How to configure PSRemoting without domain

This topic contains 2 replies, has 3 voices, and was last updated by  Noah Sparks 3 years, 6 months ago.

  • #14120

    Remy van Tour
    Participant

    Hey guys,

    I'm really stuck on this. Could anyone explain to me as simply as possible how to set up and connect with PSR without a domain environment?

    Thanks!

  • #14121

    Dave Wyatt
    Moderator

    The main limitation is that without a domain, you can't use Kerberos authentication. This means that you need to either set up an HTTPS listener on all machines, or use the TrustedHosts list on the client computers (with HTTPS being the more secure option, as it authenticates both client and server). There's more information about how to configure both of these options in the "Secrets of PowerShell Remoting" free ebook, which you can download from this site: click on Resources -> Free Ebooks along the top of the page.

  • #14151

    Noah Sparks
    Participant

    In the environment I work in we use this pretty frequently by creating HTTPS listeners and self-signed certs. If you go the self-signed route, you need to specify some extra options to ignore the cert problems. Here is basic code you can use to establish the HTTPS connection.

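    # Placeholders: fill in your own values
    $Computer = "<computer-name>" # you can use ip as long as you ignore the cert
    $Username = "<username>"
    $Password = "<password>"
    # Build a PSCredential from the plain-text password
    $pass = ConvertTo-SecureString -AsPlainText $Password -Force
    $Cred = New-Object System.Management.Automation.PSCredential -ArgumentList $Username,$pass
    # Self-signed cert: skip the trusted-CA check and the certificate-name check
    $PSSO = New-PSSessionOption -SkipCACheck -SkipCNCheck

    Enter-PSSession -ComputerName $Computer -UseSSL -SessionOption $PSSO -Credential $Cred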

    Creating the listener unfortunately is not very straightforward either compared to the normal Enable-PSRemoting, which just configures things for HTTPS. If you're going to be using this frequently, though, it is easy enough to write a script to set up listeners, which is what I did. There are probably good details in the book Dave mentioned.

    One caveat I have found is that on servers older than 2008 R2 the certificate skip checks don't seem to work and a valid certificate matching the hostname is required.
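
The HTTPS listener setup and connection discussed in this thread, as an added example that is not any poster's code: the server creates a self-signed certificate and a listener bound to it, and the client imports that certificate as trusted so the session validates the server without `-SkipCACheck` / `-SkipCNCheck`. The function names and the export path are hypothetical; it assumes Windows 8 / Server 2012 or later and an elevated session on both machines.

```powershell
#Requires -RunAsAdministrator
# Added example. Function names and paths are hypothetical, not from the thread.

# Run on the SERVER: create the certificate, the HTTPS listener and the firewall rule.
function New-HttpsRemotingListener {
    param(
        [string]$DnsName    = $env:COMPUTERNAME,   # the name clients will connect to
        [string]$ExportPath = (Join-Path $env:TEMP 'winrm-https.cer')  # constructed path
    )
    # Start WinRM and register the default session configurations.
    Enable-PSRemoting -Force

    # Self-signed server certificate whose subject matches the name clients use.
    $cert = New-SelfSignedCertificate -DnsName $DnsName -CertStoreLocation Cert:\LocalMachine\My

    # Bind an HTTPS listener (TCP 5986) to that certificate.
    New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
        -CertificateThumbPrint $cert.Thumbprint -Force | Out-Null

    # Allow inbound WinRM over HTTPS.
    New-NetFirewallRule -DisplayName 'WinRM HTTPS (5986)' -Direction Inbound `
        -Protocol TCP -LocalPort 5986 -Action Allow | Out-Null

    # Export the public certificate only (no private key) for the clients.
    Export-Certificate -Cert $cert -FilePath $ExportPath | Out-Null
    $cert.Thumbprint   # compare with the file on the client before trusting it
}

# Run on the CLIENT: trust the server's certificate, verify, then connect.
function Connect-HttpsRemoting {
    param(
        [Parameter(Mandatory)][string]$ComputerName,  # must match the certificate's DnsName
        [Parameter(Mandatory)][string]$CertPath       # .cer file copied from the server
    )
    # Trust this one server certificate instead of disabling the CA and CN checks.
    Import-Certificate -FilePath $CertPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

    # Stops here if the certificate is untrusted or its name does not match.
    Test-WSMan -ComputerName $ComputerName -UseSSL -ErrorAction Stop | Out-Null

    # Prompt for the remote account instead of keeping the password in the script.
    Enter-PSSession -ComputerName $ComputerName -UseSSL -Credential (Get-Credential)
}
```

Copy the exported `.cer` to the client over a channel you trust and confirm its thumbprint matches the value the server function returned before importing it.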
