Invoke-Command in PSSession


This topic contains 5 replies, has 3 voices, and was last updated by

2 years, 7 months ago.

  • Author
  • #40107

    Points: 0
    Rank: Member

    We have almost 300 servers running in a shared storage setup that requires some delicate management. Intensive disk use on more than a few servers at a time causes performance issues, but that's what PowerShell is for, right?

    Unfortunately I've hit a snag: it's most flexible to run this from within a PSSession on a central server, but then I cannot run Invoke-Command. In fact I can't create any new sessions at all, local or remote; I just get the following error:

    [(server)] Connecting to remote server (server) failed with the following error message
    : WinRM cannot process the request. The following error with errorcode 0x8009030d occurred while using Negotiate
    authentication: A specified logon session does not exist. It may already have been terminated.
    Possible causes are:
    -The user name or password specified are invalid.
    -Kerberos is used when no authentication method and no user name are specified.
    -Kerberos accepts domain user names, but not local user names.
    -The Service Principal Name (SPN) for the remote computer name and port does not exist.
    -The client and remote computers are in different domains and there is no trust between the two domains.
    After checking for the above issues, try the following:
    -Check the Event Viewer for events related to authentication.
    -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or
    use HTTPS transport.
    Note that computers in the TrustedHosts list might not be authenticated.
    -For more information about WinRM configuration, run the following command: winrm help config. For more
    information, see the about_Remote_Troubleshooting Help topic.

    I can only assume this is because you can't create a session from within a session, but I can't find any documentation on it or anything online. I'm aware of the double-hop dilemma and am pretty sure it's not what is happening; I'm providing credentials and the command runs perfectly fine when run outside a session.

    Easily replicated with:

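    Enter-PSSession localhost
    # $server = target computer name, $cred = PSCredential for it (placeholders)
    Invoke-Command -ComputerName $server -Credential $cred -ScriptBlock { $env:COMPUTERNAME }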

    Is there any way to allow this? I'd rather not need to set it up in a scheduled task with a database or something.

  • #40118

    Points: 1,785
    Helping Hand, Team Member
    Rank: Community Hero

    Welcome to double-hop authentication problems, or "you can't do that by default." That is in fact what's happening. Have a look at "Secrets of PowerShell Remoting" on our eBooks page. It covers this.

    You're providing a credential, but you're not doing the other things needed for this to work – such as specifying -UseSSL or forcing Basic authentication and using TrustedHosts. The problem is that because there's no authentication context, the machine initiating the second connection can't authenticate the identity of the third machine.

  • #40181

    Points: 1,785
    Helping Hand, Team Member
    Rank: Community Hero

    And, incidentally, the only reason Enter-PSSession localhost works so consistently is that there's a hardcoded authentication exception for localhost. It's always considered a trusted connection.

  • #40962

    Points: 0
    Rank: Member

    Ahh I see, once I eventually got hold of it (I guess with the site move the ebooks are temporarily offline? EDIT: Now working but Google links are still busted) The Secrets Of PowerShell Remoting almost got me there. I found I additionally had to enable "Allow Delegation of Fresh Credentials with NTLM-only server authentication" and add the destination in there, and as these servers are not on a domain the credential is [server]\Administrator, and now it's going through nicely.

    Thank you for your assistance.

  • #41035

    Points: 35
    Rank: Member

    I experienced this a lot when I first started; below is not the safest way but it works (at least until you can look at the books)

    $Username = "Domain\Username"
    # Plaintext password in the script: this is the "not the safest way" part
    $Password = ConvertTo-SecureString "Pasword" -AsPlainText -Force
    $cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $Username, $Password
    # Replace the string with the target's FQDN or IP address (double quotes not needed)
    Invoke-Command -ComputerName "{FQDN Computername} or {IP Address}" -Authentication Credssp -Credential $cred -ScriptBlock {
        # Stuff goes here
    }
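
A tighter variant of the CredSSP approach discussed in this thread, as an added example that is not from any of the posters: it audits what is already trusted or delegated, scopes delegation to one first-hop host, and prompts for the credential instead of embedding it. The names `mgmt01` and `target01` and the function `Get-CredSspExposure` are assumptions made for illustration.

```powershell
# Added example. Assumed names, not from the thread: mgmt01 = central server,
# target01 = a managed server. Run elevated on the machine that starts the session.
$FirstHop = 'mgmt01'
$Target   = 'target01'

function Get-CredSspExposure {
    # Lists TrustedHosts and CredSSP delegation targets; flags wildcard entries.
    $entries = @()
    $trusted = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
    foreach ($h in ($trusted -split ',' | Where-Object { $_ })) {
        $entries += [pscustomobject]@{ Setting = 'TrustedHosts'; Value = $h.Trim() }
    }
    $root = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
    foreach ($name in 'AllowFreshCredentials', 'AllowFreshCredentialsWhenNTLMOnly') {
        $path = Join-Path $root $name
        if (-not (Test-Path $path)) { continue }
        $key = Get-Item $path
        foreach ($v in $key.Property) {
            $entries += [pscustomobject]@{ Setting = $name; Value = $key.GetValue($v) }
        }
    }
    $entries | Select-Object Setting, Value, @{ n = 'TooBroad'; e = { $_.Value -match '\*' } }
}

# Before: see what is already delegated or trusted.
Get-CredSspExposure | Format-Table -AutoSize

# Scope trust and delegation to the single first-hop host, never '*'.
Set-Item WSMan:\localhost\Client\TrustedHosts -Value $FirstHop -Concatenate -Force
Enable-WSManCredSSP -Role Client -DelegateComputer $FirstHop -Force | Out-Null
# On $FirstHop itself, once: Enable-WSManCredSSP -Role Server -Force
# Workgroup (NTLM-only) hosts also need WSMAN/<FirstHop> listed in the
# "Allow Delegation of Fresh Credentials with NTLM-only server authentication" policy.
# $FirstHop must in turn be able to authenticate $Target (TrustedHosts or HTTPS).

# Prompt for the credential instead of embedding the password in the script.
$cred = Get-Credential -Message "Account valid on $FirstHop and $Target"

Invoke-Command -ComputerName $FirstHop -Authentication Credssp -Credential $cred -ScriptBlock {
    # Second hop works because CredSSP delegated the credential to this session.
    Invoke-Command -ComputerName $using:Target -Credential $using:cred -ScriptBlock { $env:COMPUTERNAME }
}

# After: remove the client-side delegation and confirm what remains.
Disable-WSManCredSSP -Role Client
Get-CredSspExposure | Format-Table -AutoSize
```

CredSSP hands the full credential to the first-hop host, so any row with `TooBroad` set to True widens where that credential can end up.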
