New pssession connecting to remote server failed with the following error message


    PS C:\Users\$TADINTEG> $proxysettings = New-PSSessionOption -ProxyAccessType IEConfig
    
    PS C:\Users\$TADINTEG> $creds = Get-Credential
    cmdlet Get-Credential at command pipeline position 1
    Supply values for the following parameters:
    
    PS C:\Users\$TADINTEG> $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $Creds -Authentication Basic -AllowRedirection -SessionOption $proxysettings
    New-PSSession : [outlook.office365.com] Connecting to remote server outlook.office365.com failed with the following error message : The server certificate on the destination computer (outlook.office365.com:443) has the following errors: 
    The SSL certificate could not be checked for revocation. The server used to check for revocation might be unreachable. For more information, see the about_Remote_Troubleshooting Help topic.
    At line:1 char:12
    + $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri ht ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotingTransportException
        + FullyQualifiedErrorId : 12175,PSSessionOpenFailed
    

    I am trying to connect to Office 365, got the above exception, need help!!!!

    • Moved by

      Thursday, January 31, 2019 4:31 AM
      relocate

I am attempting to establish a PowerShell session to run several Exchange commands against an Exchange server on the localhost. I keep getting the following error:

New-PSSession : [<HOSTNAME>] Connecting to remote server <HOSTNAME> failed with the following error message
: Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:12
+ $session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri 'h ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotin
   gTransportException
    + FullyQualifiedErrorId : AccessDenied,PSSessionOpenFailed

My code is a copy-paste from the Microsoft Technet Article. It works against a remote machine, but anytime I target the machine I am running from, I get the above error.

What I’ve tried so far:

  1. Checked the about_remote_troubleshooting help topic. Nothing in there relating to Access Denied errors worked.
  2. Targeted remote machines using the same credentials as received the Access Denied error. (Connected without issue)
  3. Verified that my PowerShell session is running as Administrator. (It is)
  4. Verified that the Exchange Management Shell is able to launch successfully. (It is)
  5. Tried without credentials to see if that would work. (It didn’t)
  6. Checked net use and net session to make sure I didn’t have a weird multiple connections with the same credentials issue. (I didn’t see anything to indicate that)
  7. Tried this both from the script that is causing issues and by typing the commands into a powershell console by hand. (got the same results both ways. Yay for consistency)
  8. Tried this on multiple systems. (Same result everywhere)

Some quick notes:

  • This is Exchange 2013 running on Windows Server 2012. It’s a basic installation, just a test environment that has very little data and minimal configuration beyond installing and enabling remoting.
  • The Credentials used were for the domain admin, which also has the necessary Exchange permissions to do whatever I need to do. I.e., so long as I target a machine that is not the one I am running from, I have no issues whatsoever, with nothing else changing about the way I am connecting. Additionally, this is a test domain where the domain admin’s access hasn’t been restricted or tweaked in any way, so it should have total and complete access to everything.

The specific commands I am entering are:

$cred = Get-Credential
$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri 'http://<HOSTNAME>/Powershell' -Credential $cred

Is connecting to the localhost like this something that I should be able to do? Or is it just not supported?

I am at a complete loss at this point. Any help, even to point me in the right direction, would be greatly appreciated.

EDIT: I should add, I’ve attempted connecting to this localhost from a different machine, using the same commands as above, and it worked without issue. So, I don’t think it is a local configuration issue.

In a previous blog I explained how to enable MFA for Admin accounts. This is a great security solution, but unfortunately it breaks Remote PowerShell for Exchange Online.
When you try to connect to Exchange Online using the following commands:

$Cred= Get-Credential
$Session= New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/PowerShell-LiveID -Credential $Cred -Authentication Basic -AllowRedirection

It fails with the following error message:

New-PSSession : [outlook.office365.com] Connecting to remote server outlook.office365.com failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:11
+ $Session= New-PSSession -ConfigurationName Microsoft.Exchange -Connec …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OpenError: (System.Manageme….RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotingTransportException
+ FullyQualifiedErrorId : AccessDenied,PSSessionOpenFailed

As shown in the following screenshot:

[Screenshot: connecting-failed]

To overcome this issue, Microsoft has a special Exchange Online PowerShell module that supports Multi Factor Authentication. You can download this from the Exchange Admin Center in Exchange Online by selecting hybrid in the navigation pane as shown in the following screenshot:

[Screenshot: MFA-Portal]

Click Configure followed by Open to download and start the setup application. Click Install to continue. The Exchange Online PowerShell module will be automatically installed in seconds and when finished it will automatically open a PowerShell window as shown in the following screenshot:

[Screenshot: EXO-PSSession]

You can now use the Connect-EXOPSSession -UserPrincipalName admin@tenant.onmicrosoft.com command to log on to Remote PowerShell. A separate window will be opened requesting your tenant credentials, followed by the MFA option you’ve configured.

If all is entered correctly the Remote PowerShell for Exchange Online is opened with MFA enabled.

Microsoft UC Specialist


@KaloferovLab

Steps to reproduce

From Linux to Win:

enter-PSSession -ConfigurationName powershell.6.1.0-preview.1

Expected behavior

Enter the pssession on the Windows box. Same error when I try to create new pssession on the Windows box.

Actual behavior

Error

New-PSSession : MI_RESULT_ACCESS_DENIED
At line:1 char:1
Enter-PSSession -ComputerName <IP> -Credential <username>
  + CategoryInfo          : InvalidOperation: (:) [New-PSSession], PSInvalidOperationException
  + FullyQualifiedErrorId : InvalidOperation,Microsoft.PowerShell.Commands.NewPSSessionCommand

Environment data

Windows server:

Name                           Value
----                           -----
PSVersion                      6.1.0-preview.1
PSEdition                      Core
GitCommitId                    v6.1.0-preview.1
OS                             Microsoft Windows 10.0.14393
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Linux Server:

Name                           Value
----                           -----
PSVersion                      6.1.0-preview.1
PSEdition                      Core
GitCommitId                    v6.1.0-preview.1
OS                             Linux 3.10.0-514.e17.x86_64 #1 SMP Tue Nov 22 16:42:41 UTC 2016
Platform                       Unix
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

The alpha version of the plugin didn’t support PSCredential Object and WinRM. Does it support them now?
Found this from last year.
#5742
Does cross platform remoting work now in 6.1.0?

@iSazonov

added the Issue-Question label Apr 13, 2018

@SteveL-MSFT

@KaloferovLab remoting over WSMan is supported, but much more limited than what you get with Windows and WinRM. From Linux, you should use -Credential as unlike Windows you can’t use the current security context. Also, use -Authentication Basic.

@brunobml

I have tried many times establishing a new session from linux RHEL7 to windows server 2016.
Always get the same error.
I also tried authentication Kerberos, Basic, Negotiable, etc.

Enter-PSSession : MI_RESULT_ACCESS_DENIED
At line:1 char:1
+ Enter-PSSession -ComputerName WSRVPRD001 -Credential (Get-Credential) …
+ CategoryInfo : InvalidArgument: (WSRVPRD001:String) [Enter-PSSession], PSInvalidOperationException
+ FullyQualifiedErrorId : CreateRemoteRunspaceFailed

@nomoresecrets

Did anyone manage to establish the connection?

@tekniko24

New-PSSession -ComputerName remotehost -Credential $credential -Authentication Negotiate

Use Negotiate for authentication. I don’t recommend using basic as that would send your password in plain text over the network and you would also need to manually allow the remote host to accept basic authentication as it is not allowed by default. Specifying Negotiate results in using NTLM authentication which can be verified by checking $PSSenderInfo.UserInfo.Identity.AuthenticationType

@danports

@mgseelan

I am also facing the same problem when accessing from Ubuntu 16.04; the PowerShell version and details are included:

Name                           Value
----                           -----
PSVersion                      6.2.1
PSEdition                      Core
GitCommitId                    6.2.1
OS                             Linux 4.15.0-1036-gcp #38~16.04.1-Ubuntu SMP Tue Jun 25 15:30:46 UTC 2019
Platform                       Unix
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

My error output :
PowerShell credential request
Enter your credentials.
Password for user XXXXXXXXXXXX: **********

enter-pssession : MI_RESULT_ACCESS_DENIED
At line:1 char:1
+ enter-pssession -credential XXXXXXXXXXXX
+ CategoryInfo : InvalidArgument: (:String) [Enter-PSSession], PSInvalidOperationException
+ FullyQualifiedErrorId : CreateRemoteRunspaceFailed

@dheitsc

I also face this Issue on Centos 7 and Server 2012r2 / 2016

@jorioux

Same issue on Centos 7 and WinServer 2019

Invoke-Command gives the same error.

@aric49

So it appears this issue has been open for a while. I recently ran into this issue via #10764. Any plans to get this resolved in future releases? This is holding up some progress to port some Windows automation over to Linux based environment.

@arnydo

Experiencing this ongoing issue as well.

Linux > Windows 2012 R2

Enter-PSSession -Credential $creds -ConfigurationName microsoft.exchange -ConnectionUri http://x.x.x.x/powershell -Authentication Negotiate -Verbose
Enter-PSSession : Connecting to remote server x.x.x.x failed with the following error message : MI_RESULT_ACCESS_DENIED For more information, see the about_Remote_Troubleshooting Help topic.     

Linux to Exchange 2013

 Enter-PSSession -Credential $creds -ComputerName x.x.x.x -Authentication Negotiate -Verbose
Enter-PSSession : Connecting to remote server x.x.x.x failed with the following error message : MI_RESULT_ACCESS_DENIED For more information, see the about_Remote_Troubleshooting Help topic.                                           

@SteveL-MSFT

When remoting from Linux, you will likely need to explicitly use Basic auth. Negotiate requires additional libraries and configuration.

@arnydo

> When remoting from Linux, you will likely need to explicitly use Basic auth. Negotiate requires additional libraries and configuration.

Are the extra libraries required on the Windows or Linux side. Or both?

@SteveL-MSFT

Windows already has the necessary libs built into the OS. Here’s an example where the docker image was updated with a lib to support NTLM on Linux: PowerShell/PowerShell-Docker#124. This issue seems to indicate Kerberos can work on Linux.

@arnydo

> Windows already has the necessary libs built into the OS. Here’s an example where the docker image was updated with a lib to support NTLM on Linux: PowerShell/PowerShell-Docker#124. This issue seems to indicate Kerberos can work on Linux.

Hmm. Checked to verify that the package is installed in the Docker image and still get the same issue as above.

PS /> apt show gss-ntlmssp
Package: gss-ntlmssp
Version: 0.7.0-4build3
Status: install ok installed
PS /> Enter-PSSession -Credential $cred -ComputerName xxxxx -Authentication Negotiate -Verbose
Enter-PSSession : Connecting to remote server xxxxx failed with the following error message : MI_RESULT_FAILED For more information, see the about_Remote_Troubleshooting Help topic

@RDIL

Hey @arnydo,
All officially supported Docker images have gss-ntlmssp installed on them, except for Alpine and openSUSE. So as long as you are using one of the others, you should be good.

@arnydo

> Hey @arnydo,
> All officially supported Docker images have gss-ntlmssp installed on them, except for Alpine and openSUSE. So as long as you are using one of the others, you should be good.

I am using the latest Docker image for Powershell with no luck.

@danports

@arnydo

> @arnydo Did you check whether /etc/services was the issue? See #7342 (comment).

Hey, what does /etc/services have to do with this particular issue? That isn’t sarcastic…

@danports

haha, yes, that’s a fair question! There is an issue with the native OMI library PowerShell uses on Linux that only crops up with NTLM authentication when /etc/services is missing, as it is in some Docker images (like the official PowerShell images, IIRC). See microsoft/omi#623.

@arnydo

@danports I built a new image based on the latest Ubuntu 18.04 Powershell Dockerfile but with the addition of the RUN echo 'http 80/tcp www www-http' > /etc/services.

Same result…

@danports

Hmm, perhaps you’re experiencing a different problem then. You might want to try enabling OMI logging inside the container — reviewing the OMI logs is what eventually helped me to diagnose my issue.

@arnydo

Doesn’t look like omi is present at all in the Powershell images…is that even used in this case?

@danports

What do you mean by not present? You’ll probably need to create the OMI log and configuration directories to enable logging — I don’t think they are there by default.

@jameskirsop

@SteveL-MSFT, This is all well and good:

> When remoting from Linux, you will likely need to explicitly use Basic auth. Negotiate requires additional libraries and configuration.

Except, it’s not supported:

> Enter-PSSession -Credential $creds -ComputerName <HOSTNAME> -Authentication Basic -Verbose
Enter-PSSession : Basic authentication is not supported over HTTP on Unix.
At line:1 char:1
....

You’d think that such a useful feature, with multiple bug reports, would have been implemented and/or documented properly a year and a half later after the issue was first reported…


@mgseelan

Which version of the Power shell

@ghost

Just bumped against this too, using a rhel7.7 azure devops agent that needs to remote into a windows 2016 vm

@manivannanpk

I am also facing the same issue with the latest version of PowerShell (7.0.1).

Trying to connect to Windows 2012 from CentOS Linux 7.

@manivannanpk

As suggested by @BitDesert above, it works for me after installing gss-ntlmssp and with -Authentication Negotiate.

But there is a huge latency. Authentication itself takes around 20 seconds. Both the Linux and Windows machines are in the same subnet.

Any suggestion on how to reduce the latency?

@jlam55555

Having the same issue here on Arch Linux with Powershell Core 7.0.0. Installing the gss-ntlmssp AUR package and using -Authentication Negotiate did not solve the problem. Still get:

PS /home/jon> Enter-PSSession -Credential $credentials -Authentication Negotiate -ComputerName 192.168.1.203
Enter-PSSession: Connecting to remote server 192.168.1.203 failed with the following error message : acquiring creds with username only failed Unspecified GSS failure.  Minor code may provide more information SPNEGO cannot find mechanisms to negotiate For more information, see the about_Remote_Troubleshooting Help topic.

@arizvisa

Hey guys, op of PowerShell/PowerShell-Docker#124 here.

You can literally just use the docker://mcr.microsoft.com/powershell:centos-7 container w/ podman/docker/rkt/whatev to get it to work. Just run the container w/ interactivity and a tty and it kicks you into pwsh. If it doesn’t work, then check that the server you’re trying to connect to is configured properly because tokens aren’t exchanged across both platforms. Not all platforms support gssapi/ntlm, and I don’t think there are any tests... but because of @RDIL’s work, it’s super straightforward regardless.

Downloading sha256:d06345b12b6 [=============================]   106 MB / 106 MB 
Downloading sha256:524b0c1e57f [=============================] 75.9 MB / 75.9 MB 
PowerShell 7.0.3
Copyright (c) Microsoft Corporation. All rights reserved.

https://aka.ms/powershell
Type 'help' to get help.

PS /> enter-pssession -computername 10.7.17.218 -Credential $u -Authentication negotiate

PowerShell credential request
Enter your credentials.
User: root
Password for user root: ************************************************

[10.7.17.218]: PS C:\Users\root\Documents> exit

This is literally what containers are for, so you don’t have to fight with crazy deps to get a simple task handled.

If you’re trying to get kerberos to work with it (instead of ntlm), I don’t think the containers will work (despite gssapi supporting it) because you’ll need to get your tgt with kinit and then get the gssapi library to see it. You can probably do some clever mounting to get its library to see your tgt w/ the container though.

@MysticRyuujin

I’d like to add that Linux Mint 20 has the same issue as Ubuntu 20.04.

I installed the package with snap and manually installed gss-ntlmssp via apt but I still get the error:

New-PSSession: [SERVER] Connecting to remote server SERVER failed with the following error message : acquiring creds with username only failed Unspecified GSS failure.  Minor code may provide more information SPNEGO cannot find mechanisms to negotiate For more information, see the about_Remote_Troubleshooting Help topic.

@se

I found the problem. Just install inetutils-ping and it will solve. Probably it is depending ping to resolve OP or something.

apt-get install inetutils-ping

🖖

@sliddjur

> I found the problem. Just install inetutils-ping and it will solve. Probably it is depending ping to resolve OP or something.
>
> apt-get install inetutils-ping

On ubuntu I have iputils-ping — but it does not work with either one of them installed.

@janegilring

I get the same error on Ubuntu 20.04 (running in WSL2), even though inetutils-ping and gss-ntlmssp is installed.

Enter-PSSession: This parameter set requires WSMan, and no supported WSMan client library was found. WSMan is either not installed or unavailable for this system.

@VGerris

unfortunately it seems this kind of situations are terribly poorly documented by Microsoft.
I got the following to work:

  • Setup FreeIPA for DNS and Kerberos (on Linux)
  • register the Windows host in FreeIPA (add host — type machine name and IP address — save)
  • setup the proper ciphers for Kerberos (GPO/regedit, everything but DES)
  • Setup windows to authenticate with Kerberos, with something like:
    ksetup /setdomain IPA.YOURDOMAIN.COM
    ksetup /addkdc IPA.YOURDOMAIN.COM idm.ipa.yourdomain.com
    ksetup /addkpasswd IPA.YOURDOMAIN.COM idm.ipa.yourdomain.com
    ksetup /setcomputerpassword SecretMachinePassword
    ksetup /mapuser * *
  • Login to the FreeIPA host and generate the keytab:
    ipa-getkeytab -s ipa.yourdomain.com -p host/windows-hostname.ipa.yourdomain.com -e arcfour-hmac -k krb5.keytab.windows-hostname -P
  • now install a Linux host you will use to connect with Powershell — then register it with the FreeIPA Kerberos server and install powershell and the gssntlmssp package
  • on that same host you should be able to connect now:
    start powershell (pwsh / powershell in bash) then:
    $credential = get-credential user@IPA.YOURDOMAIN.COM
    Enter-PSSession -ComputerName windows-hostname.ipa.yourdomain.com -Authentication Negotiate -Credential $credential

A few other notes :

  • user needs to exist in FreeIPA, password is the password of the user in FreeIPA. The user also needs to exist as a local user on the Windows machine
  • while this worked from Linux, from Windows to Windows I only got it to work with Administrator accounts, then the format for the user is windows-hostname\Administrator
  • the Windows machines are showing the Kerberos Realm as a Workgroup, so they are not in a Domain like with an AD server
  • winrm service needs to run on host, setup and network has to be private (not public)
    winrm quickconfig
    Enable-PSRemoting
    Set-NetConnectionProfile -NetworkCategory Private

Finally, the output on CentOS 7 to connect looks like :

 pwsh
PowerShell 7.1.3
Copyright (c) Microsoft Corporation.

https://aka.ms/powershell
Type 'help' to get help.

PS /home/user> $credential = get-credential user@IPA.YOURDOMAIN.COM

PowerShell credential request
Enter your credentials.
Password for user user@IPA.YOURDOMAIN.COM: ****************

PS /home/user> Enter-PSSession -ComputerName windows-hostname.ipa.yourdomain.com -Authentication Negotiate -Credential $credential
[windows-hostname.ipa.yourdomain.com]: PS C:\Users\user.WINDOWS-HOSTNAME\Documents>

All this was put together by pulling information from all over the net.
This does not contain all details but should give you enough info to get it to work.
I have not tried Basic authentication and I think it is not safe.
The better approach is to use SSH to manage Windows, because Microsoft seems to be unwilling to deliver proper cross platform authentication support (NTLM does not work and Kerberos not the same as in a domain setting).

There are tickets for that that have been open for months, I haven’t checked those for a while, but feel free to try and get those done. Nobody wants to need a Windows server to manage other Windows servers ( or manage any windows server at all for that matter, but that’s beyond the scope of the answer ;) ).

@VGerris

> I still have this issue, on Ubuntu 20.04
> Powershell installed today with snap.
> I’m trying to Enter-PSSession -Authentication Negotiate using my $creds.
>
> ~> snap list powershell
> Name        Version  Rev  Tracking       Publisher              Notes
> powershell  7.0.1    129  latest/stable  microsoft-powershell✓  classic
> ~> apt info gss-ntlmssp
> Package: gss-ntlmssp
> Version: 0.7.0-4build3
> ...
> APT-Manual-Installed: yes
>
> The error message is:
>
> Enter-PSSession: Connecting to remote server 172.18.42.64 failed with the following error message : acquiring creds with username only failed Unspecified GSS failure.  Minor code may provide more information SPNEGO cannot find mechanisms to negotiate For more information, see the about_Remote_Troubleshooting Help topic.

you are not posting your whole command line. Make sure to use hostname and not IP and set up credentials as shown in my post above. it seems you only supply a user. Just google that error and look at examples otherwise. Make sure to post full info if you have the same issue, thanks

@ponchofiesta

yum install gssntlmssp
...
PS > $sesopt = New-PSSessionOption -SkipCACheck -SkipCNCheck
PS > Enter-PSSession -ComputerName 192.168.10.85 -Credential $cred -Authentication Negotiate -UseSSL -SessionOption $sesopt
Enter-PSSession: Connecting to remote server 192.168.10.85 failed with the following error message : Authorization failed For more information, see the about_Remote_Troubleshooting Help topic.

The Windows eventlog shows Error code 0xC000035B. That might be a version problem. Powershell on Linux seems to use NTLMv1. Windows Server needs a newer version.

Client: CentOS 7, Powershell 7.1.3
Server: Windows Server 2019

@azurezhang

In order to get the remote work, I have installed the following dependencies on ubuntu 20.4 (without Kerberos).
Install pwsh 7.1.3
Install OpenSSL
Install PSWSMan : sudo pwsh -Command 'Install-Module -Name PSWSMan'
Install gss-ntlmssp : sudo apt-get install -y gss-ntlmssp

While I am trying to setup on RHEL with Kerberos, got the error of «acquiring creds with username only failed Unspecified GSS failure. Minor code may provide more information SPNEGO cannot find mechanisms to negotiate» from Invoke-Command, and «Authorization failed Unspecified GSS failure. Minor code may provide more information Server not found in Kerberos database For more information» from New-PSSession and Enter-PSSession command

This might be a Kerberos configure issue or still missing some other dependencies required on RHEL.

@VGerris

you need to have your Linux machine authenticate with Kerberos first. Depending if you use AD or Linux, you need to make sure that it works. As I wrote, it works with both the Windows and Linux host using a Linux Kerberos server.
So login on the machine with Kerberos and type klist, you should see a valid ticket there.
As far as I know, it will not work without that, correct me if I’m wrong.

@azurezhang

@VGerris Thank you for your comment, I am able to create/enter PSSession from Linux to windows server run after turn off FIPS on Linux. Tracing down to md5 hash error and find that gss-ntlmssp is not compatible with FIPS.
Now need find a FIPS compatible gss-ntlmssp package.

@VOVELEE

I am experiencing similar issues with my setup — I simply cannot make Ubuntu 18.04 or 20.04 to connect to Windows Server 2019 using NTLM. Does anyone have any suggestions?

Looks like Ubuntu and Windows Server 2019 cannot negotiate the correct NTLM.
The same command opens a valid PSSession when it is executed on Windows 10 Client (standalone client, not joined to domain).

Setup:

  • Enabled WinRM on Windows Server 2019. Windows Server is joined to an Azure Active Directory Domain Services domain
  • Installed Powershell 7.1.3 on Ubuntu 18.04 following official Microsoft article
  • Installed gss-ntlmssp on Ubuntu 18.04 to enable NTLM authentication as per Including support for NTLM for the microsoft/docker container PowerShell-Docker#124
  • Install PSWSMAN 2.2.0 (I tested it without it — the same issue occur)

Commands executed on Ubuntu server:

$PSSessionParameters = @{
  Authentication    = 'Negotiate'
  Credential        = [pscredential]::new('user@domaintest.onmicrosoft.com', ('Obfuscated' | ConvertTo-SecureString -AsPlainText))
  UseSSL            = $true
  Port              = 5986
  ConfigurationName = 'PowerShell.7'
  SessionOption     = New-PSSessionOption -SkipCACheck -SkipCNCheck
}
New-PSSession -ComputerName '10.0.104.201' @PSSessionParameters

Error received on Ubuntu:

New-PSSession: [10.0.104.201] Connecting to remote server 10.0.104.201 failed with the following error message : Authorization failed For more information, see the about_Remote_Troubleshooting Help topic.

Error in Windows Server Security log:

Event 4625
Account For Which Logon Failed:
	Security ID:		NULL SID
	Account Name:		user@domaintest.onmicrosoft.com
	Account Domain:		

Failure Information:
	Failure Reason:		An Error occured during Logon.
	Status:			0xC000035B
	Sub Status:		0x0

NTLM audit log on Windows Server:

NTLM server blocked audit: Audit Incoming NTLM Traffic that would be blocked
Calling process PID: 3136
Calling process name: C:\Windows\System32\svchost.exe
Calling process LUID: 0x3E4
Calling process user identity: vm-gs-alt001$
Calling process domain identity: DOMAINTEST
Mechanism OID: 1.3.6.1.4.1.311.2.2.10
Audit NTLM authentication requests to this server that would be blocked if the security policy Network Security: Restrict NTLM: Incoming NTLM Traffic is set to Deny all accounts or Deny all domain accounts.
If you want this server to allow NTLM authentication, set the security policy Network Security: Restrict NTLM: Incoming NTLM Traffic to Allow all.

@VOVELEE

Please take a look into this thread — jborean93/omi#29
Looks like the limitation comes from the libraries which ship with different version of Windows. The workaround is to set the CbtHardeningLevel to None so Windows doesn’t try to validate the value at all.
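
Added example, not part of the thread or of any project's code: a PowerShell triage for the `0xC000035B` failure reported above. It classifies event 4625 by status code and reads the WinRM service settings the comments discuss (Basic, AllowUnencrypted, CbtHardeningLevel). The function names and the sample event are constructed for illustration.

```powershell
# NTSTATUS codes commonly seen in event 4625. PowerShell hashtable literals compare
# keys case-insensitively, so the lowercase hex the event log emits still matches.
$StatusMeaning = @{
    '0xC000035B' = 'STATUS_BAD_BINDINGS: channel binding token missing or mismatched'
    '0xC000006D' = 'STATUS_LOGON_FAILURE: bad user name or authentication data'
    '0xC000006A' = 'STATUS_WRONG_PASSWORD: account exists, password wrong'
    '0xC0000064' = 'STATUS_NO_SUCH_USER: account does not exist'
    '0xC0000234' = 'STATUS_ACCOUNT_LOCKED_OUT: account is locked out'
}

function ConvertFrom-LogonFailureXml {
    # Input: event XML as returned by (Get-WinEvent ...).ToXml()
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $doc = [xml]$EventXml
        $id  = $doc.GetElementsByTagName('EventID') | Select-Object -First 1
        if (-not $id -or $id.InnerText -ne '4625') { return }   # only failed logons

        # Flatten <Data Name="...">value</Data> into a lookup table.
        $data = @{}
        foreach ($d in $doc.GetElementsByTagName('Data')) {
            $data[$d.GetAttribute('Name')] = $d.InnerText
        }

        $status  = [string]$data['Status']
        $meaning = $StatusMeaning[$status]
        if (-not $meaning) { $meaning = 'unmapped NTSTATUS' }

        [pscustomobject]@{
            Account = $data['TargetUserName']
            Package = $data['AuthenticationPackageName']
            Source  = $data['IpAddress']
            Status  = $status
            Meaning = $meaning
        }
    }
}

function Get-WinRMServicePosture {
    # Read-only. Needs an elevated session on the Windows target with WinRM running.
    $checks = @(
        @{ Path = 'WSMan:\localhost\Service\Auth\Basic'; Weak = 'true'
           Why  = 'password is only base64-encoded, so it needs TLS underneath' }
        @{ Path = 'WSMan:\localhost\Service\AllowUnencrypted'; Weak = 'true'
           Why  = 'clients may skip message encryption over HTTP' }
        @{ Path = 'WSMan:\localhost\Service\Auth\CbtHardeningLevel'; Weak = 'None'
           Why  = 'channel binding tokens are not validated on HTTPS' }
        @{ Path = 'WSMan:\localhost\Service\Auth\Negotiate'; Weak = $null; Why = '' }
        @{ Path = 'WSMan:\localhost\Service\Auth\Kerberos';  Weak = $null; Why = '' }
    )
    foreach ($c in $checks) {
        $item = Get-Item -Path $c.Path -ErrorAction Stop
        $weak = $c.Weak -and ($item.Value -eq $c.Weak)
        [pscustomobject]@{
            Setting = $c.Path -replace '^WSMan:\\localhost\\Service\\', ''
            Value   = $item.Value
            Source  = $item.SourceOfValue      # shows when a GPO set the value
            Finding = if ($weak) { "WEAK: $($c.Why)" } else { 'ok' }
        }
    }
}

# Constructed sample event, shaped like the 4625 quoted in the thread
# (the source address and package are made-up values).
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID></System>
  <EventData>
    <Data Name="TargetUserName">user@domaintest.onmicrosoft.com</Data>
    <Data Name="Status">0xc000035b</Data>
    <Data Name="SubStatus">0x0</Data>
    <Data Name="AuthenticationPackageName">NTLM</Data>
    <Data Name="IpAddress">10.0.104.50</Data>
  </EventData>
</Event>
'@
$sample | ConvertFrom-LogonFailureXml | Format-List

# On the Windows server itself (elevated), use live data instead:
#   Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents 50 |
#       ForEach-Object { $_.ToXml() } | ConvertFrom-LogonFailureXml | Group-Object Meaning
#   Get-WinRMServicePosture | Format-Table -AutoSize
```

STATUS_BAD_BINDINGS with CbtHardeningLevel at Relaxed or Strict means the server rejected the client's channel binding token over HTTPS, so the password itself is not the problem.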

@netcore-jroger

@plao

> New-PSSession -ComputerName remotehost -Credential $credential -Authentication Negotiate
>
> Use Negotiate for authentication. I don’t recommend using basic as that would send your password in plain text over the network and you would also need to manually allow the remote host to accept basic authentication as it is not allowed by default. Specifying Negotiate results in using NTLM authentication which can be verified by checking $PSSenderInfo.UserInfo.Identity.AuthenticationType

Thanks!

@hunter86bg

Obviously something is wrong with the PowerShell for Linux.
A very interesting blog that can shed the light , especially the topic where the PRs were rejected.

For my Ubuntu18.04 connecting to Win10 Pro over winrm (http port, not joined in AD) , the following worked:

sudo apt install  gss-ntlmssp powershell
pwsh -Command 'Install-Module -Name PSWSMan'
sudo pwsh -Command 'Install-WSMan'

Validation:

$cred=Get-Credential 
Enter-PSSession -ComputerName vmhostname.vmdomain -Credential $cred -Authentication Negotiate

File copy :

$pw = convertto-securestring -AsPlainText -Force -String PASS
$cred = new-object -typename System.Management.Automation.PSCredential -argumentlist "USER",$pw
$session = New-PSSession -ComputerName win10pro.localdomain -Credential $cred  -Authentication Negotiate
Copy-Item -Path 'C:\Users\USER\Desktop\somefile.txt' -Destination /tmp/ -FromSession $session

@VarunRajanna

@arizvisa

> Obviously something is wrong with the PowerShell for Linux. A very interesting blog that can shed the light , especially the topic where the PRs were rejected.

For the record, the blog is definitely titled as being related to Linux..but if you look at the PRs microsoft/omi#669, microsoft/omi#670, and the blog, those are all related to building the library on MacOS (which is unsupported).

The troubleshooting of GSSAPI and everything else from the blog is definitely on-topic, though, and is probably useful for people who need help troubleshooting more details of how pwsh on linux interacts with GSSAPI. Still, though, it’s super cool that the author is actively maintaining OMI for all of the platforms (including MacOS)…because honestly, it needs it.

@hunter86bg

This comment was marked as off-topic.

@celsolom

Obviously something is wrong with the PowerShell for Linux. A very interesting blog that can shed some light, especially the topic where the PRs were rejected.

For my Ubuntu 18.04 connecting to Win10 Pro over WinRM (HTTP port, not joined in AD), the following worked:

sudo apt install  gss-ntlmssp powershell
pwsh -Command 'Install-Module -Name PSWSMan'
sudo pwsh -Command 'Install-WSMan'

Validation:

$cred=Get-Credential 
Enter-PSSession -ComputerName vmhostname.vmdomain -Credential $cred -Authentication Negotiate

File copy :

$pw = convertto-securestring -AsPlainText -Force -String PASS
$cred = new-object -typename System.Management.Automation.PSCredential -argumentlist "USER",$pw
$session = New-PSSession -ComputerName win10pro.localdomain -Credential $cred  -Authentication Negotiate
Copy-Item -Path 'C:\Users\USER\Desktop\somefile.txt' -Destination /tmp/ -FromSession $session

Thanks!
Works for me on Manjaro with PS 7.2.1.

@hunter86bg

This comment was marked as off-topic.

@arizvisa

@hunter86bg not to police this thread, but that might be off-topic since we’re in an issue tracker for keeping track of bugs and the thread could get closed or locked if it wanders too far from the original issue. this specific issue is with regards to entering/creating a PSsession and not necessarily performance issues encountered therein.

please create another issue describing your problem so that maybe the devers could look into it.

@lefort1

I spent days trying to figure out why the code below wasn’t working on Amazon Linux 2 (CentOS 7):

# Lowercase domain part in the UPN, as originally posted
$serviceUserName = '<username>@my.company.domain'
$servicePassword = '<password>'
$secStringPassword = ConvertTo-SecureString $servicePassword -AsPlainText -Force
$credObject = New-Object System.Management.Automation.PSCredential ($serviceUserName, $secStringPassword)

$ExSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri 'http://<hostname>.<domain>/PowerShell/?SerializationLevel=Full' -Credential $credObject -Authentication Kerberos

Error message:

Enter-PSSession : Connecting to remote server hostname failed with the following error message : Kerberos verify cred with password failed No credentials were supplied, or the credentials were unavailable or inaccessible For more information, see the about_Remote_Troubleshooting Help topic.

Turns out the domain name in the username simply needed to be capitalized like so: <username>@MY.COMPANY.DOMAIN

Sorry if this is obvious, but hoping it helps someone else like me.

@mtbiker-s

Installing gss-ntlmssp as stated in #11374 solved this issue for me.
I’m using -Authentication Negotiate.

It’s solution…..

This worked for me on Centos 7 with Powershell 7.1.3

@ponchofiesta

Installing gss-ntlmssp as stated in #11374 solved this issue for me.
I’m using -Authentication Negotiate.

It’s solution…..

This worked for me on Centos 7 with Powershell 7.1.3

It’s a Debian package and not available in CentOS 7. There is gssntlmssp package but it is installed here and it’s still not working.


In the previous note I looked at automating the switch of monitored objects into maintenance mode in SCOM. Later it occurred to me to use, as the SCOM server name (when calling the maintenance-mode management script), the name of an NLB instance backed by 2 SCOM management servers instead of the FQDN of one particular SCOM management server. However, when calling the script this way I ran into an error saying that the server the script is run from does not trust the NLB name and the remote PSSession cannot use the Kerberos authentication mechanism.

New-PSSession : [KOM-AD01-SCOMCL.holding.com] Connecting to remote server KOM-AD01-SCOMCL.holding.com failed with the following error message : WinRM cannot process the request. The following error occurred while using Kerberos authentication: Cannot find the computer KOM-AD01-SCOMCL.holding.com. Verify that the computer exists on the network and that the name provided is spelled correctly. For more information, see the about_Remote_Troubleshooting Help topic.

The last sentence of the error message refers to a PowerShell help topic, and reading it makes the nature of the problem clear. You can open this help topic with the command:

Get-Help about_Remote_Troubleshooting | more

By the way, if you try to read PowerShell help and run into an error updating that help over the Internet while using a proxy, you may find the note "How to update PowerShell help (Update-Help) when using a proxy" useful.

For the host from which we run the script to trust the remote host name we specify, that name must be added to the WSMan:\localhost\Client\TrustedHosts namespace.

You can view the current value like this:

Get-Item WSMan:\localhost\Client\TrustedHosts

You can set a new value (the previous value will be overwritten) like this:

Set-Item WSMan:\localhost\Client\TrustedHosts -Value "KOM-AD01-SCOMCL.holding.com"

If the value is set from scripts, you can add the -Force switch to the command to suppress the confirmation prompt.

To relax this check completely, you can use the command:

Set-Item WSMan:\localhost\Client\TrustedHosts -Value "*" -Force

After that, a script targeting a host name that has no Kerberos binding (or even an IP address instead of a name) will run without the error described above.
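Because Set-Item overwrites the existing TrustedHosts value and "*" removes the check for every host, a script that manages this setting is safer when it merges named hosts into the current list. The following is an added example, not part of the original post; the function names Merge-TrustedHosts and Add-TrustedHost and the scom01/scom02 host names are hypothetical.

```powershell
# Added example: merge named hosts into TrustedHosts instead of overwriting it.
# Merge-TrustedHosts and Add-TrustedHost are hypothetical helper names.

function Merge-TrustedHosts {
    # Pure string logic, no WSMan access: returns the merged comma-separated value.
    param(
        [string]$Current,
        [Parameter(Mandatory)][string[]]$Add
    )
    $merged = @()
    foreach ($entry in ($Current -split ',')) {
        $name = $entry.Trim()
        if ($name -eq '') { continue }
        if ($name -eq '*') {
            Write-Warning "TrustedHosts already contains '*': every host name is accepted."
        }
        # -notcontains is case-insensitive, so SRV1 and srv1 count as one entry
        if ($merged -notcontains $name) { $merged += $name }
    }
    foreach ($entry in $Add) {
        $name = $entry.Trim()
        if ($name -eq '') { continue }
        if ($name -eq '*') {
            throw "Refusing to add '*': name the hosts you actually connect to."
        }
        if ($merged -notcontains $name) { $merged += $name }
    }
    $merged -join ','
}

function Add-TrustedHost {
    # Reads the live value, merges, and writes back only when something changed.
    # Requires an elevated session; supports -WhatIf for a dry run.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string[]]$ComputerName)

    $path    = 'WSMan:\localhost\Client\TrustedHosts'
    $current = (Get-Item -Path $path).Value
    $new     = Merge-TrustedHosts -Current $current -Add $ComputerName

    if ($new -eq $current) { return $current }
    if ($PSCmdlet.ShouldProcess($path, "Set value to '$new'")) {
        Set-Item -Path $path -Value $new -Force
    }
    $new
}

# Constructed sample values; this call only exercises the merge logic.
Merge-TrustedHosts -Current 'scom01.holding.com, scom02.holding.com' `
                   -Add 'KOM-AD01-SCOMCL.holding.com', 'SCOM01.holding.com'

# Dry run against the real setting (elevated prompt):
# Add-TrustedHost -ComputerName 'KOM-AD01-SCOMCL.holding.com' -WhatIf
```

For a one-off append, Set-Item on this path also accepts the -Concatenate switch. Hosts listed in TrustedHosts are not authenticated by the client, so keep the list to the names that cannot use Kerberos.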

I was working on some cert errors with my Exchange servers. Everything was fine until I had to reboot one of the servers. Now my email is down, and I get a blank white screen when I try to log in to the Exchange Administrative Center. I also get the following red text when I open up the Exchange Management Shell:

I still have the same certs bound to port 443 in IIS. I am scratching my head on this one.

Powershell

VERBOSE: Connecting to mailserver1.pct.local.
New-PSSession : [mailserver1.pct.local] Connecting to remote server mailserver1.pct.local failed with the following error
message : [ClientAccessServer=mailserver1,BackEndServer=mailserver1.pct.local,RequestId=607786b4-5f45-4de8-a914-b3a97954b562,Ti
meStamp=3/6/2018 11:46:26 PM] [FailureCategory=Cafe-SendFailure]  For more information, see the
about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ New-PSSession -ConnectionURI "$connectionUri" -ConfigurationName Microsoft.Excha ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotin
   gTransportException
    + FullyQualifiedErrorId : -2144108477,PSSessionOpenFailed
VERBOSE: Connecting to mailserver2.pct.local.
New-PSSession : [mailserver2.pct.local] Connecting to remote server mailserver2.pct.local failed with the following
error message : [ClientAccessServer=mailserver2,BackEndServer=mailserver2.pct.local,RequestId=216eed17-1089-4776-8cbb-1
23efae7c593,TimeStamp=3/6/2018 11:46:32 PM] [FailureCategory=Cafe-SendFailure]  For more information, see the
about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ New-PSSession -ConnectionURI "$connectionUri" -ConfigurationName Microsoft.Excha ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotin
   gTransportException
    + FullyQualifiedErrorId : -2144108477,PSSessionOpenFailed
VERBOSE: Connecting to mailserver1.pct.local.
New-PSSession : [mailserver1.pct.local] Connecting to remote server mailserver1.pct.local failed with the following error
message : [ClientAccessServer=mailserver1,BackEndServer=mailserver1.pct.local,RequestId=4aa3ad76-1712-463a-9ec0-2995196fc68b,Ti
meStamp=3/6/2018 11:46:37 PM] [FailureCategory=Cafe-SendFailure]  For more information, see the
about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ New-PSSession -ConnectionURI "$connectionUri" -ConfigurationName Microsoft.Excha ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotin
   gTransportException
    + FullyQualifiedErrorId : -2144108477,PSSessionOpenFailed
VERBOSE: Connecting to casserver.pct.local.
New-PSSession : [casserver.pct.local] Connecting to remote server casserver.pct.local failed with the following error
message : [ClientAccessServer=casserver,BackEndServer=mailserver1.pct.local,RequestId=4f3a7037-b926-43b6-b4cd-75ba1ab4f9c5,Tim
eStamp=3/6/2018 11:46:34 PM] [FailureCategory=Cafe-SendFailure]  For more information, see the
about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ New-PSSession -ConnectionURI "$connectionUri" -ConfigurationName Microsoft.Excha ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotin
   gTransportException
    + FullyQualifiedErrorId : -2144108477,PSSessionOpenFailed
VERBOSE: Connecting to mailserver2.pct.local.
New-PSSession : [mailserver2.pct.local] Connecting to remote server mailserver2.pct.local failed with the following
error message : [ClientAccessServer=mailserver2,BackEndServer=mailserver2.pct.local,RequestId=c47803e4-5ddf-4082-9162-f
84085fb3d73,TimeStamp=3/6/2018 11:46:47 PM] [FailureCategory=Cafe-SendFailure]  For more information, see the
about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ New-PSSession -ConnectionURI "$connectionUri" -ConfigurationName Microsoft.Excha ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotin
   gTransportException
    + FullyQualifiedErrorId : -2144108477,PSSessionOpenFailed
VERBOSE: Connecting to mailserver1.pct.local.
New-PSSession : [mailserver1.pct.local] Connecting to remote server mailserver1.pct.local failed with the following error
message : [ClientAccessServer=mailserver1,BackEndServer=mailserver1.pct.local,RequestId=ad7b2438-166c-40e3-8418-353c1667be0d,Ti
meStamp=3/6/2018 11:46:52 PM] [FailureCategory=Cafe-SendFailure]  For more information, see the
about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ New-PSSession -ConnectionURI "$connectionUri" -ConfigurationName Microsoft.Excha ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotin
   gTransportException
    + FullyQualifiedErrorId : -2144108477,PSSessionOpenFailed
WARNING: No Exchange servers are available in the Active Directory site Texas. Connecting to an Exchange server in
another Active Directory site.
WARNING: No Exchange servers are available in the Active Directory site Texas. Connecting to an Exchange server in
another Active Directory site.
VERBOSE: Connecting to mailserver2.pct.local.
New-PSSession : [mailserver2.pct.local] Connecting to remote server mailserver2.pct.local failed with the following
error message : [ClientAccessServer=mailserver2,BackEndServer=mailserver2.pct.local,RequestId=3dd82b58-0086-4dda-a762-a
c8d42d40210,TimeStamp=3/6/2018 11:46:58 PM] [FailureCategory=Cafe-SendFailure]  For more information, see the
about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ New-PSSession -ConnectionURI "$connectionUri" -ConfigurationName Microsoft.Excha ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotin
   gTransportException
    + FullyQualifiedErrorId : -2144108477,PSSessionOpenFailed
VERBOSE: Connecting to mailserver1.pct.local.
New-PSSession : [mailserver1.pct.local] Connecting to remote server mailserver1.pct.local failed with the following error
message : [ClientAccessServer=mailserver1,BackEndServer=mailserver1.pct.local,RequestId=30bf6c09-5acd-497e-8a83-bfbd4e45cdd7,Ti
meStamp=3/6/2018 11:47:03 PM] [FailureCategory=Cafe-SendFailure]  For more information, see the
about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ New-PSSession -ConnectionURI "$connectionUri" -ConfigurationName Microsoft.Excha ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotin
   gTransportException
    + FullyQualifiedErrorId : -2144108477,PSSessionOpenFailed
VERBOSE: Connecting to casserver.pct.local.
New-PSSession : [casserver.pct.local] Connecting to remote server casserver.pct.local failed with the following error
message : [ClientAccessServer=casserver,BackEndServer=mailserver2.pct.local,RequestId=5ad8814f-03d8-48d1-870c-92e0001af272
,TimeStamp=3/6/2018 11:47:00 PM] [FailureCategory=Cafe-SendFailure]  For more information, see the
about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ New-PSSession -ConnectionURI "$connectionUri" -ConfigurationName Microsoft.Excha ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotin
   gTransportException
    + FullyQualifiedErrorId : -2144108477,PSSessionOpenFailed
VERBOSE: Connecting to mailserver2.pct.local.
New-PSSession : [mailserver2.pct.local] Connecting to remote server mailserver2.pct.local failed with the following
error message : [ClientAccessServer=mailserver2,BackEndServer=mailserver2.pct.local,RequestId=c81c43d6-544a-4f9f-8df3-8
c2e58ef4139,TimeStamp=3/6/2018 11:47:13 PM] [FailureCategory=Cafe-SendFailure]  For more information, see the
about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ New-PSSession -ConnectionURI "$connectionUri" -ConfigurationName Microsoft.Excha ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotin
   gTransportException
    + FullyQualifiedErrorId : -2144108477,PSSessionOpenFailed
VERBOSE: Connecting to mailserver1.pct.local.
New-PSSession : [mailserver1.pct.local] Connecting to remote server mailserver1.pct.local failed with the following error
message : [ClientAccessServer=mailserver1,BackEndServer=mailserver1.pct.local,RequestId=beed9f66-61c2-4f65-9b63-772ef2c4dcc7,Ti
meStamp=3/6/2018 11:47:18 PM] [FailureCategory=Cafe-SendFailure]  For more information, see the
about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ New-PSSession -ConnectionURI "$connectionUri" -ConfigurationName Microsoft.Excha ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotin
   gTransportException
    + FullyQualifiedErrorId : -2144108477,PSSessionOpenFailed
Failed to connect to an Exchange server in the current site.
Enter the server FQDN where you want to connect.:
VERBOSE: Connecting to .
New-PSSession : Cannot bind parameter 'ConnectionUri'. Cannot convert value
"http:///powershell?serializationLevel=Full;ExchClientVer=15.0.1210.3;clientApplication=ManagementShell;TargetServer="
to type "System.Uri". Error: "Invalid URI: The hostname could not be parsed."
At line:1 char:30
+ New-PSSession -ConnectionURI "$connectionUri" -ConfigurationName Microsoft.Excha ...
+                              ~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [New-PSSession], ParameterBindingException
    + FullyQualifiedErrorId : CannotConvertArgumentNoMessage,Microsoft.PowerShell.Commands.NewPSSessionCommand


I am trying to connect PowerShell remotely to an Exchange server. This is to a separate AD Domain. (Connecting domainA to domainB) I can connect from domainA to servers on other domains just fine. I receive the following error:

PS Y:Personalscripts> $session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://server1.domainB.tld/PowerShell/ -Authentication Kerberos -Credential $cred
New-PSSession : [server1.domainB.tld] Connecting to remote server server1.domainB.tld failed with the following error message : The user name or password is incorrect. For more 
information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:12
+ $session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri ht ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotingTransportException
+ FullyQualifiedErrorId : LogonFailure,PSSessionOpenFailed

This isn’t specific to this server, I get the same results to two other servers in the same domain.

My username is in UPN format: me@domainB.tld. If I use domainB\me I get the following error:

PS Y:Personalscripts> $session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://server1.domainB.tld/PowerShell/ -Authentication Kerberos -Credential $cred
New-PSSession : [server1.domainB.tld] Connecting to remote server server1.domainB.tld failed with the following error message : WinRM cannot process the request. The following 
error with errorcode 0x80090311 occurred while using Kerberos authentication: There are currently no logon servers available to service the logon request.  
 Possible causes are:
  -The user name or password specified are invalid.
  -Kerberos is used when no authentication method and no user name are specified.
  -Kerberos accepts domain user names, but not local user names.
  -The Service Principal Name (SPN) for the remote computer name and port does not exist.
  -The client and remote computers are in different domains and there is no trust between the two domains.
 After checking for the above issues, try the following:
  -Check the Event Viewer for events related to authentication.
  -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
 Note that computers in the TrustedHosts list might not be authenticated.
   -For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:12
+ $session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri ht ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotingTransportException
    + FullyQualifiedErrorId : AuthenticationFailed,PSSessionOpenFailed

I’ve also tried connecting to domainB from other domains and receive the same results. I assume there is a permission somewhere that needs to be set, but I’m not sure what.

wsman:\localhost\client\trustedhosts is set to the correct values

I can RDP in with the same credentials no problem, so I know my credentials are valid. I’m also a domain admin. Servers are Windows 2012 R2.

PSRemoting is enabled

[PS] D:\>Enable-PSRemoting -Force
WinRM is already set up to receive requests on this computer.
WinRM is already set up for remote management on this computer.

PSSessionConfiguration

Name          : microsoft.powershell
PSVersion     : 4.0
StartupScript : 
RunAsUser     : 
Permission    : BUILTIN\Administrators AccessAllowed, BUILTIN\Remote Management Users AccessAllowed

Name          : microsoft.powershell.workflow
PSVersion     : 4.0
StartupScript : 
RunAsUser     : 
Permission    : BUILTIN\Administrators AccessAllowed, BUILTIN\Remote Management Users AccessAllowed

Name          : microsoft.powershell32
PSVersion     : 4.0
StartupScript : 
RunAsUser     : 
Permission    : BUILTIN\Administrators AccessAllowed, BUILTIN\Remote Management Users AccessAllowed

Name          : microsoft.windows.servermanagerworkflows
PSVersion     : 3.0
StartupScript : 
RunAsUser     : 
Permission    : NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators AccessAllowed

In addition, I tried remoting from a server in domainB to server1.domainB and it works fine. So it has something to do with connecting from outside of the domain.

Test auth in IIS works fine

Removing -Authentication Kerberos or using Negotiate also results in errors

wsman trustedhosts — Added FQDN of client to server. Added FQDN and IP of server to client. No change.

What do I need to fix to be able to remote in here?
