invoke-command to access non-joined server

This topic contains 4 replies, has 3 voices, and was last updated by Daniel Krebs 2 weeks, 1 day ago.

  • #70104
    CatlynnTeardrop
    Participant

    Hi everyone, please forgive the newbie question and thank you for all your help.

    I'm trying to access a non-joined server from a workstation joined to a domain. When using PowerShell in Administrator mode I try this code:

    Clear-host
    $S = New-PSSession -Credential 'IP-PKI-ROOT\administrator' -Authentication Negotiate -ComputerName 'IP-PKI-ROOT'
    Invoke-Command -Session $S -ScriptBlock {$p = Get-Process PowerShell}
    

    I have tried changing the -Authentication value to everything listed and get many different errors. The CredSSP and Negotiate errors are listed below.

    New-PSSession : [IP-PKI-ROOT] Connecting to remote server IP-PKI-ROOT failed with the following error message : The WinRM client cannot process the request. CredSSP
    authentication is currently disabled in the client configuration.

    New-PSSession : [IP-PKI-ROOT] Connecting to remote server IP-PKI-ROOT failed with the following error message : WinRM cannot process the request. The following error
    with error code 0x8009030e occurred while using Negotiate authentication: A specified logon session does not exist.

    For CredSSP, given that the server needs to stay secure and out of remote access, I'm not sure if enabling CredSSP on the server compromises security.

    What is the best way to access the server and run commands remotely on that server?

    I really do thank you all for your knowledge and help.

  • #70119
    Don Jones
    Keymaster

    You don't have a shared authentication space. I'd suggest setting up the endpoint to use HTTPS rather than HTTP, and using Basic authentication. Negotiate is going to try CredSSP first, and the error is indicating that the far end doesn't have it enabled.

    Consider reading "Secrets of PowerShell Remoting" (it's on our eBooks menu). Lots of good information.

  • #70129
    Daniel Krebs
    Moderator

    You should be able to connect from a domain-joined machine to a workgroup machine if you configure the WS-Management Client TrustedHosts list properly as Administrator.

    Search for "Modifying the TrustedHosts List" in our eBook "Secrets of PowerShell Remoting" in the chapter "Access Remote Computers" – https://devopscollective.gitbooks.io/secrets-of-powershell-remoting/content/manuscript/accessing-remote-computers.html

    TrustedHosts list config:

    Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value 'IP-PKI-ROOT' -Force

    Connection script:

    # The Authentication parameter for New-PSSession isn't required. Negotiate is the default which will fallback to NTLM for workgroup machines
    $S = New-PSSession -Credential 'IP-PKI-ROOT\administrator' -ComputerName 'IP-PKI-ROOT'
    Invoke-Command -Session $S -ScriptBlock {$p = Get-Process PowerShell}
    

    I hope the above works for you.

    – Daniel
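
The two suggestions above (an HTTPS endpoint, and a TrustedHosts entry) combined into one connection script. This is an added example, not code from any poster in this thread; the host name comes from the thread, and it assumes an elevated PowerShell session plus, for the HTTPS path, a listener on the server whose certificate the client trusts.

```powershell
# Added example: try HTTPS first, fall back to HTTP + TrustedHosts only if needed.
$target = 'IP-PKI-ROOT'                       # host name from the thread
$path   = 'WSMan:\localhost\Client\TrustedHosts'

# Prompt once for the local account on the workgroup server.
$cred = Get-Credential -UserName "$target\administrator" -Message "Local admin on $target"

try {
    # HTTPS (port 5986): the server proves its identity with its certificate,
    # so no TrustedHosts entry is required for this path.
    Test-WSMan -ComputerName $target -UseSSL -ErrorAction Stop | Out-Null
    $session = New-PSSession -ComputerName $target -Credential $cred -UseSSL -ErrorAction Stop
}
catch {
    Write-Warning "HTTPS listener not usable: $($_.Exception.Message)"

    # Fallback: HTTP with NTLM. A TrustedHosts entry means the client sends
    # credentials to this host without authenticating it, so add only the
    # single host name, never '*'.
    $current = (Get-Item -Path $path).Value
    $entries = $current -split ',' | ForEach-Object { $_.Trim() }
    if ($entries -notcontains $target) {
        # -Concatenate appends; a plain Set-Item -Value replaces the whole list.
        Set-Item -Path $path -Value $target -Concatenate -Force
    }
    Write-Host "TrustedHosts is now: $((Get-Item -Path $path).Value)"

    $session = New-PSSession -ComputerName $target -Credential $cred -ErrorAction Stop
}

try {
    # Emit the objects from the script block so they come back to the caller;
    # assigning them to a variable on the remote side returns nothing.
    Invoke-Command -Session $session -ScriptBlock { Get-Process -Name PowerShell } |
        Select-Object PSComputerName, Name, Id
}
finally {
    Remove-PSSession -Session $session
}
```
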

    • #70237
      CatlynnTeardrop
      Participant

      Hi Daniel,
      Thanks for the advice. I tried what you suggested and even tried setting up the HTTPS connection; both settings still get errors.
      I'm thinking it's the fact that the PKI-Root server is not a member of Workgroup but a member of the PKI workgroup, still technically a workgroup but maybe different enough to prevent remote calls. I know that when I do an RDP I have to use the IP address or add an entry in my hosts file.
      I'm now trying to do this all from the PKI-Root server out to the other 2 domain-joined servers.
      I've added the domain-joined servers to the WSMan TrustedHosts and am still not having any luck.
      Here's the error:
      New-PSSession : [IP-PKI-CRL-01] Connecting to remote server IP-PKI-CRL-01 failed with the following error message : The
      WinRM client cannot process the request. If the authentication scheme is different from Kerberos, or if the client
      computer is not joined to a domain, then HTTPS transport must be used or the destination machine must be added to the
      TrustedHosts configuration setting.

    • #70282
      Daniel Krebs
      Moderator

      What do you get if you use the IP address of the PKI root server instead? It shouldn't matter if the workgroup is called WORKGROUP or PKI.
