Get-Service -ComputerName in PSSession (require other privileges)

This topic contains 3 replies, has 2 voices, and was last updated by Don Jones 3 years, 3 months ago.

  • #15129

    AlbertWa
    Participant

    Hi

    I can successfully create a remote session using Enter-PSSession to a server SRV_A from a computer MyComputer. Inside this session, if I execute the cmdlet Get-Service -ComputerName ComputerB, I get the error "Cannot open Service Control Manager on computer 'ComputerB'. This operation might require other privileges.". But when I run the cmdlet "Get-Service -ComputerName ComputerB" from a PowerShell session directly on SRV_A, it runs correctly. Of course, I use the same user to create the remote session (cmdlet Enter-PSSession) as when I log on directly to SRV_A. All machines have PowerShell 4.0 installed, and SRV_A and ComputerB are in the same domain.

    What is wrong? Can we not use "Get-Service -ComputerName xxx" inside a remote PowerShell session? Do we not get exactly the same rights in a remote PowerShell session as in a "normal" PowerShell session with the same user?

    Thank you for any help

  • #15130

    Don Jones
    Keymaster

    You're running into the "double hop" problem, as described in "Secrets of PowerShell Remoting."

    Your credential delegates when you remote to SRV_A. However, once there, your credential cannot (by default) be delegated further. So SRV_A cannot access non-local resources.

    The ebook Secrets of PowerShell Remoting describes this in more detail and offers solutions, which usually require enabling additional authentication mechanisms and setting up multiple-hop delegation.

  • #15138

    AlbertWa
    Participant

    Hi

    Thank you for your prompt answer. I tried the following, but still get the same error.

    On SRV_A:
    Set-Item WSMAN:\localhost\client\auth\credssp -value $true
    Set-Item WSMAN:\localhost\service\auth\credssp -value $true
    Enable-WSManCredSSP -Role Server

    On MyComputer:
    Set-Item WSMAN:\localhost\client\auth\credssp -value $true
    Enable-WSManCredSSP -Role Client -Delegate SRV_A

    As I'm not an expert in authentication mechanisms, I'm a bit lost... What did I miss?

  • #15139

    Don Jones
    Keymaster

    Likely the cmdlet isn't enabled for CredSSP. Try using it in Invoke-Command.
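
Added example, not part of the thread and not from the ebook: the Invoke-Command form of the second hop, run from MyComputer with CredSSP enabled as in post #15138. CredSSP is only used when the connection requests it with -Authentication Credssp and explicit credentials; the WinRM service name queried on ComputerB and the variable names are assumptions chosen for illustration.

```powershell
# Run on MyComputer. SRV_A and ComputerB are the host names used in the thread.

# 1. Confirm the client-side delegation setting and the target it allows.
Get-WSManCredSSP

# 2. CredSSP needs explicit credentials; it never reuses the logon token.
$cred = Get-Credential   # domain account with rights on ComputerB

# 3. The second hop: executed on SRV_A, it queries ComputerB.
#    A string is returned so nothing depends on deserialized object types.
$secondHop = {
    $s = Get-Service -ComputerName ComputerB -Name WinRM -ErrorAction Stop
    "$($s.Name) on ComputerB is $($s.Status)"
}

# 4. Same command, same account, two authentication mechanisms.
#    'Default' reproduces the double-hop failure; 'Credssp' delegates
#    the credential to SRV_A so it can authenticate to ComputerB.
foreach ($auth in 'Default', 'Credssp') {
    try {
        $result = Invoke-Command -ComputerName SRV_A -Credential $cred `
                                 -Authentication $auth `
                                 -ScriptBlock $secondHop -ErrorAction Stop
        '{0,-8} OK:     {1}' -f $auth, $result
    }
    catch {
        '{0,-8} FAILED: {1}' -f $auth, $_.Exception.Message
    }
}

# 5. Alternative with no delegation at all: make ComputerB the first hop.
#    Assumes PowerShell remoting is enabled on ComputerB.
# Invoke-Command -ComputerName ComputerB -ScriptBlock { Get-Service -Name WinRM }

# 6. CredSSP hands SRV_A the full credential, so switch it off again once
#    the task is done (and run Disable-WSManCredSSP -Role Server on SRV_A).
Disable-WSManCredSSP -Role Client
```

Because CredSSP gives SRV_A a reusable copy of the credential, limit the delegation target to hosts you trust as much as the account itself and prefer the single-hop form in step 5 where it is available.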
