Author Posts

May 8, 2014 at 5:48 am

Hi

I can successfully create a remote session using Enter-PSSession to a server SRV_A from a computer MyComputer. Inside this session if I execute the cmdlet Get-Service -ComputerName ComputerB, I get the error "Cannot open Service Control Manager on computer 'ComputerB'. This operation might require other privileges.". But when I do the cmdlet "Get-Service -ComputerName ComputerB" from a Powershell session directly on SRV_A, it runs correctly. Of course I use the same user to create the remote session (cmdlet Enter-PSSession) than when I log directly on SRV_A. All machines have Powershell 4.0 installed and SRV_A and ComputerB are in the same domain.

What is wrong? Can we not use a "Get-Service -ComputerName xxx" inside a Remote Powershell Session? Do we get not exactly the same right from a Remote Powershell Session than a "normal" Powershell Session with the same user?

Thank you for any help

May 8, 2014 at 5:59 am

You're running into the "double hop" problem, as described in "Secrets of PowerShell Remoting."

Your credential delegates when you remote to SRV_A. However, once there, your credential cannot (by default) be delegated further. So SRV_A cannot access non-local resources.

The ebook Secrets of PowerShell Remoting describes this in more detail and offers solutions, which usually requires enabling additional authentication mechanisms and setting up multiple-hop delegation.

May 8, 2014 at 9:24 am

Hi

Thank you for your prompt answer. I tried the following, but still get the same error.

On SRV_A:
Set-Item WSMAN:\localhost\client\auth\credssp –value $true
Set-Item WSMAN:\localhost\service\auth\credssp –value $true
Enable-WSManCredSSP –Role Server

On MyComputer:
Set-Item WSMAN:\localhost\client\auth\credssp –value $true
Enable-WSManCredSSP –Role Client –Delegate SRV_A

As I'm not an expert in authentication mechanism, I'm a bit lost... What did I miss?

May 8, 2014 at 9:48 am

Likely the cmdlet isn't enabled for CredSSP. Try using it in Invoke-Command.