I have put together three similar error types I simulated in my Test laboratory. When you are prompted with the following error when using the invoke-command, the following solutions and explanation below will help you resolve this issue.
Error 1: Below is the command run to install and reboot the TechDArchive
Invoke-Command -ComputerName TechDArchive -Script {ipmo PSWindowsUpdate; Get-WUInstall -AcceptAll -AutoReboot | Out-File C:PSWindowsUpdate.log } -Verbose
Error 2: When you also run the Enter-PSSession to initiate a connection to the remote server the following error above will also be displayed.
Enter-PSSession -ComputerName TechDArchive
Error 3: The invoke-command used to run the script locally or on remote computers. Once remoting is enabled on remote machines, we can run Invoke-Command as shown below to query the WinRM service. But WE are FACED with an ERROR.
Invoke-Command -ComputerName ServerDC -ScriptBlock {Get-Service winrm}
How do we solve this? | Solution: This error is as a result of my login method as you can see in the error message above.
– This issue was as a result of the host machine (Ansibleserver) from where I was trying to connect to. I was logged into the server as a local user with the Administrators account, whereas the remote machine to which I was trying to connect was running as a domain user.
– So, when I switched to the domain user account (Chris) on the host machine, Kerberos started working and the issue got resolved.
As you can see below, the invoke-command is working correctly to get the WinRM service.
Also the invoke-command to have windows updates installed is running executing as well.
Below are the tips to ensure you are able to use the invoke-command.
– Ensure PSRemoting is enabled on the remote device.
– Ensure WinRM is running on the remote device, To determine this, run WinRM using the following command.
– Ensure the computers (servers) are added in the TrustedHosts. Instead of adding an individual host, use the asterisk to all subsequent hosts
For a similar error where the computer account could not be found, see https://techdirectarchive.com/2020/03/25/error-message-winrm-cannot-process-the-request-the-following-error-occurred-while-using-kerberos-authentication-cannot-find-the-computer-serverdc/
I hope you found this blog post helpful. If you have any questions, please let me know in the comment session.
- Remove From My Forums
-
Question
-
I have ensured that winrm is setup on both the host machines involved. Infact with ‘Unrestricted’ access via set-ExecutionPolicy
I am trying to execute a sample snippet like below:
invoke-command -ComputerName vmmserver -ScriptBlock {get-culture}But it gives me the standard error:
[vmmserver] Connecting to remote server vmmserver failed with the following error message : WinRM cannot process the
request. The following error with errorcode 0x8009030e occurred while using Kerberos authentication: A specified logon
session does not exist. It may already have been terminated.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does not exist.
-The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or
use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following command: winrm help config. For more
information, see the about_Remote_Troubleshooting Help topic.
+ CategoryInfo : OpenError: (vmmserver:String) [], PSRemotingTransportException
+ FullyQualifiedErrorId : 1312,PSSessionStateBrokenBoth the machines are in the same domain as well, so Kereberos should work right?
Is there a way by which the default kerberos authentication can be by-passed for the http transport? I do not want to open a session. Just execute a single cmdlet on the remote machine. Any pointers to fixing apart from the text in the error message would
help.Thanks
Answers
-
Thanks Elaine for checking back with me.
The issue was that the host machine from where I was trying to connect to was logged into as a local user, whereas the remote machine to which I was trying to connect was running as a domain user.
So, when I switched to the domain user account on the host machine, kerberos started working and the issue got resolved.
Warm regards,
Vinod
-
Marked as answer by
Tuesday, January 12, 2016 6:12 AM
-
Marked as answer by
Содержание
- Winrm cannot process the request 0x8009030e
- Причины ошибки 0x8009030E
- Если у вас SCVMM
- Мигрируем через Powershell
- Winrm cannot process the request 0x8009030e
- Asked by:
- Question
- All replies
- Winrm cannot process the request 0x8009030e
- Answered by:
- Question
- Answers
- All replies
Winrm cannot process the request 0x8009030e
Всем привет сегодня разберем, как решается ошибка 0x8009030E при миграции виртуальной машины Hyper-V в Windows Server 2012 R2. Напомню миграция — это перемещение виртуальной машины на другой хост виртуализации, и вот во время этого процесса возникает этот неприятный момент.
