentication "Basic"

This is the error:

[servername.destination.com] Connecting to remote server failed with the following error message : The WinRM client can
not process the request. The authentication mechanism requested by the client is not supported by the server or unencry
pted traffic is disabled in the service configuration. Verify the unencrypted traffic setting in the service configurat
ion or specify one of the authentication mechanisms supported by the server.  To use Kerberos, specify the computer nam
e as the remote destination. Also verify that the client computer and the destination computer are joined to a domain.
To use Basic, specify the computer name as the remote destination, specify Basic authentication and provide user name a
nd password. Possible authentication mechanisms reported by server:     Negotiate Kerberos For more information, see th
e about_Remote_Troubleshooting Help topic.
    + CategoryInfo          : OpenError: (:) [], PSRemotingTransportException
    + FullyQualifiedErrorId : PSSessionStateBroken

So I go into the WSMAN config on the Target server and set the relevant settings for allowing Basic Auth and an unencrypted connection:

cd WSMan:\localhost\Service
Set-Item AllowUnencrypted $True
cd .\Auth
Set-Item Basic $True

I also have added the Destination server into the Trusted Hosts of the Source domain server:

cd WSMan:\localhost\Client
Set-Item TrustedHosts servername.destination.com

After doing so, the error changes, but it's not very helpful:

PS WSMan:\localhost\Client> Invoke-Command -ScriptBlock {Get-Service} -ComputerName "servername.destination.com" -Creden
tial $Credentials -Authentication "Basic"
[servername.destination.com] Connecting to remote server failed with the following error message : Access is denied. Fo
r more information, see the about_Remote_Troubleshooting Help topic.
+ CategoryInfo          : OpenError: (:) [], PSRemotingTransportException
+ FullyQualifiedErrorId : PSSessionStateBroken

I have also tried using Domain Admin credentials, via -Credential (Get-Credential), but this is failing with the same problem.

The user I am trying to use is a member of the local Admins users on the server in question, so the permissions should already be set on the PSSessionConfiguration containers.

I would love any further pointers with this! I would just use WMI but it's not enabled through the firewalls at the moment.

HungryHippos
  • You could try enter-PSsession with the computerName parameter set, which takes a PScredential. Dunno that it'll work any better, but maybe you get a helpfully different error. – noam Jan 03 '13 at 06:11
  • Enter-PSSession was giving me the same error yesterday when I tried it. Wonder if there is any logging or anything I can check for more details? – HungryHippos Jan 03 '13 at 09:21
  • FWIW, remoting worked for me across untrusted domains from a 2003 Server to a 2008R2 target. On the target, ran enable-psRemoting and for some reason had to click A for All when Y for yes kept throwing the same prompt. On the source, ran enter-psSession -comp target.domain.tld -credential (get-credential) ...and entered creds in domain\username format when prompted. JIC it helps. – noam Jan 03 '13 at 23:25
  • Well, strange as it sounds, it worked fine after I dropped the -Authentication switch totally. It didn't like Basic at all, but just letting it do its own thing works for me. – HungryHippos Jan 07 '13 at 13:55
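
The question switched on Basic authentication and unencrypted traffic on the target, and the last comment reports that the default authentication worked instead. The following is an added example, not code from the original posts: it turns those two service settings back off and runs the disk-size check over the default (Negotiate) authentication. The `Get-WmiObject` query is an assumption about what "disk sizes" means here and assumes Windows PowerShell on the target.

```powershell
# --- On the target server (Domain B), in an elevated session:
# --- report the two settings the question enabled and switch them back off.
$settings = 'WSMan:\localhost\Service\AllowUnencrypted',
            'WSMan:\localhost\Service\Auth\Basic'
foreach ($path in $settings) {
    $value = (Get-Item -Path $path).Value      # the provider returns 'true' or 'false'
    if ($value -eq 'true') {
        Write-Warning "$path is enabled; disabling it"
        Set-Item -Path $path -Value $false -Force
    } else {
        Write-Output "$path = $value"
    }
}

# --- On the source server (Domain A):
# --- TrustedHosts stays set as in the question, because Kerberos is not
# --- available without a trust. With no -Authentication switch the client
# --- uses Negotiate, and WinRM encrypts the message payload even over HTTP.
$target = 'servername.destination.com'         # host name from the question
$cred   = Get-Credential                       # enter as domain\username

Invoke-Command -ComputerName $target -Credential $cred -ScriptBlock {
    # Runs locally on the target, so the WMI firewall rules between the
    # two networks do not matter.
    Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType = 3' |
        Select-Object DeviceID,
            @{ n = 'SizeGB'; e = { [math]::Round($_.Size / 1GB, 1) } },
            @{ n = 'FreeGB'; e = { [math]::Round($_.FreeSpace / 1GB, 1) } }
}
```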

2 Answers

24

Had similar problems recently. Would suggest you carefully check if the user you're connecting with has proper authorizations on the remote machine.

You can review permissions using the following command.

Set-PSSessionConfiguration -ShowSecurityDescriptorUI -Name Microsoft.PowerShell

Found this tip here (updated link, thanks "unbob"):

https://devblogs.microsoft.com/scripting/configure-remote-security-settings-for-windows-powershell/

It fixed it for me.

Olivier Boudry
3

Running the command prompt or Powershell ISE as an administrator fixed this for me.

Cirem
  • 1
    This fixed my issues when I was running Invoke-Command and referring to localhost. Was quite amused. Thanks! – James Ruskin Nov 10 '14 at 12:19
  • 3
    I resolved that by adding the user to the Remote Management Users group. – Der_Meister Mar 24 '17 at 11:34
  • *Der_Meister* Thanks, it worked. Perhaps only the built-in `Administrator` account can bypass the UAC barrier under the default Security Policy setting. Other `Administrators` accounts are forced to acquire a [Restricted Token](https://docs.microsoft.com/en-us/windows/win32/secauthz/restricted-tokens) (having `Users` instead of `Administrators`). Their accounts are just normal `Users` until privilege elevation occurs. Therefore we need to put their normal `Users` account into the `Remote Management Users` group first. – kenjiuno Jun 01 '20 at 02:39
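
The permission review from the first answer and the group-membership fix from the comments can both be checked from the console, without the GUI dialog. This is an added example, not code from the posts; `DOMAINB\remoteuser` is a hypothetical account name, and `Get-LocalGroupMember` assumes Windows PowerShell 5.1 on the target.

```powershell
# Run elevated on the target server.
$account = 'DOMAINB\remoteuser'   # hypothetical; use the account you connect with

# 1. Read the endpoint ACL from its SDDL instead of opening the GUI dialog.
$config  = Get-PSSessionConfiguration -Name Microsoft.PowerShell
$allowed = @()
if ($config.SecurityDescriptorSddl) {
    $sd = New-Object -TypeName System.Security.AccessControl.CommonSecurityDescriptor `
                     -ArgumentList $false, $false, $config.SecurityDescriptorSddl
    $allowed = @(foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -ne 'AccessAllowed') { continue }
        try   { $ace.SecurityIdentifier.Translate([Security.Principal.NTAccount]).Value }
        catch { $ace.SecurityIdentifier.Value }   # SID that does not resolve: show it raw
    })
}

# 2. Direct members of the two local groups discussed on this page.
$groups = @{
    'S-1-5-32-544' = 'Administrators'
    'S-1-5-32-580' = 'Remote Management Users'   # absent on older Windows versions
}
$membership = @{}
foreach ($sid in $groups.Keys) {
    $members = @(Get-LocalGroupMember -SID $sid -ErrorAction SilentlyContinue |
                 Select-Object -ExpandProperty Name)
    $membership[$groups[$sid]] = $members -contains $account
}

# 3. Summary. Nested membership (a domain group inside a local group)
#    is not expanded here, so a False can still mean indirect membership.
[pscustomobject]@{
    Account                 = $account
    EndpointAllowedTrustees = $allowed -join '; '
    InAdministrators        = $membership['Administrators']
    InRemoteManagementUsers = $membership['Remote Management Users']
}
```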