Enter-PSSession fails to Windows server 2012

This topic contains 5 replies, has 3 voices, and was last updated by Jonathan Warnken 1 year, 11 months ago.

  • #30364

    Hugo Tap
    Participant

    When trying to connect to "server1" I receive the error below. The, for me, strange part: connecting to "server2" works without issue.
    Both servers have PowerShell 5 installed, and I ran Enable-PSRemoting.
    The only difference I am aware of: server1 is Windows Server 2012, and server2 is Windows Server 2012 R2

    Checked the SPNs (results below, same between servers)
    Checked the results of "WinRM get winrm/config/client" (result below, same between servers)
    Checked if there could be a firewall issue (results below, same between servers)
    Ran Test-WSMan, for server1 that resulted in an error. (results below)

    So the big question: What would it take to get PSRemoting working on server1? Preferably without CredSSP.

    PS U:\> Enter-PSSession : Connecting to remote server server1 failed with the following error message : WinRM cannot process the request. The following error with errorcode 0x80090322 occurred while using Kerberos authentication: An
    unknown security error occurred.
    Possible causes are:
    -The user name or password specified are invalid.
    -Kerberos is used when no authentication method and no user name are specified.
    -Kerberos accepts domain user names, but not local user names.
    -The Service Principal Name (SPN) for the remote computer name and port does not exist.
    -The client and remote computers are in different domains and there is no trust between the two domains.
    After checking for the above issues, try the following:
    -Check the Event Viewer for events related to authentication.
    -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
    Note that computers in the TrustedHosts list might not be authenticated.
    -For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
    At line:1 char:1
    + Enter-PSSession 'server1' -Credential:'mydomain\me'
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidArgument: (server1:String) [Enter-PSSession], PSRemotingTransportException
    + FullyQualifiedErrorId : CreateRemoteRunspaceFailed

    PS U:\> setspn -l server1
    Registered ServicePrincipalNames for CN=server1,OU=Servers,DC=mydomain,DC=com:
    WSMAN/server1.mydomain.com
    WSMAN/server1
    TERMSRV/server1.mydomain.com
    TERMSRV/server1
    RestrictedKrbHost/server1
    HOST/server1
    RestrictedKrbHost/server1.mydomain.com
    HOST/server1.mydomain.com

    PS U:\> setspn -l server2
    Registered ServicePrincipalNames for CN=server2,OU=Servers,DC=mydomain,DC=com:
    TERMSRV/server2
    TERMSRV/server2.mydomain.com
    WSMAN/server2.mydomain.com
    WSMAN/server2
    RestrictedKrbHost/server2
    HOST/server2
    RestrictedKrbHost/server2.mydomain.com
    HOST/server2.mydomain.com

    On both servers:
    PS C:\Windows\system32> WinRM get winrm/config/client
    Client
    NetworkDelayms = 5000
    URLPrefix = wsman
    AllowUnencrypted = false
    Auth
    Basic = true
    Digest = true
    Kerberos = true
    Negotiate = true
    Certificate = true
    CredSSP = false
    DefaultPorts
    HTTP = 5985
    HTTPS = 5986
    TrustedHosts

    PS U:\> Test-NetConnection -ComputerName server1 -Port 5985 | Select TcpTestSucceeded

    TcpTestSucceeded
    ----------------
    True

    PS U:\> Test-NetConnection -ComputerName server1 -Port 5986 | Select TcpTestSucceeded
    WARNING: TCP connect to server1:5986 failed

    TcpTestSucceeded
    ----------------
    False

    PS U:\> Test-NetConnection -ComputerName server2 -Port 5985 | Select TcpTestSucceeded

    TcpTestSucceeded
    ----------------
    True

    PS U:\> Test-NetConnection -ComputerName server2 -Port 5986 | Select TcpTestSucceeded
    WARNING: TCP connect to server2:5986 failed

    TcpTestSucceeded
    ----------------
    False

    PS U:\> Test-WSMan -ComputerName server1 -Authentication Kerberos
    Test-WSMan : WinRM cannot process the
    request. The following error with errorcode 0x80090322 occurred while using Kerberos
    authentication: An unknown security error occurred.
    Possible causes are:
    -The user name or password specified are invalid.
    -Kerberos is used when no authentication method and no user name are specified.
    -Kerberos accepts domain user names, but not local user names.
    -The Service Principal Name (SPN) for the remote computer name and port does not exist.
    -The client and remote computers are in different domains and there is no trust between the two
    domains.
    After checking for the above issues, try the following:
    -Check the Event Viewer for events related to authentication.
    -Change the authentication method; add the destination computer to the WinRM TrustedHosts
    configuration setting or use HTTPS transport.
    Note that computers in the TrustedHosts list might not be authenticated.
    -For more information about WinRM configuration, run the following command: winrm help config.

    At line:1 char:1
    + Test-WSMan -ComputerName server1 -Authentication Kerberos
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidOperation: (server1:String) [Test-WSMan], InvalidOperatio
    nException
    + FullyQualifiedErrorId : WsManError,Microsoft.WSMan.Management.TestWSManCommand

    PS U:\> Test-WSMan -ComputerName server2 -Authentication Kerberos

    wsmid : http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd
    ProtocolVersion : http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
    ProductVendor : Microsoft Corporation

    ProductVersion : OS: 6.3.9600 SP: 0.0 Stack: 3.0

  • #30365

    Jonathan Warnken
    Participant
  • #30366

    Hugo Tap
    Participant

    Hi Jonathan,

    Thanks for your (prompt) response!
    I checked the link, but I'll need a bit more help to get that translated to my situation.

    I have not set up any certificates on server1, nor on server2. If I understand it correctly, the Test-WSMan command does not use SSL (unless explicitly specifying it).

    Hugo

  • #30369

    Curtis Smith
    Participant

    Are any Kerberos Error or failure events generated in the System or Security event logs? One possibility is that you have a large Kerberos Token due to many group memberships. One server could be configured with a larger max token size than the other.

  • #30380

    Hugo Tap
    Participant

    Hi Curtis,

    Many thanks for the suggestion. I took a look and can rule this out. I don't see errors as a result of my logon attempts.

    Hugo

  • #30385

    Jonathan Warnken
    Participant

    Another possibility is that the SPN may not be registered to the computer account; there are times when other services may have registered the SPN to a domain account. I have seen it a lot with SQL, and IIS can cause the issue with wsman; see https://social.technet.microsoft.com/Forums/windows/en-US/a4c5c787-ea65-4150-8d16-2a19c569a589/enterpssession-winrm-cannot-process-the-request-kerberos-authentication-error-0x80090322?forum=winserverpowershell
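
Added example, not part of the thread and not any participant's code: `setspn -l server1` lists only the SPNs held by the computer account, so it cannot reveal an SPN for the same host that sits on a different account. The sketch below flags such SPNs; the function name `Find-MisplacedSpn`, the `svc-web` account and the sample directory data are constructed for illustration, and including the HTTP class rests on the assumption that the WinRM client requests an HTTP/<host> ticket on port 5985.

```powershell
# Constructed sample data (not from the thread): accounts and the SPNs on them.
# 'svc-web' is a hypothetical service account holding HTTP SPNs for server1.
$sampleAccounts = @(
    [pscustomobject]@{ SamAccountName = 'SERVER1$'
        ServicePrincipalName = @('WSMAN/server1', 'WSMAN/server1.mydomain.com',
                                 'HOST/server1', 'HOST/server1.mydomain.com') }
    [pscustomobject]@{ SamAccountName = 'svc-web'
        ServicePrincipalName = @('HTTP/server1', 'HTTP/server1.mydomain.com:8080') }
    [pscustomobject]@{ SamAccountName = 'SERVER2$'
        ServicePrincipalName = @('WSMAN/server2', 'HOST/server2') }
)

# Live data instead of the sample (assumes a domain-joined session):
# $accounts = ([adsisearcher]'(servicePrincipalName=*/server1*)').FindAll() |
#     ForEach-Object { [pscustomobject]@{
#         SamAccountName       = [string]$_.Properties['samaccountname'][0]
#         ServicePrincipalName = @($_.Properties['serviceprincipalname']) } }

function Find-MisplacedSpn {
    param(
        [Parameter(Mandatory)] [string]   $ComputerName,
        [Parameter(Mandatory)] [string]   $Domain,
        [Parameter(Mandatory)] [object[]] $Accounts,
        # Service classes that matter for WinRM over HTTP (assumption, see lead-in).
        [string[]] $ServiceClass = @('HTTP', 'WSMAN', 'HOST')
    )
    $expectedOwner = "$ComputerName`$"                      # computer account name
    $hostNames     = @($ComputerName, "$ComputerName.$Domain")
    foreach ($account in $Accounts) {
        foreach ($spn in $account.ServicePrincipalName) {
            # SPN layout: class/host[:port][/servicename]
            $class, $rest = $spn -split '/', 2
            $spnHost = ($rest -split '[:/]')[0]
            if ($ServiceClass -contains $class -and
                $hostNames -contains $spnHost -and
                $account.SamAccountName -ne $expectedOwner) {
                [pscustomobject]@{ Spn          = $spn
                                   RegisteredTo = $account.SamAccountName
                                   Expected     = $expectedOwner }
            }
        }
    }
}

Find-MisplacedSpn -ComputerName server1 -Domain mydomain.com -Accounts $sampleAccounts
# Built-in lookup for a single SPN on a live domain: setspn -Q HTTP/server1
```

Any row returned means a ticket for that SPN is issued for an account other than the computer account, which is the condition the post above describes.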
