Remoting across domains

This topic contains 3 replies, has 2 voices, and was last updated by Steven Robbins 3 years, 11 months ago.

  • #8982
    Steven Robbins
    Participant

    Hi,

    Suspect I know the answer here but would like confirmation. I have to give someone the ability to enter a remote PS session on a test Exchange 2010 server from a development computer. The issue is that the two servers are in different domains and there is no trust set up between them (nor can there be).
    A remote session can be established between the Exchange server and the development server, but not the other way around. I suspect that this is because the Exchange server can see the DCs for the Dev server's domain, whereas the DCs for the Exchange domain are not visible. I have attached a crude diagram of the setup.
    I have tried to get it to authenticate locally with no success. This is the error I see:

    PS F:\> enter-pssession -ComputerName acmembx2a -Credential acme.local\administrator
    enter-pssession : Connecting to remote server acmembx2a failed with the following error message : WinRM cannot process
    the request. The following error with errorcode 0x80090311 occurred while using Kerberos authentication: There are
    currently no logon servers available to service the logon request.
    Possible causes are:
    -The user name or password specified are invalid.
    -Kerberos is used when no authentication method and no user name are specified.
    -Kerberos accepts domain user names, but not local user names.
    -The Service Principal Name (SPN) for the remote computer name and port does not exist.
    -The client and remote computers are in different domains and there is no trust between the two domains.
    After checking for the above issues, try the following:
    -Check the Event Viewer for events related to authentication.
    -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or
    use HTTPS transport.
    Note that computers in the TrustedHosts list might not be authenticated.
    -For more information about WinRM configuration, run the following command: winrm help config. For more
    information, see the about_Remote_Troubleshooting Help topic.
    At line:1 char:1
    + enter-pssession -ComputerName acmembx2a -Credential acme.local\administrator
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidArgument: (acmembx2a:String) [Enter-PSSession], PSRemotingTransportException
    + FullyQualifiedErrorId : CreateRemoteRunspaceFailed

    I have set TrustedHosts to *.
    The command works from within the ACME domain.

    If anyone can point me to an article on how to set this up, that would be great. Or confirm that this setup will not work.

  • #8987
    Steven Robbins
    Participant

    Update – resolved it.
    As the ACME computers are all VMs, I added a vNIC to the DC and attached it to the corporate network.
    That has got me around that initial problem; however, I would like to know if this can be achieved without the DC being attached to the same network.

  • #8998
    Don Jones
    Keymaster

    Well, in the broad sense they obviously have to be on the same network, in that they need to be able to resolve names to IP addresses and route packets back and forth. Different, untrusted domains are no problem – you either have to use TrustedHosts or SSL (I cover both in "Secrets of PowerShell Remoting"). But you still need name resolution and routing in place.
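The two options named in the reply above (an HTTPS listener, or a TrustedHosts entry on the client), with the reachability check done first, as an added example that is not part of the thread and not from "Secrets of PowerShell Remoting". It assumes the remote name acmembx2a from the original post resolves from the client, that TCP 5986 is routed, and that the remote side already has an HTTPS listener with a certificate the client trusts; the account in the credential prompt is a local or domain account on the remote side.

```powershell
# Added example, not from the thread. Connect from a workstation in one domain
# to a WinRM endpoint in a different, untrusted domain.
# Assumptions: $target resolves via DNS or a hosts entry; TCP 5986 is routed;
# the remote host already has an HTTPS WinRM listener with a trusted certificate.

$target = 'acmembx2a'   # host name from the thread; replace with the real FQDN

# 1. Name resolution and routing come first. If this fails, the Kerberos error in
#    the original post is a red herring: nothing authentication-related can fix it.
$probe = Test-NetConnection -ComputerName $target -Port 5986
if (-not $probe.TcpTestSucceeded) {
    throw "Cannot reach $target on TCP 5986 (WinRM over HTTPS); fix DNS/routing first"
}

# 2. Supply explicit credentials. With a user name present, WinRM negotiates
#    NTLM instead of Kerberos, so no reachable KDC for the remote domain is needed.
$cred = Get-Credential -Message 'Account valid on the remote (e.g. acme.local) side'

# Option A: HTTPS. The server certificate authenticates the remote host, so the
# client does not need a TrustedHosts entry at all.
$session = New-PSSession -ComputerName $target -UseSSL -Credential $cred

# Option B: plain HTTP plus TrustedHosts, used only when HTTPS is not available.
# Add the one host you need rather than '*'; TrustedHosts turns off client-side
# host authentication for the names listed, so keep the list as short as possible.
# Set-Item WSMan:\localhost\Client\TrustedHosts -Value $target -Concatenate
# $session = New-PSSession -ComputerName $target -Credential $cred

# 3. Confirm where the session landed and which identity it is running as.
Invoke-Command -Session $session -ScriptBlock {
    [pscustomobject]@{
        RemoteHost = $env:COMPUTERNAME
        RunningAs  = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    }
}
Remove-PSSession $session
```

Both options still depend on step 1: the original post's error ("no logon servers available") comes from the client being unable to find a KDC for the remote domain, which is expected with no trust, but no authentication setting helps until the client can also resolve and route to the host itself.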

  • #9017
    Steven Robbins
    Participant

    Thanks, it's what I thought then. Time to really study your guide and not just dip into it!