Давайте подробнее посмотрим как она выглядит, я про 0x8009030E .
Причины ошибки 0x8009030E
Первая причина у вас не включена динамическая миграция Hyper-V, проверить это можно в свойствах хоста виртуализации.
На вкладке Динамическая миграция, должна стоять галка Включить входящие и исходящие миграции.
Вторая причина у вас не включен Kerberos. Если у вас по CredSSp, не удается мигрировать выставляем тогда Kerberos, для большей безопасности, его мы еще поднастроим.
Так же если вы пытаетесь делать миграцию работающей виртуальной машины, удостоверьтесь, что у вас стоит галка в свойствах виртуалки, на вкладке Процессор (Выполнить перенос на физический компьютер с другой версией процессора). Данная галка нужна если у вас разные процессоры, так как не везде все сервера одинаковые.
Для того чтобы kerberos отработал и вы не получили 0x8009030E при миграции виртуальной машины Hyper-V в Windows Server 2012 R2, делаем следующее. Открываем оснастку Active Directory — Пользователи и компьютеры, ищем там ваши компьютеры Hyper-V и переходим в их свойства. Перехлдим на вкладку Делегирование, выставляем там Доверять компьютеру делегирование указанных служб > Использовать только Kerberos и добавляем туда две службы первая — cifs (для миграции хранилищ), вторая — Microsoft Virtual System Migration Service
Все можно теперь мигрировать спокойно.
Если у вас SCVMM
Если у вас есть scvmm, то проверьте, что в свойствах хоста
Перейдите на вкладку Доступ к узлу и проверьте, что в Учетная запись запуска от имени не пуста, если там ничег онет, то через обор добавьте.
Мигрируем через Powershell
- VMName — Имя виртуальной машины
- Hyper-V-ServerName — Имя сервера, куда вы мигрируете
- VMNameFolder — Имя папки, в которую размещается VM
Думаю было не сложно и вы победили свою ошибку 0x8009030E.
Источник
Winrm cannot process the request 0x8009030e
This forum has migrated to Microsoft Q&A. Visit Microsoft Q&A to post new questions.
Asked by:
Question
Im trying to create a PSSESSION between two Windows 2016 servers, both in the same domain. PSremoting is enabled and Test-Wsman works fine, LocalAdminTokenFilterPolicy is activated.
I want to enter the remote session on target machine with a local admin-account of the target machine, provided via the -credentials parameter. But it just works if I use a domain account.
works fine,
but:
does not.Why?
The latter results in an error: Connecting to remote server xxxxxxx failed with the following error message : WinRM cannot process the request. The following error with errorcode 0x8009030e occurred while using Kerberos authentication: There are currently no logon servers available to service the logon request.
Because the local admin account does not have permissions. Try a domain admin account or configure the remote to allow the local admin account to use WinRM.
By default the target system admin accounts all have permission to connect. If you are seeing an error you will have to troubleshoot the remote system. That is beyond the scope of this forum.
«the local admin account does not have permissions.»
and that «By default the target system admin accounts all have permission to connect. «
The official rule is that all members of the local «Adminstrators Group» have remoting permissions.
TO be sure I just tested that this is the case. If the local admin account doesn’t work you have issues on the machine or network. If IPs are configured for TrustedHosts then try by IP.
> The official rule is that all members of the local «Adminstrators Group» have remoting permissions.
Do you have maybe a Link, stating that for Server 2016?
Because in the meantime I found this: Microsoft Security Guidance Blog: Blocking. , but I am not sure what the situation is in Server 2016.
Refer to the WinRM online documents.
That article is a sub to «whats new in WinRM 2.0», 5.0 is current. But anyway, did I understand you corrrectly, that you did test this and you could enter a PSSession from a Server 2016 on another Server 2016, both joined to the same domain and you provided only credentials for the local admin account on the target machine? And that whithout any special GPO setting etc.
I am -for now- just trying to confirm that the fact that it is not working for me is an issue and not just a security feature to prevent pass-the-hash attacks.
Current WinRM is 3.0 — PS is 5.1
On a basic net install of a client the local admins can connect by default. It has not been changed.
