Welcome Forums General PowerShell Q&A WinRM Error with Get-CimInstance

Viewing 8 reply threads
  • Author
    Posts
    • #24617
      Participant
      Topics: 1
      Replies: 3
      Points: 0
      Rank: Member

      Hi,

      I’m going through the CBT Ultimate training videos and have gotten to the WMI and CIM videos. I’m trying to run

      Get-CimInstance -ClassName win32_OperatingSystem -ComputerName DC1

      but I keep getting the same error

      The error seems to say that it’s trying to use Keberos authentication but I haven’t set it up to do that and there’s no -authentication flag on the cmdlet. WinRM is running on all machines. I even went to my DC and ran the same command on all network computers and it works fine for all except the 1 I’m having problems with (Pegasus). I’ve made sure all remote features are enabled in the firewall as well. Not sure where to go from here.

    • #24634
      Keymaster
      Topics: 18
      Replies: 4872
      Points: 1,902
      Helping HandTeam Member
      Rank: Community Hero

      Kerberos is the default auth protocol – that’s Active Directory’s native protocol. It’s the only protocol that will work without any additional setup, but it requires that (a) both machines be in the same domain, or in trusting domains, and (b) that you access the remote computer by using its canonical name from AD, rather than an IP or alias. Kerberos is the only protocol that gets used when you’re not specifying an authentication protocol.

    • #24669
      Participant
      Topics: 1
      Replies: 3
      Points: 0
      Rank: Member

      Hi Don,

      Oh okay, I didn’t know that it was using Kerberos by default. Alright, that’s fine but what I don’t understand is that why does the cmdlet work fine when I’m running it from any of the VMs in my domain. For example, I have DC1, SP1, SQL1 and PEGASUS (host computer). The first 3 can run the command without issue within each other, but it won’t work from Pegasus to any of those VMs or any of the VMs to Pegasus.

      However, if I do this, it works fine:

      $Session = New-CimSession -ComputerName DC1,SP1,SQL1 -Authentication Default -credential $cred
      Get-CimInstance -CimSession $Session -ClassName Win32_OperatingSystem

      I guess, I’m a little confused as too why only this machine needs a CimSession to work. They’re all on the same domain and given that it works for the others, I’m pretty sure I’m using the correct canonical name. I also disabled the firewall completely on Pegasus to see if it was that, but no change, same error.

    • #24671
      Participant
      Topics: 1
      Replies: 19
      Points: 0
      Rank: Member

      Previously, you were using implicit credentials, now you’re using explicit credentials.

      The command you’re running is the same as (changed authentication from default to kerberos):

      $Session = New-CimSession -ComputerName DC1,SP1,SQL1 -Authentication Kerberos -credential $cred
      Get-CimInstance -CimSession $Session -ClassName Win32_OperatingSystem

      I imagine if you run (authentication as kerberos but no credentials provided, i.e., implicit credentials)…

      $Session = New-CimSession -ComputerName DC1,SP1,SQL1 -Authentication Kerberos
      Get-CimInstance -CimSession $Session -ClassName Win32_OperatingSystem
      

      It will fail.

      Who are you logged in as on Pegasus? We can see it’s administrator, but is it the domain administrator or the local administrator? On the domain controller obviously there is only one administrator account and that’s the domain administrator, so that’s not an issue.

    • #24672
      Participant
      Topics: 1
      Replies: 3
      Points: 0
      Rank: Member

      Ohhhh, yea I’m definitely logged in under the local administrator. Whereas, everywhere else I’d logged in under domain\administrator, which is what I used in $cred.

      Okay, that makes sense now. Thanks a lot for clearing that up!

    • #24674
      Participant
      Topics: 1
      Replies: 19
      Points: 0
      Rank: Member

      So obviously that answers your question about why you can’t connect to other machines FROM Pegasus.

      You still have the issue of not being able to connect TO Pegasus from other machines though. Have you checked that Pegasus has an SPN?

    • #24676
      Participant
      Topics: 1
      Replies: 3
      Points: 0
      Rank: Member

      Right, damn I thought I could move on for a second there 😛

      I have’t worked with SPNs yet so I’m not sure but I don’t think so.

      I was wondering. I’ve been following the video tutorials using my local admin account this whole time. For example, if I did Enable-PSSession, it would have been using the local admin account, etc. Is it possible that those features I’ve enabled aren’t applied to the domain account on pegasus? Basically were those changes (enable-pssesion, winrm service running, filrewall exceptions), not applied to the domain account on Pegasus and therefore other machines wouldn’t be able to access it?

      Just a thought.

    • #24677
      Keymaster
      Topics: 18
      Replies: 4872
      Points: 1,902
      Helping HandTeam Member
      Rank: Community Hero

      Enabling Remoting must be done by someone in the local Administrators group; it doesn’t “enable it just for specific accounts.” It’s on or off. Beyond that, you can decide “who can use Remoting” as a separate step; by default, it’s members of the local Administrators and Remote Administration Users groups. So enabling remoting isn’t applied to an account, per se.

      So no, that’s not it.

    • #24678
      Keymaster
      Topics: 18
      Replies: 4872
      Points: 1,902
      Helping HandTeam Member
      Rank: Community Hero

      As a quick aside – have you read “Secrets of PowerShell Remoting?” I ask because it kinda goes into the whys and wherefores – yes, the how-to, but also the “why it has to be that way” stuff. Including cross-domain, domain-to-workgroup, etc.

Viewing 8 reply threads
  • The topic ‘WinRM Error with Get-CimInstance’ is closed to new replies.