Author Posts

October 16, 2017 at 8:11 pm

Hi all,

I have followed this guide to enable PS Remoting: http://www.techrepublic.com/article/how-to-enable-powershell-remoting-via-group-policy/

I have some domain joined Windows Server 2008 R2 servers that has a few problems and I cannot work out what it is.

You can see below the output running winrm get winrm/config directly on one of the servers. I can confirm that there is no third party AV installed on this server and Windows firewall is turned off. Service is not disabled.

PS C:\Users\rj_admin> winrm get winrm/config
WSManFault
Message = WinRM cannot process the request. The following error occured while using Negotiate authentication: An unknown security error occurred.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does not exist.
-The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use
HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following command: winrm help config.

Error number: -2144108387 0x8033809D
An unknown security error occurred.

Below is from when i run a command from my domain controller that sit on the same virtual platform.

PS C:\Windows\system32> Invoke-Command -ComputerName SERVER1 -ScriptBlock { $PSVersionTable.PSVersion }
[SERVER1] Connecting to remote server SERVER1 failed with the following error message : WinRM cannot process the request. The following error with errorcode 0x80090322 occurred while using Kerberos authentication: An
unknown security error occurred.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does not exist.
-The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
+ CategoryInfo : OpenError: (SERVER1:String) [], PSRemotingTransportException
+ FullyQualifiedErrorId : -2144108387,PSSessionStateBroken

October 16, 2017 at 8:12 pm

WinRM and Remoting are related, but they're not the same thing. Did you run Enable-PSRemoting on the machine(s) you're trying to connect to? It's possible to enable WinRM but NOT enable Remoting.

October 16, 2017 at 8:13 pm

Oh, sorry – you're attempting to do this via GPO. OK. First, check out our free "Secrets of PowerShell Remoting," and just confirm you did everything in there. Nothing against TechRepublic, but that's the Remoting bible.

Then in PowerShell, see if you have a WSMAN: drive, and if you can run Get-PSSessionConfiguration.

October 16, 2017 at 8:15 pm

Oh also to say some of these servers still run PS 2.0

Output from Enable-PSRemoting

PS C:\Users\rj_admin> Enable-PSRemoting

WinRM Quick Configuration
Running command "Set-WSManQuickConfig" to enable this machine for remote management through WinRM service.
This includes:
1. Starting or restarting (if already started) the WinRM service
2. Setting the WinRM service type to auto start
3. Creating a listener to accept requests on any IP address
4. Enabling firewall exception for WS-Management traffic (for http only).

Do you want to continue?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): y
WinRM already is set up to receive requests on this machine.
Set-WSManQuickConfig : WinRM cannot process the request. The following error occured while using Negotiate authentication: An unknown security error occurred.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does not exist.
-The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following command: winrm help config.
At line:50 char:33
+ Set-WSManQuickConfig <<<

October 16, 2017 at 8:16 pm

Are you certain you ran that in an elevated shell ("as Administrator")?

October 16, 2017 at 8:17 pm

PS C:\Users\rj_admin> cd wsman:
PS WSMan:\> ls

WSManConfig:

ComputerName Type
———— —-
localhost Container

PS WSMan:\>

PS WSMan:\> Get-PSSessionConfiguration
Get-ChildItem : WinRM cannot process the request. The following error occured while using Negotiate authentication: Anunknown security error occurred.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does not exist.
-The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following command: winrm help config.
At line:31 char:6
+ dir <<<

October 16, 2017 at 8:19 pm

Yes i am, i see Administrator: Windows PowerShell at the top

October 16, 2017 at 8:27 pm

Then, it unfortunately seems broken. If Set-WsManQuickConfig breaks, then something at the authentication level is borked. I've not run into that before, so I'm not certain how to fix it.

October 16, 2017 at 8:31 pm

Ok, will try a few more things. thank you though for the assistance.

BR
Ronnie

October 16, 2017 at 9:08 pm

Hi Don, Just FYI i installed 5.1 to the server and rebooted it and now it works. Need to find another server and give it a reboot and then see if that solves it.

October 16, 2017 at 9:57 pm

So i restarted another server and although it still did not work after that. enable-psremoting now works and after that the enter-pssession -computerName server1 now works.

will fix the rest of the servers and then get them all updated to 5.1 while im at it 🙂