I’m setting up a Windows lab environment. It has a Win2012R2 domain controller (srv001) and I’d like to add another Win2012R2 server to the domain (srv003). Actually, all goes well. I gave the new server a static IP address in the same subnet as the DC, pointed it to the right DNS server and added the server to the domain.
However, when I add the new server to Server Manager, I get a Kerberos error: 0x80090322. It has quite a long error message that I’ll post below. I did some testing and found out that I’m actually able to set up a remote PowerShell session to the server using Kerberos authentication:
$s = New-PSSession -ComputerName srv003 -Authentication Kerberos
$s | Enter-PSSession
No problems here. I ran Enable-PSRemoting on the remote server, no problems there as well.
Why doesn’t Server Manager like my new server? Especially since it’s possible to set up a remote PowerShell session using the same protocol Server Manager is complaining about.
The error message that belongs to error code 0x80090322:
Configuration refresh failed with the following error: The metadata failed to be retrieved from the server, due to the following error: WinRM cannot process the request. The following error with errorcode 0x80090322 occurred while using Kerberos authentication: An unknown security error occurred. Possible causes are:
- The user name or password specified are invalid.
- Kerberos is used when no authentication method and no user name are specified.
- Kerberos accepts domain user names, but not local user names.
- The Service Principal Name (SPN) for the remote computer name and port does not exist.
- The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
- Check the Event Viewer for events related to authentication.
- Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport. Note that computers in the TrustedHosts list might not be authenticated.
- For more information about WinRM configuration, run the following command: winrm help config.
To refer back to the numbered items in the error message:
- I use a domain admin account to do this.
- Not sure how to change this in Server Manager so I suppose the default should do it.
- I’m running inside the domain, starting Server Manager as a domain admin.
- The server actually has the following SPNs which I haven’t touched:
- Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/srv003.rwwilden01.local
- TERMSRV/SRV003
- TERMSRV/srv003.rwwilden01.local
- WSMAN/srv003
- WSMAN/srv003.rwwilden01.local
- RestrictedKrbHost/SRV003
- HOST/SRV003
- RestrictedKrbHost/srv003.rwwilden01.local
- HOST/srv003.rwwilden01.local
- Both computers are in the same domain.
- No events on the client machine.
- It shouldn’t be necessary to do this.
In the previous note I looked at automating the transfer of monitored objects into maintenance mode in SCOM. Later it occurred to me that, when calling the maintenance-mode management script, the SCOM server name could be the name of an NLB instance with two SCOM management servers behind it, instead of the FQDN of one particular SCOM management server. However, when calling the script this way I ran into an error saying that the server the script is started from does not trust the NLB name, so the remote PSSession cannot use the Kerberos authentication mechanism.
New-PSSession : [KOM-AD01-SCOMCL.holding.com] Connecting to remote server KOM-AD01-SCOMCL.holding.com failed with the following error message : WinRM cannot process the request. The following error occurred while using Kerberos authentication: Cannot find the computer KOM-AD01-SCOMCL.holding.com. Verify that the computer exists on the network and that the name provided is spelled correctly. For more information, see the about_Remote_Troubleshooting Help topic.
The last sentence of the error message points to the PowerShell help topic which, once read, makes the essence of the problem clear. That help topic can be opened with the command:
Get-Help about_Remote_Troubleshooting | more
By the way, if while trying to read the PowerShell help you run into an error updating that help from the Internet, and you are behind a proxy, you may find the note How to update PowerShell help (Update-Help) when using a proxy useful.
For the host we run the script from to trust the remote host name we specify, that name must be added to the WSMan:\localhost\Client\TrustedHosts item.
The current value of this item can be viewed like this:
Get-Item WSMan:\localhost\Client\TrustedHosts
A new value can be set like this (the previous value will be overwritten):
Set-Item WSMan:\localhost\Client\TrustedHosts -Value "KOM-AD01-SCOMCL.holding.com"
If the value is going to be set from a script, the -Force switch can be added to the command to suppress the confirmation prompt for changing the value.
To relax this verification mechanism entirely, you can use the command:
Set-Item WSMan:\localhost\Client\TrustedHosts -Value "*" -Force
After this, a script aimed at a host name with no Kerberos binding (or even at an IP address instead of a name) will run without the error described above.
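As an added example (not code from the note above), the same TrustedHosts change done from a script without discarding entries that are already present, and with a check for the wildcard: a name in TrustedHosts is one the client will talk to without Kerberos mutual authentication, so the example appends only the single NLB name. The NLB name is the one from the note; run it in an elevated PowerShell session.

```powershell
# Added example, not code from the note: append one name to the WinRM client
# TrustedHosts list instead of overwriting it, then confirm the result.
# Run elevated. $nlbName is the NLB name from the note; replace it for your setup.
$nlbName = 'KOM-AD01-SCOMCL.holding.com'
$path    = 'WSMan:\localhost\Client\TrustedHosts'

# The WSMan provider stores the list as a single comma-separated string.
$current = (Get-Item -Path $path).Value
$entries = @($current -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })

if ($entries -contains '*') {
    # A wildcard already trusts every host: the client falls back to NTLM for any
    # name without a Kerberos SPN and never verifies who answered.
    Write-Warning "TrustedHosts is '*'; replace it with explicit names such as $nlbName."
}
elseif ($entries -contains $nlbName) {
    Write-Host "$nlbName is already in TrustedHosts."
}
elseif ($entries.Count -eq 0) {
    # Empty list: a plain Set-Item is enough. -Force suppresses the prompt.
    Set-Item -Path $path -Value $nlbName -Force
}
else {
    # -Concatenate appends to the existing entries instead of replacing them.
    Set-Item -Path $path -Value $nlbName -Concatenate -Force
}

# Show the resulting list and probe the NLB name; with the entry in place the
# connection negotiates NTLM instead of failing on the Kerberos SPN lookup.
Write-Host "TrustedHosts now: $((Get-Item -Path $path).Value)"
Test-WSMan -ComputerName $nlbName -Authentication Default
```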
I have two forests with a transitive one-way trust between them: PROD -> TEST (TEST trusts PROD). I had previously had Kerberos authentication working with WinRM from PROD to machines in TEST. I have verified the trust is healthy; I also verified users in TEST can use WinRM with Kerberos just fine. Users from PROD cannot connect via Kerberos to machines in TEST with WinRM.
I have verified the service has registered the appropriate SPNs. I ran dcdiag against all my PROD and TEST domain controllers and didn’t find anything that would prevent Kerberos from happening. I even tried disabling the firewall entirely on my TEST DCs, but that didn’t gain me anything.
I’ve enabled Kerberos logging but only see the expected errors, such as it couldn’t find a PROD SPN for the machine, which it shouldn’t from what I understand; it should go to the TEST domain and find the SPN from there.
I’m really out of next steps before I call PSS and hope someone here has run into this and could provide me some next steps.
PowerShell Error:
Connecting to remote server failed with the following error message : WinRM cannot process the request. The following error occured while using Kerberos authentication: The network path was not found.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does not exist.
-The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
+ CategoryInfo : OpenError: (:) [], PSRemotingTransportException
+ FullyQualifiedErrorId : PSSessionStateBroken
winrs Error:
Winrs error:
WinRM cannot process the request. The following error occured while using Kerberos authentication: The network path was not found.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does not exist.
-The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following command: winrm help config.
Some of our servers (W2K8 R2) were moved to the cloud last week. Once that was done, my PowerShell script started to fail (it was working fine before); the exception is thrown on the line where the connection is being established:
$ExSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "http://$g_strExchangeServer/PowerShell" `
-Credential $Credentials -Authentication Kerberos
With the following message,
[subd.staging.com] Connecting to remote server failed with the following error message :
**WinRM cannot process the request**. The following error occured while using Kerberos authentication: There are currently no logon servers available to service the logon request.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does not exist.
-The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following command: winrm help onfig. For more information, see the about_Remote_Troubleshooting Help topic.
+ CategoryInfo : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [], PSRemotingTransportException
+ FullyQualifiedErrorId : PSSessionOpenFailed
This happens only if I try to target our testing domain; if I point the script to our production domain then it works.
The same error is displayed on all the servers that were already moved to cloud.
Notice that all the servers which have not already moved to cloud are able to run the script on both domains without any problem.
I’ve tried the following, but no luck.
//Add the destination computer to the WinRM TrustedHosts configuration setting.
c:\>winrm set winrm/config/client @{TrustedHosts="stagingserver"}
//Confirm that WinRM is properly configured.
c:\>winrm quickconfig
//Make sure that the remote server allows commands from any machine.
PS c:\>Set-Item WSMan:\localhost\Client\TrustedHosts -Value *
Using PowerShell v2 and WinRM v2.
Any comments are welcome.
Recently I was having trouble remoting to servers in another forest. It worked on certain computers but not on others. No matter what I did, I was constantly getting this error:
Enter-PSSession : Connecting to remote server Server01 failed with the following error message : WinRM cannot process the request. The following error with errorcode 0x80090311 occurred while using Kerberos authentication: There are
currently no logon servers available to service the logon request.
The solution in my case was not to use the down-level logon name (DOMAIN\UserName) but the user principal name (UPN) format instead: UserName@domain.name
If you want to read more or if this does not help you here are some details.
This is what I have tried.
I found an article which instructed me to clear the DNS and Kerberos ticket caches. Unfortunately it did not solve my problem. Here is a link to the article.
I also found another post. Here the solution was to disable the anti-virus on the remote machine. I tried it with no luck. This one might be useful to you, so here is the full article.
Then I started capturing and analysing traffic. Here is what I got:
When running
Enter-PSSession NW-Remote01 -Credential northwindtraders\UserName
DNS Query looked like this:
Standard query SRV _kerberos._tcp.Site-N._sites.dc._msdcs.northwindtraders.contoso.com
No such Name
Standard query SRV _kerberos._tcp.Site-N._sites.dc._msdcs.northwindtraders.northwindtraders.com
No such Name
Standard query SRV _kerberos._tcp.dc._msdcs.northwindtraders.com.contoso.com
No such Name
Standard query SRV _kerberos._tcp.dc._msdcs.northwindtraders.northwindtraders.com
No such Name
Obviously this will not work. But how do you persuade the client to query DNS differently? You can say pleassse, but this will not help. Or:
You can run:
Enter-PSSession NW-Remote01 -Credential UserName@northwindtraders.com
or
Enter-PSSession NW-Remote01 -Credential northwindtraders.com\UserName
The DNS Query looked like this:
Standard query SRV _kerberos._tcp.Site-N._sites.dc._msdcs.northwindtraders.com
No such Name
Standard query SRV _kerberos._tcp.dc._msdcs.northwindtraders.com
Standard query response SRV 0 100 88 NW-DC02.northwindtraders.com SRV NW-DC01.northwindtraders.com
Standard query A NW-DC02.northwindtraders.com
Standard query response A 10.20.1.11
Standard query A NW-Remote01.contoso.com
No such name
Standard query 0xba0c A NW-Remote01.northwindtraders.com
Standard query response A 10.20.1.21
Conclusion
If you are having problems with PS Remote:
1.) Check if remoting is enabled
test-wsman -computername server01 -authentication default
2.) Check Firewall
3.) Check Trusted hosts
Get-Item WSMan:\localhost\Client\TrustedHosts
4.) Use UPN name instead of Down-Level Logon Name
5.) Clear caches on both servers:
To clear the DNS name cache, type: IPConfig /FlushDNS
To clear the NetBIOS name cache, type: NBTStat -R
To clear Kerberos tickets you will need KList.exe: KList purge
6.) Turn off anti-virus software on both sides to test if anti-virus is blocking communication
Hope this helps you.
Jure
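As an added example (not code from Jure's post), the diagnosis above turned into a script: it takes the Kerberos realm from a UPN, checks the KDC SRV record and the target's A record that appear in the trace, and then runs a Kerberos-only WSMan probe so a TrustedHosts/NTLM fallback cannot mask the failure. The default host and realm names are the constructed ones from the post.

```powershell
# Added example, not code from the post. Save as Test-KerberosRemoting.ps1.
# It walks the lookups seen in the trace above: KDC SRV record for the realm,
# A record of the target inside that realm, then a Kerberos-only WSMan probe.
# Defaults are the constructed names from the post; pass your own.
param(
    [string]$ComputerName = 'NW-Remote01',
    [string]$UserPrincipalName = 'UserName@northwindtraders.com',
    [pscredential]$Credential
)

# A down-level name (NETBIOS\user) carries no DNS realm, so the client pads it with
# its own suffix (the *.contoso.com queries above). A UPN names the realm directly.
if ($UserPrincipalName -match '^[^@\\]+@(?<realm>[^@]+)$') { $realm = $Matches['realm'] }
else { throw "Use user@realm, not a down-level name: '$UserPrincipalName'" }

# 1. KDC locator record: the query that returned NW-DC01/NW-DC02 in the trace.
$srv = "_kerberos._tcp.dc._msdcs.$realm"
$kdcs = @(Resolve-DnsName -Name $srv -Type SRV -DnsOnly -ErrorAction SilentlyContinue |
          Where-Object { $_.Type -eq 'SRV' })
if ($kdcs.Count -eq 0) { Write-Warning "No SRV records for $srv; the client cannot find a KDC for $realm." }
foreach ($k in $kdcs) { Write-Host "KDC for ${realm}: $($k.NameTarget):$($k.Port)" }

# 2. The target must resolve in the remote realm; the SPN WSMAN/<fqdn> is built from this name.
$fqdn = if ($ComputerName -like "*.$realm") { $ComputerName } else { "$ComputerName.$realm" }
$a = @(Resolve-DnsName -Name $fqdn -Type A -DnsOnly -ErrorAction SilentlyContinue |
       Where-Object { $_.Type -eq 'A' })
if ($a.Count -eq 0) { Write-Warning "$fqdn does not resolve; Kerberos cannot request WSMAN/$fqdn." }
else { Write-Host "$fqdn -> $($a.IPAddress -join ', ')" }

# 3. Force Kerberos: with -Authentication Default a TrustedHosts entry would let the
#    session silently succeed over NTLM and hide the real problem.
$probe = @{ ComputerName = $fqdn; Authentication = 'Kerberos'; ErrorAction = 'Stop' }
if ($Credential) { $probe.Credential = $Credential }
try {
    $id = Test-WSMan @probe
    Write-Host "Kerberos WSMan probe succeeded (stack $($id.ProductVersion))."
}
catch {
    Write-Warning "Kerberos WSMan probe failed: $($_.Exception.Message)"
}
```

Run it once with the down-level form of the credential and once with the UPN to reproduce the difference in the post's trace.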