Problems enabling PSRemoting on domain joined Windows 2008 R2 server

This topic contains 10 replies, has 2 voices, and was last updated by  Ronnie Jorgensen 1 month ago.

  • #82247

    Ronnie Jorgensen
    Participant

    Hi all,

    I have followed this guide to enable PS Remoting: http://www.techrepublic.com/article/how-to-enable-powershell-remoting-via-group-policy/

    I have some domain joined Windows Server 2008 R2 servers that have a few problems and I cannot work out what it is.

    You can see below the output running winrm get winrm/config directly on one of the servers. I can confirm that there is no third party AV installed on this server and Windows firewall is turned off. Service is not disabled.

    PS C:\Users\rj_admin> winrm get winrm/config
    WSManFault
    Message = WinRM cannot process the request. The following error occured while using Negotiate authentication: An unknown security error occurred.
    Possible causes are:
    -The user name or password specified are invalid.
    -Kerberos is used when no authentication method and no user name are specified.
    -Kerberos accepts domain user names, but not local user names.
    -The Service Principal Name (SPN) for the remote computer name and port does not exist.
    -The client and remote computers are in different domains and there is no trust between the two domains.
    After checking for the above issues, try the following:
    -Check the Event Viewer for events related to authentication.
    -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use
    HTTPS transport.
    Note that computers in the TrustedHosts list might not be authenticated.
    -For more information about WinRM configuration, run the following command: winrm help config.

    Error number: -2144108387 0x8033809D
    An unknown security error occurred.

    Below is from when I run a command from my domain controller that sits on the same virtual platform.

    PS C:\Windows\system32> Invoke-Command -ComputerName SERVER1 -ScriptBlock { $PSVersionTable.PSVersion }
    [SERVER1] Connecting to remote server SERVER1 failed with the following error message : WinRM cannot process the request. The following error with errorcode 0x80090322 occurred while using Kerberos authentication: An
    unknown security error occurred.
    Possible causes are:
    -The user name or password specified are invalid.
    -Kerberos is used when no authentication method and no user name are specified.
    -Kerberos accepts domain user names, but not local user names.
    -The Service Principal Name (SPN) for the remote computer name and port does not exist.
    -The client and remote computers are in different domains and there is no trust between the two domains.
    After checking for the above issues, try the following:
    -Check the Event Viewer for events related to authentication.
    -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
    Note that computers in the TrustedHosts list might not be authenticated.
    -For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
    + CategoryInfo : OpenError: (SERVER1:String) [], PSRemotingTransportException
    + FullyQualifiedErrorId : -2144108387,PSSessionStateBroken
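
A read-only triage script for the causes listed in the error text above (an added example, not part of the original thread). It assumes PowerShell 2.0 or later on a domain-joined machine, takes `SERVER1` from the post as the default target, and `Add-Result` is a hypothetical helper.

```powershell
# Added example: read-only checks for the causes listed in the WinRM error text.
# PowerShell 2.0 compatible. 'SERVER1' is the target name used in the post.
param([string]$Target = 'SERVER1')

$results = @()
function Add-Result([string]$Check, $Result) {   # hypothetical helper
    $script:results += New-Object PSObject -Property @{ Check = $Check; Result = $Result }
}

# Elevation: Set-WSManQuickConfig and the WSMan: provider need an elevated token.
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$wp = New-Object Security.Principal.WindowsPrincipal($id)
Add-Result 'Elevated shell' $wp.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# "Kerberos accepts domain user names, but not local user names."
Add-Result 'Logged on as' $id.Name
Add-Result 'Domain (not local) account' ($env:USERDOMAIN -ne $env:COMPUTERNAME)

Add-Result 'PowerShell version' $PSVersionTable.PSVersion
Add-Result 'WinRM service' (Get-Service -Name WinRM).Status

# Machine account trust with the domain; a broken secure channel breaks Kerberos.
try   { Add-Result 'Secure channel OK' (Test-ComputerSecureChannel -ErrorAction Stop) }
catch { Add-Result 'Secure channel OK' "check failed: $($_.Exception.Message)" }

# "The Service Principal Name (SPN) ... does not exist."
# Show which accounts hold the SPNs for the target. An HTTP/ SPN registered on an
# account other than the computer account is one known cause of 0x80090322
# (SEC_E_WRONG_PRINCIPAL), the code reported by Invoke-Command above.
foreach ($class in 'HTTP', 'WSMAN', 'HOST') {
    $out = (& setspn.exe -Q "$class/$Target" 2>&1 | Out-String).Trim()
    Add-Result "setspn -Q $class/$Target" $out
}

# Unauthenticated identify request: separates "listener unreachable" from
# "listener reachable but authentication fails".
try   { Add-Result 'Test-WSMan (no auth)' (Test-WSMan -ComputerName $Target -ErrorAction Stop).ProductVersion }
catch { Add-Result 'Test-WSMan (no auth)' "failed: $($_.Exception.Message)" }

$results | Select-Object Check, Result | Format-List
```

Run it from an elevated prompt; the checks only read state and change no configuration.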

  • #82249

    Don Jones
    Keymaster

    WinRM and Remoting are related, but they're not the same thing. Did you run Enable-PSRemoting on the machine(s) you're trying to connect to? It's possible to enable WinRM but NOT enable Remoting.

  • #82252

    Don Jones
    Keymaster

    Oh, sorry – you're attempting to do this via GPO. OK. First, check out our free "Secrets of PowerShell Remoting," and just confirm you did everything in there. Nothing against TechRepublic, but that's the Remoting bible.

    Then in PowerShell, see if you have a WSMAN: drive, and if you can run Get-PSSessionConfiguration.

  • #82253

    Ronnie Jorgensen
    Participant

    Oh also to say some of these servers still run PS 2.0

    Output from Enable-PSRemoting

    PS C:\Users\rj_admin> Enable-PSRemoting

    WinRM Quick Configuration
    Running command "Set-WSManQuickConfig" to enable this machine for remote management through WinRM service.
    This includes:
    1. Starting or restarting (if already started) the WinRM service
    2. Setting the WinRM service type to auto start
    3. Creating a listener to accept requests on any IP address
    4. Enabling firewall exception for WS-Management traffic (for http only).

    Do you want to continue?
    [Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): y
    WinRM already is set up to receive requests on this machine.
    Set-WSManQuickConfig : WinRM cannot process the request. The following error occured while using Negotiate authentication: An unknown security error occurred.
    Possible causes are:
    -The user name or password specified are invalid.
    -Kerberos is used when no authentication method and no user name are specified.
    -Kerberos accepts domain user names, but not local user names.
    -The Service Principal Name (SPN) for the remote computer name and port does not exist.
    -The client and remote computers are in different domains and there is no trust between the two domains.
    After checking for the above issues, try the following:
    -Check the Event Viewer for events related to authentication.
    -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
    Note that computers in the TrustedHosts list might not be authenticated.
    -For more information about WinRM configuration, run the following command: winrm help config.
    At line:50 char:33
    + Set-WSManQuickConfig <<<

  • #82256

    Don Jones
    Keymaster

    Are you certain you ran that in an elevated shell ("as Administrator")?

  • #82258

    Ronnie Jorgensen
    Participant

    PS C:\Users\rj_admin> cd wsman:
    PS WSMan:\> ls

    WSManConfig:

    ComputerName Type
    ------------ ----
    localhost Container

    PS WSMan:\>

    PS WSMan:\> Get-PSSessionConfiguration
    Get-ChildItem : WinRM cannot process the request. The following error occured while using Negotiate authentication: An unknown security error occurred.
    Possible causes are:
    -The user name or password specified are invalid.
    -Kerberos is used when no authentication method and no user name are specified.
    -Kerberos accepts domain user names, but not local user names.
    -The Service Principal Name (SPN) for the remote computer name and port does not exist.
    -The client and remote computers are in different domains and there is no trust between the two domains.
    After checking for the above issues, try the following:
    -Check the Event Viewer for events related to authentication.
    -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
    Note that computers in the TrustedHosts list might not be authenticated.
    -For more information about WinRM configuration, run the following command: winrm help config.
    At line:31 char:6
    + dir <<<

  • #82259

    Ronnie Jorgensen
    Participant

    Yes I am, I see Administrator: Windows PowerShell at the top

  • #82262

    Don Jones
    Keymaster

    Then, it unfortunately seems broken. If Set-WsManQuickConfig breaks, then something at the authentication level is borked. I've not run into that before, so I'm not certain how to fix it.

    • #82265

      Ronnie Jorgensen
      Participant

      Ok, will try a few more things. Thank you though for the assistance.

      BR
      Ronnie

  • #82271

    Ronnie Jorgensen
    Participant

    Hi Don, just FYI, I installed 5.1 to the server and rebooted it and now it works. Need to find another server and give it a reboot and then see if that solves it.

    • #82273

      Ronnie Jorgensen
      Participant

      So I restarted another server, and although it still did not work after that, enable-psremoting now works and after that the enter-pssession -computerName server1 now works.

      Will fix the rest of the servers and then get them all updated to 5.1 while I'm at it 🙂
