Invoke-Command in PSSession

This topic contains 5 replies, has 3 voices, and was last updated by Mark Prior 3 months, 3 weeks ago.

    #40107
    Deadly Bagel
    Participant

    We have almost 300 servers running in a shared storage setup that requires some delicate management. Intensive disk use on more than a few servers at a time causes performance issues, but that's what PowerShell is for, right?

    Unfortunately I've hit a snag: it's most flexible to run this from within a PSSession on a central server, but then I cannot run Invoke-Command. In fact I can't create any new sessions at all, local or remote; I just get the following error:

    [(server)] Connecting to remote server (server) failed with the following error message
    : WinRM cannot process the request. The following error with errorcode 0x8009030d occurred while using Negotiate
    authentication: A specified logon session does not exist. It may already have been terminated.
    Possible causes are:
    -The user name or password specified are invalid.
    -Kerberos is used when no authentication method and no user name are specified.
    -Kerberos accepts domain user names, but not local user names.
    -The Service Principal Name (SPN) for the remote computer name and port does not exist.
    -The client and remote computers are in different domains and there is no trust between the two domains.
    After checking for the above issues, try the following:
    -Check the Event Viewer for events related to authentication.
    -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or
    use HTTPS transport.
    Note that computers in the TrustedHosts list might not be authenticated.
    -For more information about WinRM configuration, run the following command: winrm help config. For more
    information, see the about_Remote_Troubleshooting Help topic.

    I can only assume this is because you can't create a session from within a session, but I can't find any documentation on it or anything online. I'm aware of the double-hop dilemma and am pretty sure it's not what is happening; I'm providing credentials and the command runs perfectly fine when run outside a session.

    Easily replicated with:

    Enter-PSSession localhost
    # <server> and <credential> stand for the target host and the PSCredential passed in
    Invoke-Command -ComputerName <server> -Credential <credential> -ScriptBlock { $env:COMPUTERNAME }

    Is there any way to allow this? I'd rather not need to set it up in a scheduled task with a database or something.

    #40118
    Don Jones
    Keymaster

    Welcome to double-hop authentication problems, or "you can't do that by default." That is in fact what's happening. Have a look at "Secrets of PowerShell Remoting" on our eBooks page. It covers this.

    You're providing a credential, but you're not doing the other things needed for this to work – such as specifying -UseSSL or forcing Basic authentication and using TrustedHosts. The problem is that because there's no authentication context, the machine initiating the second connection can't authenticate the identity of the third machine.
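
    The second hop done with an explicit credential and no delegation at all, as an added example (not code from this thread or from the eBook). The host names hop1.example.local (the central server) and target01.example.local (a workgroup storage host) are assumed, as is the choice between an HTTPS listener and a TrustedHosts entry.

```powershell
# Added example, not code from the thread. Assumed names: hop1.example.local is the
# central server the admin connects to first; target01.example.local is a workgroup
# storage host reached from there (the second hop).
$hop1   = 'hop1.example.local'
$target = 'target01.example.local'

# Both credentials are collected on the admin workstation. The target's credential is
# shipped into the first session via $using: and used explicitly there, so the middle
# server never needs a delegated copy of the admin's own logon (no CredSSP).
$hopCred    = Get-Credential -Message "Account for $hop1"
$targetCred = Get-Credential -Message "Account for $target (workgroup: $target\Administrator)"

Invoke-Command -ComputerName $hop1 -Credential $hopCred -ScriptBlock {
    $t = $using:target
    $c = $using:targetCred

    # The target is not domain-joined, so Negotiate ends up as NTLM and the client side
    # cannot verify the server's identity on its own. Two ways to satisfy WinRM:
    #   1. HTTPS listener on the target: -UseSSL, the certificate proves the server.
    #   2. No HTTPS: add this one host to TrustedHosts (never '*'), then Negotiate.
    $hasHttps = Test-NetConnection -ComputerName $t -Port 5986 -InformationLevel Quiet

    if ($hasHttps) {
        Invoke-Command -ComputerName $t -Credential $c -UseSSL -ScriptBlock { $env:COMPUTERNAME }
    }
    else {
        $trusted = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
        if (($trusted -split ',') -notcontains $t) {
            $new = if ($trusted) { "$trusted,$t" } else { $t }
            Set-Item WSMan:\localhost\Client\TrustedHosts -Value $new -Force
        }
        Invoke-Command -ComputerName $t -Credential $c -Authentication Negotiate -ScriptBlock { $env:COMPUTERNAME }
    }
}
```

    Editing TrustedHosts on the middle server needs an elevated session there; the entry only relaxes server-identity checking for that one host, and a TrustedHosts entry is still a weaker assurance than an HTTPS listener.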

    #40180
    Don Jones
    Keymaster

    And, incidentally, the only reason Enter-PSSession localhost works so consistently is that there's a hardcoded authentication exception for localhost. It's always considered a trusted connection.

    #40962
    Deadly Bagel
    Participant

    Ahh, I see. Once I eventually got hold of it (I guess with the site move the ebooks are temporarily offline? EDIT: now working, but Google links are still busted), The Secrets of PowerShell Remoting almost got me there. I found I additionally had to enable "Allow Delegation of Fresh Credentials with NTLM-only server authentication" and add the destination in there, and as these servers are not on a domain the credential is [server]\Administrator, and now it's going through nicely.

    Thank you for your assistance.

    #41035
    Mark Prior
    Participant

    I experienced this a lot when I first started. Below is not the safest way, but it works (at least until you can look at the books).

    # A plain-text password in the script is the "not the safest" part: anyone who can read the script has the credential.
    $Username = "Domain\Username"
    $Password = ConvertTo-SecureString "Password" -AsPlainText -Force
    $Cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $Username, $Password

    # CredSSP hands the credential to the remote machine, which is what makes the second hop possible;
    # it has to be enabled on the client (Enable-WSManCredSSP -Role Client) and on the server (-Role Server) first.
    # -ComputerName takes an FQDN or an IP address; the double quotes are not required.
    Invoke-Command -ComputerName "<FQDN or IP address>" -Authentication Credssp -Credential $Cred -ScriptBlock {
        # Commands that need the second hop go here
    }
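
    Where delegation really is required, this added example (not Mark's code, not the eBook's) scopes CredSSP to the one target, reports the policy entries behind the "Allow delegation of fresh credentials" settings Deadly Bagel mentioned (including the NTLM-only variant), keeps the password out of the script, and removes the delegation afterwards. The host name target01.example.local, the file path C:\ops\target01.cred.xml, and the registry location of the delegation policy are assumptions.

```powershell
# Added example, not from the thread. Assumed: target01.example.local is the storage host,
# C:\ops\target01.cred.xml is where the operator's credential is stored.
$target   = 'target01.example.local'
$credFile = 'C:\ops\target01.cred.xml'

# 1. Credential at rest: Export-Clixml protects the SecureString with DPAPI, so the file is only
#    readable by the same user on the same machine. Run once interactively; no password in scripts.
if (-not (Test-Path $credFile)) { Get-Credential -Message "Account for $target" | Export-Clixml $credFile }
$cred = Import-Clixml $credFile

# 2. Delegate only to this host (needs an elevated session). Enable-WSManCredSSP -Role Client writes
#    the "Allow delegation of fresh credentials" policy for the wsman/<host> target; a '*' here would
#    let any WinRM server obtain a reusable copy of the operator's credential.
Enable-WSManCredSSP -Role Client -DelegateComputer $target -Force | Out-Null

# 3. Inspect what is actually allowed before using it. The thread's workgroup case needed the
#    NTLM-only variant as well; both are assumed to live under the same policy key (path as I
#    know it, not taken from the thread). Warn on anything broader than a single named host.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
foreach ($name in 'AllowFreshCredentials', 'AllowFreshCredentialsWhenNTLMOnly') {
    $sub = Join-Path $base $name
    if (Test-Path $sub) {
        $entries = (Get-ItemProperty $sub).PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } | ForEach-Object Value
        foreach ($e in $entries) {
            if ($e -match '\*') { Write-Warning "$name contains wildcard delegation target '$e'" }
            else { Write-Output "$name -> $e" }
        }
    }
}

# 4. Use CredSSP for the one job that needs the second hop, then take the client-side
#    delegation away again (Disable-WSManCredSSP -Role Client clears all delegate entries).
try {
    Invoke-Command -ComputerName $target -Authentication Credssp -Credential $cred -ScriptBlock {
        # Second-hop work (for example, the shared-storage housekeeping) goes here
        $env:COMPUTERNAME
    }
}
finally {
    Disable-WSManCredSSP -Role Client
}
```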