Pssession credssp issue

This topic contains 6 replies, has 4 voices, and was last updated by Mark Prior 5 months, 1 week ago.

  • #43703
    Troy Oosterwijk
    Participant

    Hi all,

    In our domain environment, I'm having some problems getting remote scripting to work in combination with "Credssp" for several servers. Please allow me to explain the setup and issues at hand.

    ServerA, we use as our client server to remotely execute PS scripts.
    ServerB, is one of our servers to which we connect with a Pssession command (actually several servers with the same behaviour).
    ServerC, another server also used to connect to with a Pssession command (again actually several servers with also the same behaviour).

    Both Servers B and C share the same Active Directory OU, thus have the same policies applied to them.
    We have had the PSSessions working on both B and C, but recently something has changed and we can no longer create a PSSession to Server B, yet Server C still functions perfectly.

    Now when we try to connect to Server B using the following commands, the next error appears:

    $Credential = (Get-Credential -Credential $env:USERNAME)
    $PSSession = New-PSSession "ServerB" -Authentication Credssp -Credential $Credential -ErrorAction Continue
    Invoke-Command -Session $PSSession -FilePath "D:\Some-Script.ps1";""
    
    Error:
    New-PSSession : [ServerB] Connecting to remote server Server B failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
    At line:1 char:14
    + $PSSession = New-PSSession "ServerB" -Authentication Credssp -Credential  ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotingTransportException
        + FullyQualifiedErrorId : AccessDenied,PSSessionOpenFailed
    

    When I try the same thing, from the same client, but this time for ServerC, everything works fine.
    Now of course I did some research myself and already checked the following steps:

    – Is my account member of the local Admin Group?
    Yes, although through another group which resides in the Local admin group on both Server B and C
    Also tried adding my account explicitly on the LocalAdmin group, no change.

    – Is the Firewall setup correctly
    Yes, for both ServerA and ServerB the same rules are applied

    – I've added ServerB as a delegate computer on the client (ServerA) with this command

    Enable-WSManCredSSP -Role Client -DelegateComputer ServerB
    
    and even
    
    Enable-WSManCredSSP -Role Client -DelegateComputer *.ourdomain
    

    – Other Powershell commands I tried:

    Enable-PSRemoting -force
    
    Enable-WSManCredSSP -Role Server -Force
    
    Set-WSManQuickConfig
    
    Get-WSManCredSSP
    The machine is not configured to allow delegating fresh credentials. 
    This computer is configured to receive credentials from a remote client computer.
    

    Now the funny thing is, New-PSSession in combination with Kerberos authentication DOES work!
    Sadly in our environment we require Credssp.
    Like mentioned before, we did have some changes with OU's and policies and also a .net update.
    It's hard to pinpoint when exactly it stopped working on ServerB.

    Does anyone here have a clue on where to look? Thanks in advance!

    T.O. out

  • #43710
    Don Jones
    Keymaster

    You've done everything I think I would have tried, to troubleshoot this. It may be that something is _broken_, as opposed to merely misconfigured. I've seen a few instances where "something" in Remoting or WS-Man just gets screwed up. What versions of Windows and WMF are you dealing with?

  • #43834
    Troy Oosterwijk
    Participant

    Hey Don,

    Thanks a million for looking into this.
    Our environment is Windows 2008 R2 and we recently upgraded to WMF 3.0, in order to use Powershell 4.0

    Of course it could simply be broken, but this isn't just one server. It's about a dozen servers that suddenly showed this behavior.
    All the other servers in our setup are still working as they used to. So personally I was thinking more in line of a stale registry entry that causes the problems, but that's because I don't know where to look anymore.

    Thanks again, and if someone might have a hunch, please let me know!

    T.O.

  • #43838
    Don Jones
    Keymaster

    There's not actually much living in the registry.

    So, some troubleshooting.

    Can you directly remote to these broken machines? Without the hop in the middle? As a test? Using an account you know has local Administrator privileges on them.

    Can you make CIM connections (Get-CimInstance) to these machines?

    On an affected machine, run Get-PSSessionConfiguration | fl * to confirm the access control list on the default microsoft.powershell Remoting endpoint.

    BTW, WMF4.0 is what PowerShell 4.0 comes in. It might be worth checking $PSVersionTable to make sure you know what version you're running.

  • #43875
    TomBaker
    Participant

    Did you make sure .NET Framework 4.0 was installed before WMF 4? The WMF 4 installer doesn't check and you end up with a partially broken PowerShell.

  • #44667
    Troy Oosterwijk
    Participant

    Sorry for the delay, but here is the extra info:

    Name                           Value
    ----                           -----
    PSVersion                      4.0
    WSManStackVersion              3.0
    SerializationVersion           1.1.0.1
    CLRVersion                     4.0.30319.42000
    BuildVersion                   6.3.9600.16406
    PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0}
    PSRemotingProtocolVersion      2.2

    Versions are the same on the working servers.

    The authorizations are fine, even tried with my own account added to the ACL.
    Connecting with Kerberos works fine, just the CredSSP parameter that gives the "Access Denied".
    Also CIM connections seem to work fine.

    @TomBaker
    I'm not sure which hotfix I installed first. If it would be a case of a partially broken PS, are there any other problems/signs that might show if that's true? Besides the CredSSP issues, I haven't experienced any other issues while using PS on the affected servers.

    Thanks again all.
    T.O.

  • #44670
    Mark Prior
    Participant

    Something I have hit before is the FQDN in the PSSession command.

    Try:

    $PSSession = New-PSSession "ServerB.domain.name.com" -Authentication Credssp -Credential $Credential -ErrorAction Continue
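
An added example (not part of any post in this thread): a read-only PowerShell check of whether the name passed to New-PSSession is covered by the client's CredSSP delegation list, which is where a short name and an FQDN can behave differently. The function name Test-CredSspDelegationTarget and the sample list are constructed for illustration, and the -like comparison is an assumption that approximates how Windows matches the WSMAN SPN against the list.

```powershell
# Added example, not code from the thread. Reads configuration only; changes nothing.
function Test-CredSspDelegationTarget {
    param(
        # The computer name exactly as it is passed to New-PSSession
        [Parameter(Mandatory)][string]$ComputerName,
        # Optional list of allowed SPN patterns; when omitted, the local policy key is read
        [string[]]$AllowedSpn
    )

    if (-not $AllowedSpn) {
        # Enable-WSManCredSSP -Role Client and the "Allow delegating fresh credentials"
        # Group Policy setting both store their server list under this key.
        $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentials'
        $AllowedSpn = @()
        if (Test-Path $key) {
            $item = Get-Item $key
            $AllowedSpn = @($item.GetValueNames() | ForEach-Object { $item.GetValue($_) })
        }
    }

    # CredSSP over WinRM delegates to the SPN wsman/<name as typed>
    $spn  = "wsman/$ComputerName"
    # Assumption: wildcard entries are compared like the -like operator (case-insensitive)
    $hits = @($AllowedSpn | Where-Object { $spn -like $_ })

    [pscustomobject]@{
        Target    = $ComputerName
        Spn       = $spn
        Delegable = ($hits.Count -gt 0)
        MatchedBy = ($hits -join ', ')
    }
}

# Constructed sample: only the wildcard entry from the first post is present.
$sampleList = @('wsman/*.ourdomain')

'ServerB', 'ServerB.ourdomain' | ForEach-Object {
    Test-CredSspDelegationTarget -ComputerName $_ -AllowedSpn $sampleList
} | Format-Table -AutoSize

# Against the real client (ServerA), omit -AllowedSpn to read the live policy key:
# Test-CredSspDelegationTarget -ComputerName 'ServerB'
```

With the constructed list, only `ServerB.ourdomain` is reported as delegable. Running the function without `-AllowedSpn` on the client shows what is actually in effect there, including entries written by Group Policy.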