I clearly sated above that I did test it.
Again — this is not the correct forum for break/fix issues. I recommend contacting MS Support for help tracking down the cause. There are probably more than 100 things that can cause this. The MS engineers will work with you until the issue is solved.
You issue is that the remote system is not using the correct authentication for a local account. Something is the OS is broken or misconfigured. You cannot authenticate a local account with Kerberos. The default would be to recognize the domain of the account and switch to NTLM authentication.
- Proposed as answer by Albert Ling Microsoft contingent staff Tuesday, October 24, 2017 4:35 AM
The problem with that is: I am testing this in a lab-environment, freshly installed, one DC, two member servers, all 2016. All that i did «configure», is running «enable-psremoting» on every machine.
And in this state, it runs fine with a domain account but not local admin. :/
I appreciate your answers and it is fine that you don’t wanna help further, but suggesting opening a support case with MS for hundreds of dollars for this, is absurd.
If that would be the usual way, there were no forums and MS-support had 10 times the staff.
Sorry but this forum is about scripting and not scoped for assisting with fixing OS errors. Yu need to do some troubleshooting to track down the cause. We do not have access to your systems so it is not possible for us to help you or to teach you how to troubleshoot a problem.
I am sure if anyone has had this issue and has a possible solution they will post it however, I doubt that that will happen. You will need to gather more evidence and track down the cause. Perhaps just reinstalling the broken system and testing remoting from the beginning until you find the package that has caused the issue.
You can also start by checking all of the WsMan settings by matching the configuration to a working system. There are many ways to start. Did you read the troubleshooting guide? That is also a good place to start if you are not familiar with troubleshooting WinRM.
Источник
Winrm cannot process the request 0x8009030e
This forum has migrated to Microsoft Q&A. Visit Microsoft Q&A to post new questions.
Answered by:
Question
+ CategoryInfo : OpenError: (System.Manageme. RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotin
gTransportException
+ FullyQualifiedErrorId : -2144108212,PSSessionOpenFailed
Failed to connect to an Exchange server in the current site.
Enter the server FQDN where you want to connect.:
Answers
For your question, please open IIS management and switch to Site, right-client Exchange Back End and select Bings, then select HTTPS and click Edit to change the SSL Certificate to «Microsoft Exchange». Figure as below:
Then reopen EMS to double check.
Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.
Allen Wang
TechNet Community Support
For your question, please open IIS management and switch to Site, right-client Exchange Back End and select Bings, then select HTTPS and click Edit to change the SSL Certificate to «Microsoft Exchange». Figure as below:
Then reopen EMS to double check.
Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.
Allen Wang
TechNet Community Support
I try opening EMS and I get the same error. I follow your direction and still get the same error. Any ideas?
Welcome to the Exchange Management Shell!
Full list of cmdlets: Get-Command
Only Exchange cmdlets: Get-ExCommand
Cmdlets that match a specific string: Help * *
Get general help: Help
Get help for a cmdlet: Help or -?
Exchange team blog: Get-ExBlog
Show full output for a command: | Format-List
Show quick reference guide: QuickRef
VERBOSE: Connecting to Exchange2019.XXX.local.
New-PSSession : [exchange2019.xxx.local] Connecting to remote server exchange2019.xxx.local failed with the following
error message : WinRM cannot process the request. The following error with errorcode 0x8009030e occurred while using
Kerberos authentication: A specified logon session does not exist. It may already have been terminated.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does not exist.
-The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or
use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following command: winrm help config. For more
information, see the about_Remote_Troubleshooting Help topic.
Other Possible Cause:
-The domain or computer name was not included with the specified credential, for example: DOMAINUserName or
COMPUTERUserName.
At line:1 char:1
+ New-PSSession -ConnectionURI «$connectionUri» -ConfigurationName Micr .
+
+ CategoryInfo : OpenError: (System.Manageme. RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotin
gTransportException
+ FullyQualifiedErrorId : 1312,PSSessionOpenFailed
VERBOSE: Connecting to Exchange2019.xxx.local.
