PSWA - Not connecting to AD

This topic contains 2 replies, has 2 voices, and was last updated by Chris 2 years, 2 months ago.

  • #19492
    Chris
    Participant

    I've got a Server 2012 R2 box that I've installed PSWA on. I can log in just fine with domain credentials, but I can't seem to do a simple Get-ADUser. I can ping the DCs from the PSWA session, and everything works fine from a normal PS session on the box. Here is a readout of what I'm seeing. Any help would be greatly appreciated!

    PS C:\> get-aduser john8.doe
    Unable to contact the server. This may be because this server does not exist, it is currently down, or it does not have
    the Active Directory Web Services running.
        + CategoryInfo          : ResourceUnavailable: (john8.doe:ADUser) [Get-ADUser], ADServerDownException
        + FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.GetADUser

    Thanks!

  • #19494
    Don Jones
    Keymaster

    This is essentially the double-hop problem. You have remoted into a server, but then that same server needs to connect to the web service. The Active Directory commands in particular are difficult in this scenario. You would need to enable multi-hop authentication.

  • #19495
    Chris
    Participant

    Thanks so much Don, that got me on the right track to solving the problem!

    For anyone Googling this after me, I found some more friendly help over at: http://blogs.msdn.com/b/powershell/archive/2008/06/05/credssp-for-second-hop-remoting-part-i-domain-account.aspx

    This got me this tidbit:

    To enable client-side SSP for WinRM, run the following line:
    Enable-WSManCredSSP -Role client -DelegateComputer *
    [note here: I saw many an article that suggested *.contoso.com instead of a full *, so that was what I eventually went with]

    To enable server-side SSP for WinRM:
    Enable-WSManCredSSP -Role server

    The only thing that snagged me in this process was that I had to have the gateway be the client and the computer I was trying to use as my intermediate be the server, which in my case were the same box. (I was trying to remote into the box that was also hosting my gateway.)

    Anyway thanks again Don!

    Chris
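    The two Enable-WSManCredSSP lines in Chris's reply, expanded into an added example that is not code from the thread or from Microsoft's documentation. It scopes the client-side delegation to one named intermediate instead of "*", reads back the state that was actually written so the delegation scope is visible, runs the Get-ADUser call from the original post over a CredSSP session, and shows the matching cleanup. The host name pswa-gw.contoso.com and the account prompt are assumptions; in Chris's case the gateway and the intermediate are the same box, so both Enable-WSManCredSSP calls run there.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): configure CredSSP for the second hop,
# scoped to one named intermediate rather than "*", verify it, exercise it,
# and show how to take it down again. Host names below are placeholders.

$Gateway      = 'pswa-gw.contoso.com'   # assumed: PSWA gateway, acts as the CredSSP client
$Intermediate = 'pswa-gw.contoso.com'   # assumed: box the PSWA session lands on (same box here)

# 1. Client side (runs on the gateway). A DelegateComputer of "*" lets any
#    host the client connects to receive a reusable copy of the user's
#    credentials; naming the intermediate limits delegation to that host.
Enable-WSManCredSSP -Role Client -DelegateComputer $Intermediate -Force | Out-Null

# 2. Server side (runs on the intermediate). Lets it accept the delegated
#    credential and present it on the onward hop to the domain controller.
Enable-WSManCredSSP -Role Server -Force | Out-Null

# 3. Read back what was configured. Enable-WSManCredSSP stores the client-side
#    allow-list under the CredentialsDelegation policy key; listing it shows the
#    exact delegation targets instead of assuming them.
Get-WSManCredSSP
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentials'
if (Test-Path -Path $policyKey) {
    Get-ItemProperty -Path $policyKey |
        Select-Object -Property * -ExcludeProperty PS* |
        Format-List
}

# 4. Exercise the hop: authenticate with CredSSP so the remote session holds a
#    delegable credential, then run the query that failed in the original post.
$cred = Get-Credential -Message 'Domain account for the CredSSP session'
Invoke-Command -ComputerName $Intermediate -Authentication Credssp -Credential $cred -ScriptBlock {
    Import-Module ActiveDirectory
    Get-ADUser -Identity 'john8.doe' | Select-Object -Property SamAccountName, Enabled
}

# 5. Remove the delegation once the requirement goes away. CredSSP hands the
#    intermediate a full credential, so keep the configuration's lifetime to
#    the task that needs it.
# Disable-WSManCredSSP -Role Client
# Disable-WSManCredSSP -Role Server
```

    Step 1 runs wherever the PSWA session originates from the gateway's point of view and step 2 on the machine the session is connected to; when those are the same box, as in this thread, both run there. Step 3 is the check worth keeping around: the policy key shows every host the gateway is willing to hand credentials to, so a stray "*" or "*.contoso.com" entry is visible at a glance.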
