In our domain environment, I'm having some problems getting remote scripting to work in combination with "Credssp" for several servers. Please allow me to explain the setup and issues at hand.
ServerA, we use as our client server to remotely execute PS scripts.
Both Servers B and C share the same Active Directory OU, thus have the same policies applied to them.
Now when we try to connect to Server B using the following commands, the next error appears:
$Credential = (Get-Credential -Credential $env:USERNAME)
$PSSession = New-PSSession "ServerB" -Authentication Credssp -Credential $Credential -ErrorAction Continue
Invoke-Command -Session $PSSession -FilePath "D:\Some-Script.ps1";""

Error:
New-PSSession : [ServerB] Connecting to remote server Server B failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:14
+ $PSSession = New-PSSession "ServerB" -Authentication Credssp -Credential ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotingTransportException
+ FullyQualifiedErrorId : AccessDenied,PSSessionOpenFailed
When I try the same thing, from the same client, but this time for ServerC, everything works fine.
– Is my account member of the local Admin Group?
– Is the Firewall set up correctly?
– I've added ServerB as a delegate computer on the client (ServerA) with this command
Enable-WSManCredSSP -Role Client -DelegateComputer ServerB
and even
Enable-WSManCredSSP -Role Client -DelegateComputer *.ourdomain
– Other Powershell commands I tried:
Enable-PSRemoting -force
Enable-WSManCredSSP -Role Server -Force
Set-WSManQuickConfig
Get-WSManCredSSP
The machine is not configured to allow delegating fresh credentials.
This computer is configured to receive credentials from a remote client computer.
Now the funny thing is, New-PSSession in combination with Kerberos authentication DOES work!
Does anyone here have a clue on where to look? Thanks in advance!
You've done everything I think I would have tried, to troubleshoot this. It may be that something is _broken_, as opposed to merely misconfigured. I've seen a few instances where "something" in Remoting or WS-Man just gets screwed up. What versions of Windows and WMF are you dealing with?
Thanks a million for looking into this.
Of course it could simply be broken, but this isn't just one server. It's about a dozen servers that suddenly showed this behavior.
Thanks again, and if someone might have a hunch, please let me know!
There's not actually much living in the registry.
So, some troubleshooting.
Can you directly remote to these broken machines? Without the hop in the middle? As a test? Using an account you know has local Administrator privileges on them.
Can you make CIM connections (Get-CimInstance) to these machines?
On an affected machine, run Get-PSSessionConfiguration | fl * to confirm the access control list on the default microsoft.powershell Remoting endpoint.
BTW, WMF4.0 is what PowerShell 4.0 comes in. It might be worth checking $PSVersionTable to make sure you know what version you're running.
Did you make sure net framework 4.0 was installed before wmf4? The wmf4 installer doesn't check and you end up with a partially broken powershell.
Sorry for the delay, but here is the extra info:
Versions are the same on the working servers.
The authorizations are fine, even tried with my own account added to the ACL.
Thanks again all.
Something I have hit before is FQDN in the PSSession command:
$PSSession = New-PSSession "ServerB.domain.name.com" -Authentication Credssp -Credential $Credential -ErrorAction Continue
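Added example, not code from any poster in this thread: a check, run on the client (ServerA), of whether the exact name passed to New-PSSession is covered by the client's CredSSP delegation list, which is why short name versus FQDN can matter. The function names are hypothetical, the sample list is constructed from the `*.ourdomain` pattern mentioned above, and `-like` only approximates the wildcard matching Windows applies.

```powershell
function Get-CredSspAllowedSpn {
    # Policy key that Enable-WSManCredSSP -Role Client writes its
    # -DelegateComputer entries to (stored as 'wsman/<name or pattern>').
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentials'
    if (-not (Test-Path $key)) { return }
    $item = Get-Item $key
    $item.GetValueNames() | ForEach-Object { [string]$item.GetValue($_) }
}

function Test-CredSspDelegationTarget {
    param(
        # The name exactly as it will be passed to New-PSSession.
        [Parameter(Mandatory)][string]$ComputerName,
        # Delegation entries, e.g. 'wsman/ServerB' or 'wsman/*.ourdomain'.
        [Parameter(Mandatory)][AllowEmptyCollection()][string[]]$AllowedSpn
    )
    $spn = "wsman/$ComputerName"
    foreach ($pattern in $AllowedSpn) {
        # -like is case-insensitive and understands the * wildcard.
        if ($spn -like $pattern) { return $true }
    }
    return $false
}

# Constructed sample: only the wildcard entry is present.
$sample = @('wsman/*.ourdomain')
foreach ($name in 'ServerB', 'ServerB.ourdomain') {
    $ok = Test-CredSspDelegationTarget -ComputerName $name -AllowedSpn $sample
    '{0,-20} covered by sample list: {1}' -f $name, $ok
}

# Live check against this machine's policy (empty if CredSSP client role
# was never enabled here).
$live = @(Get-CredSspAllowedSpn)
foreach ($name in 'ServerB', 'ServerB.ourdomain') {
    $ok = Test-CredSspDelegationTarget -ComputerName $name -AllowedSpn $live
    '{0,-20} covered by local policy: {1}' -f $name, $ok
}
```

With the constructed sample, the short name is not covered while the FQDN is; comparing the live result between a working and a failing target shows whether the name form is the difference.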
Were you able to resolve the issue? If so would it be possible for you to shed some light on how this issue was resolved in your environment?