New-PSSession : [exchange2019.gcs.local] Connecting to remote server exchange2019.xxx.local failed with the following
error message : WinRM cannot process the request. The following error with errorcode 0x8009030e occurred while using
Kerberos authentication: A specified logon session does not exist. It may already have been terminated.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does not exist.
-The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or
use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following command: winrm help config. For more
information, see the about_Remote_Troubleshooting Help topic.
Other Possible Cause:
-The domain or computer name was not included with the specified credential, for example: DOMAINUserName or
COMPUTERUserName.
At line:1 char:1
+ New-PSSession -ConnectionURI «$connectionUri» -ConfigurationName Micr .
+
+ CategoryInfo : OpenError: (System.Manageme. RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotin
gTransportException
+ FullyQualifiedErrorId : 1312,PSSessionOpenFailed
VERBOSE: Connecting to Exchange2019.XXX.local.
New-PSSession : [exchange2019.xxx.local] Connecting to remote server exchange2019.xxx.local failed with the following
error message : WinRM cannot process the request. The following error with errorcode 0x8009030e occurred while using
Kerberos authentication: A specified logon session does not exist. It may already have been terminated.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does not exist.
-The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or
use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following command: winrm help config. For more
information, see the about_Remote_Troubleshooting Help topic.
Other Possible Cause:
-The domain or computer name was not included with the specified credential, for example: DOMAINUserName or
COMPUTERUserName.
At line:1 char:1
+ New-PSSession -ConnectionURI «$connectionUri» -ConfigurationName Micr .
+
+ CategoryInfo : OpenError: (System.Manageme. RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotin
gTransportException
+ FullyQualifiedErrorId : 1312,PSSessionOpenFailed
Exception calling «FindAll» with «0» argument(s): «Unknown error (0x80005000)»
At C:Program FilesMicrosoftExchange ServerV15binConnectFunctions.ps1:253 char:2
+ $search.FindAll()
+
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : COMException
_AutoDiscoverAndConnect : No Exchange servers are available in any Active Directory sites. You can’t connect to remote
Powershell on a computer that only has the Management Tools role installed.
At C:Program FilesMicrosoftExchange ServerV15binConnectFunctions.ps1:45 char:4
+ _AutoDiscoverAndConnect $credential $Forest -useWIA:$useW .
+
+ CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,_AutoDiscoverAndConnect
Failed to connect to an Exchange server in the current site.
Enter the server FQDN where you want to connect.:
Источник
I have a HA-Proxy, which handles the SSL encryption but cannot handle the SMTPS or IMAPS encryption.
So I have installed openssh on the Exchange server and I have written a powershell script to do the import and enable stuff.
My Problem is now, when I launch the Script via ssh from the linux machine, It gives me this Error:
root@Test-Proxy-01:~/bin# ssh administrator@exchange@192.168.70.100 powershell C:\Scripts\Working\Renew_Cert\Renew_Cert.ps1 -Path C:\Scripts\Working\Renew_Cert\Cert\testexchange.hosttech.eu.pfx
VERBOSE: Connecting to EX-01.exchange.test.
New-PSSession : [ex-01.exchange.test] Connecting to remote server ex-01.exchange.test failed with the following error
message : WinRM cannot process the request. The following error with errorcode 0x8009030e occurred while using
Kerberos authentication: A specified logon session does not exist. It may already have been terminated.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does not exist.
-The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or
use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following command: winrm help config. For more
information, see the about_Remote_Troubleshooting Help topic.
Other Possible Cause:
-The domain or computer name was not included with the specified credential, for example: DOMAINUserName or
COMPUTERUserName.
At line:1 char:1
+ New-PSSession -ConnectionURI "$connectionUri" -ConfigurationName Micr ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotin
gTransportException
+ FullyQualifiedErrorId : 1312,PSSessionOpenFailed
Exception calling "GetComputerSite" with "0" argument(s): "An operations error occurred.
"
At C:Program FilesMicrosoftExchange ServerV15binConnectFunctions.ps1:164 char:2
+ $localSite=[System.DirectoryServices.ActiveDirectory.ActiveDirect ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : ActiveDirectoryOperationException
Failed to connect to an Exchange server in the current site.
