
October 2, 2015 at 1:11 am

When trying to connect to "server1" I receive the error below. The strange part, for me: connecting to "server2" works without issue.
Both servers have PowerShell 5 installed, and I ran Enable-PSRemoting.
The only difference I am aware of: server1 is Windows Server 2012, and server2 is Windows Server 2012 R2.

Checked the SPNs (results below, same between servers)
Checked the results of "WinRM get winrm/config/client" (result below, same between servers)
Checked if there could be a firewall issue (results below, same between servers)
Ran Test-WSMan, for server1 that resulted in an error. (results below)

So the big question: What would it take to get PSRemoting working on server1? Preferably without CredSSP.

PS U:\> Enter-PSSession : Connecting to remote server server1 failed with the following error message : WinRM cannot process the request. The following error with errorcode 0x80090322 occurred while using Kerberos authentication: An
unknown security error occurred.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does not exist.
-The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ Enter-PSSession 'server1' -Credential:'mydomain\me'
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (server1:String) [Enter-PSSession], PSRemotingTransportException
+ FullyQualifiedErrorId : CreateRemoteRunspaceFailed

PS U:\> setspn -l server1
Registered ServicePrincipalNames for CN=server1,OU=Servers,DC=mydomain,DC=com:
WSMAN/server1.mydomain.com
WSMAN/server1
TERMSRV/server1.mydomain.com
TERMSRV/server1
RestrictedKrbHost/server1
HOST/server1
RestrictedKrbHost/server1.mydomain.com
HOST/server1.mydomain.com

PS U:\> setspn -l server2
Registered ServicePrincipalNames for CN=server2,OU=Servers,DC=mydomain,DC=com:
TERMSRV/server2
TERMSRV/server2.mydomain.com
WSMAN/server2.mydomain.com
WSMAN/server2
RestrictedKrbHost/server2
HOST/server2
RestrictedKrbHost/server2.mydomain.com
HOST/server2.mydomain.com

On both servers:
PS C:\Windows\system32> WinRM get winrm/config/client
Client
NetworkDelayms = 5000
URLPrefix = wsman
AllowUnencrypted = false
Auth
Basic = true
Digest = true
Kerberos = true
Negotiate = true
Certificate = true
CredSSP = false
DefaultPorts
HTTP = 5985
HTTPS = 5986
TrustedHosts

PS U:\> Test-NetConnection -ComputerName server1 -Port 5985 | Select TcpTestSucceeded

TcpTestSucceeded
----------------
True

PS U:\> Test-NetConnection -ComputerName server1 -Port 5986 | Select TcpTestSucceeded
WARNING: TCP connect to server1:5986 failed

TcpTestSucceeded
----------------
False

PS U:\> Test-NetConnection -ComputerName server2 -Port 5985 | Select TcpTestSucceeded

TcpTestSucceeded
----------------
True

PS U:\> Test-NetConnection -ComputerName server2 -Port 5986 | Select TcpTestSucceeded
WARNING: TCP connect to server2:5986 failed

TcpTestSucceeded
----------------
False

PS U:\> Test-WSMan -ComputerName server1 -Authentication Kerberos
Test-WSMan : WinRM cannot process the
request. The following error with errorcode 0x80090322 occurred while using Kerberos
authentication: An unknown security error occurred.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does not exist.
-The client and remote computers are in different domains and there is no trust between the two
domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM TrustedHosts
configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following command: winrm help config.

At line:1 char:1
+ Test-WSMan -ComputerName server1 -Authentication Kerberos
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (server1:String) [Test-WSMan], InvalidOperationException
+ FullyQualifiedErrorId : WsManError,Microsoft.WSMan.Management.TestWSManCommand

PS U:\> Test-WSMan -ComputerName server2 -Authentication Kerberos

wsmid : http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd
ProtocolVersion : http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
ProductVendor : Microsoft Corporation

ProductVersion : OS: 6.3.9600 SP: 0.0 Stack: 3.0

October 2, 2015 at 1:51 am

Hi Jonathan,

Thanks for your (prompt) response!
I checked the link, but I'll need a bit more help to get that translated to my situation.

I have not setup any certificates on server1, nor on server2. If I understand it correctly, the Test-WSMan command does not use SSL (unless explicitly specifying it).

Hugo

October 2, 2015 at 5:02 am

Are any Kerberos Error or failure events generated in the System or Security event logs? One possibility is that you have a large Kerberos Token due to many group memberships. One server could be configured with a larger max token size than the other.

October 2, 2015 at 10:59 am

Hi Curtis,

Many thanks for the suggestion. I took a look and can rule this out. I don't see errors as a result of my logon attempts.

Hugo

October 2, 2015 at 5:17 pm

Another possibility is that the SPN may not be registered to the computer account; there are times when other services have registered the SPN to a domain account. I have seen it a lot with SQL, and IIS can also cause the issue with WSMan. See https://social.technet.microsoft.com/Forums/windows/en-US/a4c5c787-ea65-4150-8d16-2a19c569a589/enterpssession-winrm-cannot-process-the-request-kerberos-authentication-error-0x80090322?forum=winserverpowershell
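A client-side check for the two suggestions in this thread (Kerberos events in the System log, and WSMAN/HOST SPNs held by an account other than the computer account), written as an added example rather than code from any poster. It assumes a domain-joined client with read access to AD and uses the host name server1 from the original question; the function names are my own.

```powershell
# Added diagnostic for the 0x80090322 thread above; assumes a domain-joined
# client, read access to AD, and the target name from the original post.
param([string]$Server = 'server1')

function Find-SpnOwners {
    # Every AD account holding a WSMAN/ or HOST/ SPN for the server. WinRM
    # runs as the computer account, so Kerberos only works when that account
    # is the sole owner; a second owner (SQL, IIS app pool, ...) can make the
    # KDC issue a ticket the service cannot decrypt (KRB_AP_ERR_MODIFIED).
    param([string]$Name)
    $filter   = "(|(servicePrincipalName=WSMAN/$Name*)(servicePrincipalName=HOST/$Name*))"
    $searcher = [adsisearcher]$filter          # DirectorySearcher on the default naming context
    $searcher.PageSize = 500
    $null = $searcher.PropertiesToLoad.AddRange(@('distinguishedName', 'servicePrincipalName', 'objectClass'))
    foreach ($r in $searcher.FindAll()) {
        [pscustomobject]@{
            Account = [string]$r.Properties['distinguishedname'][0]
            # objectClass is a chain (top, person, ..., computer); the last entry is the concrete class
            Class   = [string]($r.Properties['objectclass'] | Select-Object -Last 1)
            SPNs    = @($r.Properties['serviceprincipalname']) -match "^(WSMAN|HOST)/$Name"
        }
    }
}

function Get-RecentKerberosErrors {
    # Client-side Kerberos events from the System log. Event ID 4 is the
    # KRB_AP_ERR_MODIFIED message that a mis-registered SPN produces.
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Security-Kerberos'
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

$owners = @(Find-SpnOwners -Name $Server)
$owners | Format-List
$nonComputer = @($owners | Where-Object Class -ne 'computer')
if ($nonComputer.Count -gt 0) {
    Write-Warning "WSMAN/HOST SPNs for $Server are also held by: $($nonComputer.Account -join ', ')"
}
Get-RecentKerberosErrors | Format-Table -AutoSize
```

`setspn -X` performs the same duplicate-SPN search forest-wide and is the quicker check when many hosts are involved; the script above is useful when you want to see which account holds the conflicting entry for one server.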