Enter-PSSession fails to Windows server 2012

This topic contains 5 replies, has 3 voices, and was last updated by Jonathan Warnken 1 year, 9 months ago.

  • #30364
    Hugo Tap
    Participant

    When trying to connect to "server1" I receive the error below. The, for me, strange part: connecting to "server2" works without issue.
    Both servers have PowerShell 5 installed, and I ran Enable-PSRemoting.
    The only difference I am aware of: server1 is Windows Server 2012, and server2 is Windows Server 2012 R2

    Checked the SPNs (results below, same between servers)
    Checked the results of "WinRM get winrm/config/client" (result below, same between servers)
    Checked if there could be a firewall issue (results below, same between servers)
    Ran Test-WSMan, for server1 that resulted in an error. (results below)

    So the big question: What would it take to get PSRemoting working on server1? Preferably without CredSSP.

    PS U:\> Enter-PSSession : Connecting to remote server server1 failed with the following error message : WinRM cannot process the request. The following error with errorcode 0x80090322 occurred while using Kerberos authentication: An
    unknown security error occurred.
    Possible causes are:
    -The user name or password specified are invalid.
    -Kerberos is used when no authentication method and no user name are specified.
    -Kerberos accepts domain user names, but not local user names.
    -The Service Principal Name (SPN) for the remote computer name and port does not exist.
    -The client and remote computers are in different domains and there is no trust between the two domains.
    After checking for the above issues, try the following:
    -Check the Event Viewer for events related to authentication.
    -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
    Note that computers in the TrustedHosts list might not be authenticated.
    -For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
    At line:1 char:1
    + Enter-PSSession 'server1' -Credential:'mydomain\me'
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidArgument: (server1:String) [Enter-PSSession], PSRemotingTransportException
    + FullyQualifiedErrorId : CreateRemoteRunspaceFailed

    PS U:\> setspn -l server1
    Registered ServicePrincipalNames for CN=server1,OU=Servers,DC=mydomain,DC=com:
    WSMAN/server1.mydomain.com
    WSMAN/server1
    TERMSRV/server1.mydomain.com
    TERMSRV/server1
    RestrictedKrbHost/server1
    HOST/server1
    RestrictedKrbHost/server1.mydomain.com
    HOST/server1.mydomain.com

    PS U:\> setspn -l server2
    Registered ServicePrincipalNames for CN=server2,OU=Servers,DC=mydomain,DC=com:
    TERMSRV/server2
    TERMSRV/server2.mydomain.com
    WSMAN/server2.mydomain.com
    WSMAN/server2
    RestrictedKrbHost/server2
    HOST/server2
    RestrictedKrbHost/server2.mydomain.com
    HOST/server2.mydomain.com

    On both servers:
    PS C:\Windows\system32> WinRM get winrm/config/client
    Client
    NetworkDelayms = 5000
    URLPrefix = wsman
    AllowUnencrypted = false
    Auth
    Basic = true
    Digest = true
    Kerberos = true
    Negotiate = true
    Certificate = true
    CredSSP = false
    DefaultPorts
    HTTP = 5985
    HTTPS = 5986
    TrustedHosts

    PS U:\> Test-NetConnection -ComputerName server1 -Port 5985 | Select TcpTestSucceeded

    TcpTestSucceeded
    ----------------
    True

    PS U:\> Test-NetConnection -ComputerName server1 -Port 5986 | Select TcpTestSucceeded
    WARNING: TCP connect to server1:5986 failed

    TcpTestSucceeded
    ----------------
    False

    PS U:\> Test-NetConnection -ComputerName server2 -Port 5985 | Select TcpTestSucceeded

    TcpTestSucceeded
    ----------------
    True

    PS U:\> Test-NetConnection -ComputerName server2 -Port 5986 | Select TcpTestSucceeded
    WARNING: TCP connect to server2:5986 failed

    TcpTestSucceeded
    ----------------
    False

    PS U:\> Test-WSMan -ComputerName server1 -Authentication Kerberos
    Test-WSMan : WinRM cannot process the
    request. The following error with errorcode 0x80090322 occurred while using Kerberos
    authentication: An unknown security error occurred.
    Possible causes are:
    -The user name or password specified are invalid.
    -Kerberos is used when no authentication method and no user name are specified.
    -Kerberos accepts domain user names, but not local user names.
    -The Service Principal Name (SPN) for the remote computer name and port does not exist.
    -The client and remote computers are in different domains and there is no trust between the two
    domains.
    After checking for the above issues, try the following:
    -Check the Event Viewer for events related to authentication.
    -Change the authentication method; add the destination computer to the WinRM TrustedHosts
    configuration setting or use HTTPS transport.
    Note that computers in the TrustedHosts list might not be authenticated.
    -For more information about WinRM configuration, run the following command: winrm help config.

    At line:1 char:1
    + Test-WSMan -ComputerName server1 -Authentication Kerberos
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidOperation: (server1:String) [Test-WSMan], InvalidOperationException
    + FullyQualifiedErrorId : WsManError,Microsoft.WSMan.Management.TestWSManCommand

    PS U:\> Test-WSMan -ComputerName server2 -Authentication Kerberos

    wsmid : http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd
    ProtocolVersion : http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
    ProductVendor : Microsoft Corporation

    ProductVersion : OS: 6.3.9600 SP: 0.0 Stack: 3.0

  • #30365
    Jonathan Warnken
    Participant
  • #30366
    Hugo Tap
    Participant

    Hi Jonathan,

    Thanks for your (prompt) response!
    I checked the link, but I'll need a bit more help to get that translated to my situation.

    I have not set up any certificates on server1, nor on server2. If I understand it correctly, the Test-WSMan command does not use SSL (unless explicitly specifying it).

    Hugo

  • #30369
    Curtis Smith
    Participant

    Are any Kerberos Error or failure events generated in the System or Security event logs? One possibility is that you have a large Kerberos Token due to many group memberships. One server could be configured with a larger max token size than the other.

  • #30380
    Hugo Tap
    Participant

    Hi Curtis,

    Many thanks for the suggestion. I took a look and can rule this out. I don't see errors as a result of my logon attempts.

    Hugo

  • #30385
    Jonathan Warnken
    Participant

    Another possibility is that the SPN may not be registered to the computer account; there are times when other services may have registered the SPN to a domain account. I have seen it a lot with SQL, and IIS can cause the issue with WSMan; see https://social.technet.microsoft.com/Forums/windows/en-US/a4c5c787-ea65-4150-8d16-2a19c569a589/enterpssession-winrm-cannot-process-the-request-kerberos-authentication-error-0x80090322?forum=winserverpowershell
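
Added example, not part of any post in this thread: `setspn -l server1` lists only the SPNs held by the server1 computer account, so it cannot show an SPN for the same host name that sits on a different account. The function below (the name `Find-SpnOwner` and its parameters are hypothetical) searches the current domain for every account holding an HTTP, WSMAN or HOST SPN for a host and flags owners other than the computer account, as well as duplicates. It assumes a domain-joined machine and read access to Active Directory.

```powershell
# Added example: who owns the SPNs that a Kerberos WinRM logon to this host
# can resolve to? Searches the current domain only (an assumption; SPNs must
# be unique forest-wide, so a multi-domain forest needs a global catalog query).
function Find-SpnOwner {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ComputerName,   # short name, e.g. server1
        [Parameter(Mandatory)][string]$DnsDomain,      # e.g. mydomain.com
        [string[]]$ServiceClass = @('HTTP', 'WSMAN', 'HOST')
    )

    $expectedSam = "$ComputerName`$"   # computer account sAMAccountName ends in '$'

    foreach ($class in $ServiceClass) {
        foreach ($hostName in $ComputerName, "$ComputerName.$DnsDomain") {
            $spn      = "$class/$hostName"
            $searcher = [adsisearcher]"(servicePrincipalName=$spn)"
            $searcher.PropertiesToLoad.AddRange(
                [string[]]@('samaccountname', 'distinguishedname'))
            $hits = @($searcher.FindAll())

            foreach ($hit in $hits) {
                $sam = [string]$hit.Properties['samaccountname'][0]
                [pscustomobject]@{
                    SPN               = $spn
                    Account           = $sam
                    DistinguishedName = [string]$hit.Properties['distinguishedname'][0]
                    OnComputerAccount = ($sam -eq $expectedSam)
                    Duplicate         = ($hits.Count -gt 1)
                }
            }
        }
    }
}

# Host and domain names as used in the thread. Any row returned here is an SPN
# held by something other than the computer account, or held more than once.
Find-SpnOwner -ComputerName server1 -DnsDomain mydomain.com |
    Where-Object { -not $_.OnComputerAccount -or $_.Duplicate } |
    Format-Table SPN, Account, DistinguishedName -AutoSize
```

The same lookup for a single name is `setspn -Q HTTP/server1`, and `setspn -X` reports duplicate SPNs.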