I am logged in as domain administrator and to initialize the Exchange Shell, I have this on top of my script:
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010 . "$PSScriptRootRemote_ConnectRemoteExchange.ps1" Connect-ExchangeServer -auto
The RemoteExchange.ps1 was slightly modifyed to remove the banner. This Worked so far, when run locally.
How can I successfully start the script?
I’ve made a app in C# that remotly updates the hosts file of the computers on our domain using powershell remoting. It works great but entry level IT Support position in our company do not have their domain accounts part of the admin group on our workstations. They can however use a local admin account. I’m trying to add a ‘Connect using a different account’ feature but quickly ran into some hurdles. I’ve fixed all of them but one:
I cannot get it to authenticate using a remote local account and all of my Googling hasn’t yielded any solutions.
Here’s the code I’m using to update the hosts file:
psInstance.AddScript("Invoke-Command -ComputerName " + computerName + " -ScriptBlock { "" +
hostsTextBox.Text.Replace(""", "`"") + "" | Out-File c:\windows\system32\drivers\etc\hosts }" +
(differentCredentialsCheckbox.Checked ? "-Credential "" + computerName + "\" -Authentication Negotiate " : ""));
When using different credentials, it fails with the following message:
[COMPUTERNAME] Connecting to remote server COMPUTERNAME failed with the following
error message : WinRM cannot process the request. The following error with error code
0x8009030e occurred while using Negotiate authentication: A specified logon session
does not exist. It may already have been terminated. This can occur if the provided
credentials are not valid on the target server, or if the server identity could not
be verified. If you trust the server identity, add the server name to the
TrustedHosts list, and then retry the request. Use winrm.cmd to view or edit the
TrustedHosts list. Note that computers in the TrustedHosts list might not be
authenticated. For more information about how to edit the TrustedHosts list, run the
following command: winrm help config. For more information, see the
about_Remote_Troubleshooting Help topic.
+ CategoryInfo : OpenError: (COMPUTERNAME:String) [], PSRemotingTransportException
+ FullyQualifiedErrorId : 1312,PSSessionStateBroken
Now if I understand correctly using a remote local account only works if:
-
The connection is made using HTTPS however that brings it own set of problems. A certificate would need to be created for each computer the tool is meant to be used and install on our 500+ workstations. Also, the process need to be started over if the technician gets a new computer (which shouldn’t happen often but has a non-zero possibility)
-
The computers trusts each other using TrustedHosts but that too has the same problems as #1.
Note: We are the local IT group working at one of the branch of a multinational company, we do not have access to GPO so we do not have any easy ways of pushing certificates to our workstations. Also, each groups within our branch are secluded on their own VLAN.
Does anyone can think of a way to achieve what I’m trying to do?
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and
privacy statement. We’ll occasionally send you account related emails.
Already on GitHub?
Sign in
to your account
Closed
LeeHolmes opened this issue
Feb 20, 2021
· 4 comments
Comments
When logged on to your machine using a Microsoft Account (something that Microsoft is pushing on very hard), WinRM generates an error when you try to use loopback remoting (i.e.: for experimentation): “Connecting to remote server localhost failed with the following error message : WinRM cannot process the request. The following error with errorcode 0x8009030e occurred while using Negotiate authentication: A specified logon session does not exist. It may already have been terminated.”
You can work around this by “-EnableNetworkAccess” (which you shouldn’t have to do), or using a local account. This also happens with Windows PowerShell, but is for sure a regression from some point in the past.
Are you running as administrator beforehand? I know 2 or so years ago Microsoft stopped this from working with normal accounts due to a CVE that allows a limited access token to elevate to the admin token. I don’t fully agree with the CVE as UAC is not meant to be a security boundary but I doubt this will go back to the way it was before. More details are in https://devblogs.microsoft.com/powershell/windows-security-change-affecting-powershell/.
PowerShell Team
Windows Security change affecting PowerShell January 9, 2019 The recent (1/8/2019) Windows security patch CVE-2019-0543, has introduced a breaking change for a PowerShell remoting scenario. It is a narrowly scoped scenario that should have low impact for most users. The breaking change only affects local loopback remoting,
Copy link
Contributor
Author
Yep — different error messages. This is a difference between Microsoft Accounts and local accounts.
