Get-Service -ComputerName in PSSession (require other privileges)

This topic contains 3 replies, has 2 voices, and was last updated by Don Jones 2 years, 11 months ago.

  • #15129
    AlbertWa
    Participant

    Hi

    I can successfully create a remote session using Enter-PSSession to a server SRV_A from a computer MyComputer. Inside this session, if I execute the cmdlet Get-Service -ComputerName ComputerB, I get the error "Cannot open Service Control Manager on computer 'ComputerB'. This operation might require other privileges.". But when I run the cmdlet "Get-Service -ComputerName ComputerB" from a PowerShell session directly on SRV_A, it runs correctly. Of course, I use the same user to create the remote session (cmdlet Enter-PSSession) as when I log on directly to SRV_A. All machines have PowerShell 4.0 installed, and SRV_A and ComputerB are in the same domain.

    What is wrong? Can we not use "Get-Service -ComputerName xxx" inside a remote PowerShell session? Do we not get exactly the same rights in a remote PowerShell session as in a "normal" PowerShell session with the same user?

    Thank you for any help

  • #15130
    Don Jones
    Keymaster

    You're running into the "double hop" problem, as described in "Secrets of PowerShell Remoting."

    Your credential delegates when you remote to SRV_A. However, once there, your credential cannot (by default) be delegated further. So SRV_A cannot access non-local resources.

    The ebook Secrets of PowerShell Remoting describes this in more detail and offers solutions, which usually require enabling additional authentication mechanisms and setting up multiple-hop delegation.

  • #15138
    AlbertWa
    Participant

    Hi

    Thank you for your prompt answer. I tried the following, but still get the same error.

    On SRV_A:
    Set-Item WSMAN:\localhost\client\auth\credssp -value $true
    Set-Item WSMAN:\localhost\service\auth\credssp -value $true
    Enable-WSManCredSSP -Role Server

    On MyComputer:
    Set-Item WSMAN:\localhost\client\auth\credssp -value $true
    Enable-WSManCredSSP -Role Client -Delegate SRV_A

    As I'm not an expert in authentication mechanisms, I'm a bit lost... What did I miss?

  • #15139
    Don Jones
    Keymaster

    Likely the cmdlet isn't enabled for CredSSP. Try using it in Invoke-Command.
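
The Invoke-Command approach suggested above, as an added example that is not part of any post in this thread. It assumes the CredSSP settings from post #15138 are already in place and reuses the thread's host names (SRV_A, ComputerB). Enable-WSManCredSSP only permits CredSSP; a session uses it only when it is requested with -Authentication Credssp together with an explicit -Credential.

```powershell
# Added example, run from MyComputer in Windows PowerShell.
# Host names are the ones used in the thread; adjust to your environment.

# CredSSP needs explicit credentials: the implicit logon token is never delegated.
# The credential is handed to SRV_A, so delegate only to hosts you trust with it.
$cred = Get-Credential

# 1. Check what each side currently allows.
Get-WSManCredSSP    # on MyComputer: the delegation targets should include wsman/SRV_A
Invoke-Command -ComputerName SRV_A -ScriptBlock { Get-WSManCredSSP }   # server role on SRV_A

# 2. Confirm that a CredSSP-authenticated WinRM connection to SRV_A succeeds at all.
Test-WSMan -ComputerName SRV_A -Authentication Credssp -Credential $cred

# 3. Baseline: default authentication (Kerberos/Negotiate), no delegation.
#    This is the double hop and is expected to fail with the error from the first post.
Invoke-Command -ComputerName SRV_A -ScriptBlock {
    Get-Service -ComputerName ComputerB
}

# 4. Same command over CredSSP: SRV_A now holds a delegated credential for the second hop.
$result = Invoke-Command -ComputerName SRV_A -Authentication Credssp -Credential $cred `
    -ArgumentList 'ComputerB' -ScriptBlock {
        param($Target)
        try {
            Get-Service -ComputerName $Target -ErrorAction Stop |
                Select-Object -First 5 -Property Name, Status
        }
        catch {
            # Surface the second-hop error instead of losing it in the remote session.
            "Second hop to $Target failed: $($_.Exception.Message)"
        }
    }
$result

# 5. When finished testing, CredSSP can be switched off again on both machines:
#    Disable-WSManCredSSP -Role Client    (on MyComputer)
#    Disable-WSManCredSSP -Role Server    (on SRV_A)
```

If step 2 fails, the problem is in the CredSSP configuration or delegation policy rather than in Get-Service.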
