August 1, 2013 at 2:18 am #8982
Suspect I know the answer here but would like confirmation. I have to give someone the ability to enter a remote PS session on a test exchange 2010 server from a development computer. The issue is that the two servers are in different domains and there is no trust set up between them. (nor can there be)
A remote session can be established between the Exchange server and the development server, but not the other way around. I suspect that this is because the Exchange server can see the DCs for the Dev servers domain, whereas the DCs for the Exchange domain are not visible. I have attached a crude diagram of the set up.
I have tried to get it to authenticate locally with no success. this is the error I see
PS F:\> enter-pssession -ComputerName acmembx2a -Credential acme.local\administrator
enter-pssession : Connecting to remote server acmembx2a failed with the following error message : WinRM cannot process
the request. The following error with errorcode 0x80090311 occurred while using Kerberos authentication: There are
currently no logon servers available to service the logon request.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does not exist.
-The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or
use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following command: winrm help config. For more
information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ enter-pssession -ComputerName acmembx2a -Credential acme.local\administrator
+ CategoryInfo : InvalidArgument: (acmembx2a:String) [Enter-PSSession], PSRemotingTransportException
+ FullyQualifiedErrorId : CreateRemoteRunspaceFailed
I have set trusted hosts to *
the command works from within the ACME domain
if anyone can point me to an article on how to set this up that would be great. Or confirm that this set up will not work.
August 1, 2013 at 2:30 am #8987
Update – resolved it
As the ACME computers are all VMs I added a vNIC to the DC and attached it to the corporate network.
that has got me around that initial problem, however I would like to know if this can be achieved without the DC being attached to the same network.
August 1, 2013 at 6:29 am #8998
Well, the broad sense they obviously have to be on the same network, in that they need to be able to resolve names to IP addresses and route packets back and forth. Different, untrusted domains is no problem – you either have to use TrustedHosts or SSL (I cover both in "Secrets of PowerShell Remoting"). But you still need name resolution and routing in place.
August 1, 2013 at 2:01 pm #9017
Thanks, it's what I thought then. Time to really study your guide and not just dip into it!
You must be logged in to reply to this topic.