Ah my apologies, I wonder if it also affects a
non-loop back scenario, I.e from another windows host with the Microsoft account credentials. I know that NTLM has special behaviour when it comes to authenticating the implicit credentials over localhost so knowing whether it’s just the loop back scenario would help track that down.
Ultimately I don’t think the issue is with PowerShell itself as the logon process is all handled by the WinRM service and that’s where the error message is coming from. PowerShell could try and bypass it by automatically adding the -EnableNetworkAccess in this situation.
The authentication and logon is handled by WinRM and not directly by PowerShell. This would have to be taken up by the owners of WinRM.
Our Exchange 2013 Management Shell stopped working. We’ve got two VMs named dc.domain.local and exchange.domain.local running on Windows Server 2012. Starting the EMS on exchange produces the following:
New-PSSession : [exchange.domain.local] Connecting to remote server exchange.domain.local failed with the following
error message : WinRM cannot process the request. The following error with error code 0x8009030e occurred while using Negotiate authentication: A specified logon session does not exist.
(…)
+ New-PSSession -ConnectionURI «$connectionUri» -ConfigurationName Microsoft.Excha …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OpenError: (System.Manageme….RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotingTransportException
+ FullyQualifiedErrorId : 1312,PSSessionOpenFailed
(in fact, the message is in German. Here’s the entire original message:)
New-PSSession : [exchange.domain.local] Beim Verbinden mit dem Remoteserver «exchange.domain.local» ist folgender Fehler aufgetreten: Die Anforderung kann von WinRM nicht verarbeitet werden. Bei Verwendung der Kerberos-Authentifizierung ist der folgende Fehler mit Fehlercode 0x8009030e aufgetreten: Eine angegebene Anmeldesitzung ist nicht vorhanden. Sie wurde gegebenenfalls bereits beendet.
. Mögliche Ursachen:
— Der angegebene Benutzername oder das angegebene Kennwort ist ungültig.
— Kerberos wird verwendet, wenn keine Authentifizierungsmethode und kein Benutzername angegeben werden.
— Kerberos akzeptiert Domänenbenutzernamen, aber keine lokale Benutzernamen.
— Der Dienstprinzipalname (Service Principal Name, SPN) für den Remotecomputernamen und -port ist nicht vorhanden.
— Der Clientcomputer und der Remotecomputer befinden sich in unterschiedlichen Domänen, zwischen denen keine Vertrauensbeziehung besteht.
Wenn Sie die oben genannten Ursachen überprüft haben, probieren Sie folgende Aktionen aus:
— Suchen Sie in der Ereignisanzeige nach Ereignissen im Zusammenhang mit der Authentifizierung.
— Ändern Sie die Authentifizierungsmethode; fügen Sie den Zielcomputer der Konfigurationseinstellung «TrustedHosts» für WinRM hinzu, oder verwenden Sie den HTTPS-Transport. Beachten Sie, dass Computer in der TrustedHosts-Liste möglicherweise nicht authentifiziert sind.
— Führen Sie den folgenden Befehl aus, um weitere Informationen zur WinRM-Konfiguration zu erhalten: «winrm help config». Weitere Informationen finden Sie im Hilfethema «about_Remote_Troubleshooting».
In Zeile:1 Zeichen:1
+ New-PSSession -ConnectionURI «$connectionUri» -ConfigurationName Microsoft.Excha …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OpenError: (System.Manageme….RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotingTransportException
+ FullyQualifiedErrorId : 1312,PSSessionOpenFailed
Interestingly, my exchange server doesn’t seem to be amont the Trusted Hosts any longer:
[PS] C:Windowssystem32>ls WSMan:localhostClientTrustedHosts
WSManConfig: Microsoft.WSMan.ManagementWSMan::localhostClient
Type Name SourceOfValue Value
---- ---- ------------- -----
System.String TrustedHosts
[PS] C:Windowssystem32>
Open in new window
What happened? I remember we replaced an expired SSL certificate lately, but it was updated in all bindings in IIS.
Did we miss anything? Do we need to re-insert exchange into the TrustedHosts list? (Probably.) How?