Remote development on Windows over SSH - powershell double-hop authentication - powershell

I set up remote development over SSH from my Windows 10 machine to one of our new Windows 2022 servers. This is due to the fact that I need to use another account with extra permissions to be able to run the script on the server.
Everything works fine: I can do 'remote development' over SSH with the other account and write & test PowerShell code on the server.
When I try to contact an external source from my script (like a file share or SQL), I noticed the dreaded "double-hop" problem pops up.
As the first hop is SSH and not a real WinRM session, I thought this wouldn't be a problem?
Can I force VS Code/PowerShell to not see the SSH connection as the first hop?
Or is this something Microsoft changed/enforced for security reasons?
By the way, I'm using PowerShell 7 on both client and server.

Whether SSH or WinRM, it's the OS on the first jump box that knows this is a remote session. If you want to be able to pass credentials off to a second box you'll need to look into enabling CredSSP.
To enable on your Windows server:
Enable-WSManCredSSP -Role server -Force -ErrorAction Stop
This should then allow you to access secondary servers. We do this to support a number of things; for example, remoting into box A and making box A grab some software from box B to do an install.
Always disable CredSSP afterwards:
Disable-WSManCredSSP -Role server -ErrorAction Stop
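The following is an added example of the CredSSP workflow the answer describes, not code from the answer itself: the client side delegates only to the named jump server, the configuration is inspected before use, and delegation is removed again on both sides afterwards. The hostnames and share path are constructed placeholders.

```powershell
# Added example: scoped CredSSP for a WinRM second hop (box A -> box B).
# Hostnames and the share path are constructed placeholders.
$jumpServer = 'srv2022.corp.example'                 # box A, the first hop (assumption)
$share      = '\\fileserver.corp.example\deploy'     # box B, reached from box A (assumption)

# --- on the client (your workstation), elevated ---
# Delegate only to the named jump server; avoid the wildcard '*' here.
Enable-WSManCredSSP -Role Client -DelegateComputer $jumpServer -Force | Out-Null

# --- on the jump server, elevated (run there, e.g. inside your SSH session) ---
# Enable-WSManCredSSP -Role Server -Force | Out-Null

# Inspect what is actually configured on this machine before relying on it.
Get-WSManCredSSP

# With -Authentication Credssp the explicit credential is handed to box A,
# which can then use it for the second hop to the share.
$cred = Get-Credential -Message 'Account with rights on the file share'
Invoke-Command -ComputerName $jumpServer -Authentication Credssp -Credential $cred -ScriptBlock {
    param($path)
    Get-ChildItem -Path $path | Select-Object Name, Length
} -ArgumentList $share

# Remove delegation on both sides once the task is done.
Disable-WSManCredSSP -Role Client
# Disable-WSManCredSSP -Role Server   # run on the jump server
```

CredSSP is a WinRM authentication mechanism, so this applies to a WinRM first hop; an SSH session into the jump server can be used to run the server-side commands, but the credential forwarding itself happens on the Invoke-Command call.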

Related

Invoke-Command only works when domain admin is logged in on remote computer

We have 7 Terminal Servers, and for some reason I can only use Invoke-Command on two of them when the domain administrator is logged on to the servers.
I get this error when I try to use Invoke-Command on them and the domain administrator isn't logged on to them. The other 5 servers have no issue.
As soon as I log in with the remote administrator, it works flawlessly.
[RDH004] Connecting to remote server RDH004 failed with the following error message : The WSMan service could not launch a host process to process the given request. Make sure the WSMan provider host server and proxy are properly registered. For more information, see the about_Remote_Troubleshooting Help topic.
    + CategoryInfo          : OpenError: (RDH004:String) [], PSRemotingTransportException
    + FullyQualifiedErrorId : 2,PSSessionStateBroken
I did double-check that the Windows Remote Management (WS-Management) service was running, and I created a GPO (Allow remote server management through WinRM) to allow remote connections.
I did the same thing on all servers to attempt to enable it. All servers are clones from the same template in ESXi, and all servers are running Windows Server 2016.
I've searched far and wide for solutions, but none of them seem to be for the same problem, especially since it works if the server I'm trying to send a remote command to has the domain administrator logged in.
The cause of this issue is due to the Windows User Account Control (UAC). The remote account must be a domain account and a member of the remote computer Administrators group. If the account is a local computer member of the Administrators group, then UAC does not allow access to the WinRM service. This error happens even if the account is a Local Administrator and the command line is run with administrator privileges.
To solve the problem, UAC filtering for local accounts must be disabled by creating the following DWORD registry entry and setting its value to 1:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System] LocalAccountTokenFilterPolicy
Additional Information
https://learn.microsoft.com/en-us/windows/win32/winrm/obtaining-data-from-a-remote-computer
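As an added example (not part of the answer above), here is how to read the current LocalAccountTokenFilterPolicy value, set it as the answer describes, and verify the result, with a way to put the filtering back. The helper name is an assumption.

```powershell
# Added example: inspect and change LocalAccountTokenFilterPolicy.
# Set-RemoteUacFilter is a hypothetical helper name for this snippet.
$regKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$regName = 'LocalAccountTokenFilterPolicy'

function Get-RemoteUacFilter {
    # Returns $null when the value does not exist (the default: filtering is on).
    $item = Get-ItemProperty -Path $regKey -Name $regName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$regName
}

function Set-RemoteUacFilter {
    param([switch]$Disable)   # -Disable sets 1, i.e. the answer's fix; otherwise 0
    $value = if ($Disable) { 1 } else { 0 }
    # 1 gives local Administrators-group members a full token over the network,
    # which is what the WinRM host process needs; apply it only where local
    # accounts genuinely have to manage the machine remotely.
    New-ItemProperty -Path $regKey -Name $regName -PropertyType DWord -Value $value -Force | Out-Null
    if ((Get-RemoteUacFilter) -ne $value) { throw "Failed to set $regName to $value" }
    return $value
}

$before = Get-RemoteUacFilter
Write-Host ("Current {0}: {1}" -f $regName, $(if ($null -eq $before) { '<not set>' } else { $before }))

Set-RemoteUacFilter -Disable | Out-Null          # the answer's fix
Write-Host ("Now {0} = {1}" -f $regName, (Get-RemoteUacFilter))

# Re-test remoting from the management host, e.g.:
# Test-WSMan -ComputerName RDH004 -ErrorAction Stop
```

Run it elevated on the affected server; the value takes effect for new connections without a reboot.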

Cannot connect to server using Enter-PSSession

I'm quite new to PowerShell and am trying to write a script that connects to our web server from our db server and pulls a file across. Unfortunately I'm hitting hurdles straight out of the gate with the following error when trying to use the Enter-PSSession cmdlet:
http://imgur.com/jzpmV6z
I can confirm that PowerShell on the web server is set up and ready to receive connections:
http://imgur.com/o3g4bxK
I am at a loss as to what to check now. Any help would be greatly appreciated.
EDIT: Just to confirm, I am able to RDP into the web server from the db server fine.
If you are not using domain-joined machines and domain user accounts, you will need to add the destination server to your TrustedHosts list:
Set-Item WSMan:\localhost\Client\TrustedHosts -Value "192.168.100.234"
You should check whether you already have machines added first:
Get-Item WSMan:\localhost\Client\TrustedHosts
If you do, you will need to append the new IP address or the previous values will be overwritten.
You should also check the network profiles on both machines. PowerShell remoting will not work with the network profile set to Public.
EDIT:
You need to run Enable-PSRemoting, not winrm qc, to allow PowerShell remoting.
winrm is only half the puzzle.
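The following is an added example that is not part of the answer above: it enables remoting on the target, checks the network profile, and appends the host to TrustedHosts without overwriting the existing list (the -Concatenate switch does the appending the answer warns about). The IP address is the one from the question; Get-NetConnectionProfile assumes Windows 8 / Server 2012 or later.

```powershell
# Added example: Enable-PSRemoting on the target, then add a host to
# TrustedHosts on the client without losing existing entries.
$newHost = '192.168.100.234'   # address from the question (workgroup web server)

# --- on the web server (target), elevated ---
# Enable-PSRemoting -Force    # starts WinRM, creates the listener and firewall rule

# --- on the db server (client), elevated ---
# Enable-PSRemoting refuses to configure a Public profile; check before proceeding.
Get-NetConnectionProfile | Select-Object Name, InterfaceAlias, NetworkCategory

$current = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
$entries = if ([string]::IsNullOrWhiteSpace($current)) { @() }
           else { $current -split ',' | ForEach-Object { $_.Trim() } }

if ($entries -contains $newHost) {
    Write-Host "$newHost is already trusted: $current"
} else {
    # -Concatenate appends; without it, -Value replaces the whole list.
    # A TrustedHosts entry means the client will not verify the server's
    # identity (NTLM, no Kerberos), so list only the hosts you really need.
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value $newHost -Concatenate -Force
    Write-Host "TrustedHosts is now: $((Get-Item WSMan:\localhost\Client\TrustedHosts).Value)"
}

# Verify the transport before trying Enter-PSSession.
Test-WSMan -ComputerName $newHost -ErrorAction Stop
Enter-PSSession -ComputerName $newHost -Credential (Get-Credential -Message 'local admin on the web server')
```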
Hello. I don't have the reputation to post a comment, so read some info
here. If you have a domain you can try to do this: In the Group
Policy MMC: Policies/Administrative Templates/Windows
Components/Windows Remote Management (WinRM)/WinRM Service
Allow Remote Server management through WinRM
Set the policy to Enabled.
Set the IPv4 and IPv6 filters to *
Or you can try to do something like this:
On local host and remote PC
Set-ExecutionPolicy RemoteSigned -Scope CurrentUser -Force | Out-Null
winrm qc -q | Out-Null

Powershell 4.0 Remoting with Non Admin Domain Account

I'm looking for help to properly configure PowerShell Remoting for non-admins on a group of servers. Right now we have a working configuration that allows Admin Domain accounts to successfully connect to the servers with no error. The authentication method we are using is Credssp, using SSL and this works perfectly for a Domain admin account.
On the other hand I have this User Domain Account userTest. This account is mapped to a Domain Group that maps locally (on each server) to the Remote Desktop User Groups. This allows for this user to RDP successfully to this server but has no administrator privileges. It is going to stay that way and it is not an option to make it Local Administrator.
The purpose of this user is to allow non-admin accounts to execute a set of scripts against the server using a restricted session, which works when connecting with a Domain Admin account. The problem comes when I'm trying to connect with the userTest account. The server responds with an Access is Denied error:
[ServerA] Connecting to remote server ServerA failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
    + CategoryInfo          : OpenError: (ServerA:String) [], PSRemotingTransportException
    + FullyQualifiedErrorId : AccessDenied,PSSessionStateBroken
Going through the Analytic event logs I found an error message as follows:
The WSMan service could not launch a host process to process the given request. Make sure the WSMan provider host server and proxy are properly registered.
This is the configuration that I have already setup:
Created a PSSessionConfiguration named RemoteDesktopUsers
Register-PSSessionConfiguration -Name RemoteDesktopUsers -StartupScript C:\Start.ps1
Set-PSSessionConfiguration -Name RemoteDesktopUsers -ShowSecurityDescriptorUI
(Added Remote Desktop Users group to this SessionConfiguration)
So yeah, basically from what I have already Googled, this should be all the configuration you need to be able to PSRemote with non-admin accounts. As I already mentioned, connecting to this session configuration with a Domain Admin account works fine, so I was thinking that I'm missing some kind of permission/privilege/SDDL that allows this user access:
Windows Server 2008 R2 SP1
Powershell 4.0
Winrm ProductVersion = OS: 6.1.7601 SP: 1.0 Stack: 3.0
You're probably running into this problem because of using CredSSP
Any particular reason you have to use CredSSP? The most popular use of CredSSP is for situations in which you need to configure a jump server to remote from one machine into another, and from there out again to another server. It's well known as second-hop functionality and is such a huge security hole that CredSSP is kind of a pain to configure, intentionally.
You have to configure CredSSP in three places: once on the machine from which you'll be remoting, then again on the machine you'll be jumping to, and finally on each machine you'll be connecting to from the jump server.
If you really have to use CredSSP, follow this great guide here on The Scripting Guy's blog.
If you don't need CredSSP
Try this whole process using default/WSMan authorization, and I bet the problems will go away.
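As an added example (not the answer's or the questioner's own code), here is the non-admin endpoint set up with an explicit SDDL that grants the domain group access, then used with default Kerberos authentication instead of CredSSP. The domain, group and server names are constructed placeholders; C:\Start.ps1 and the endpoint name come from the question.

```powershell
# Added example: session configuration for a non-admin domain group,
# connected to with default (Kerberos) authentication, no CredSSP.
$domain   = 'CORP'                 # placeholder
$group    = 'RemoteScriptUsers'    # placeholder domain group containing userTest
$server   = 'ServerA'
$endpoint = 'RemoteDesktopUsers'

# --- on each server, elevated ---
$nt  = New-Object System.Security.Principal.NTAccount($domain, $group)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

# DACL: built-in Administrators and the group get full access (GA) to the endpoint.
# The SACL entries mirror the auditing on the default Microsoft.PowerShell endpoint.
$sddl = "O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;$sid)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)"

Register-PSSessionConfiguration -Name $endpoint -StartupScript 'C:\Start.ps1' `
    -SecurityDescriptorSddl $sddl -Force | Out-Null

# Show the permissions WinRM will actually enforce for this endpoint.
Get-PSSessionConfiguration -Name $endpoint | Select-Object Name, Permission

# --- from the client, as the non-admin account ---
# No -Authentication parameter: the default negotiates Kerberos in a domain.
$cred = Get-Credential -UserName "$domain\userTest" -Message 'non-admin test account'
Invoke-Command -ComputerName $server -ConfigurationName $endpoint -Credential $cred `
    -ScriptBlock { whoami; $PSSenderInfo.ConfigurationName }
```

Register-PSSessionConfiguration restarts the WinRM service, so existing sessions to that server are dropped; the Permission column in the check is the quickest way to confirm the group really made it into the endpoint's ACL.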

PowerShell enter-pssession

I'm using Windows 8.1 and I'm trying to execute commands on another Windows 8.1 machine by using PowerShell (Enter-PSSession or Invoke-Command). I usually get two types of error message: one telling me that access is denied and another one telling me that my firewall does not allow an HTTPS exception. Neither of the computers is a server. I have already tried executing Set-PSSessionConfiguration -ShowSecurityDescriptorUI -Name Microsoft.PowerShell without any result whatsoever.
I have already tried deactivating my firewall and have already added other computers to my list of trusted hosts.
I always put an IP address after enter-pssession. Could this be the source of the problem?
Thanks in advance :)
P.S. Both computers have winrm, IIS and Apache.
All you need to get started with remoting is available in the help:
PS> Get-Help about_Remote_TroubleShooting -ShowWindow
If you're not in a domain, take a look at this section:
HOW TO CONNECT REMOTELY FROM A WORKGROUP-BASED COMPUTER
-------------------------------------------------------
[..]
When the local computer is not in a domain, the following procedure is required
for remoting.
1. Configure the computer for HTTPS transport or add the names of the
remote computers to the TrustedHosts list on the local computer.
[..]

Powershell restrict Remote access on Host

I have three Windows 2008 R2 servers: DEV, UAT and Live. I am deploying web apps between these servers, including IIS setup and config and database backup and restore, via a PowerShell script. I use a PowerShell remote session.
I would like to prevent any machine other than my deployment machine from creating a PowerShell remote session on the host, even if the user is authenticated. Is this possible?
I have looked extensively through the PSRemoting documentation and can't find anything helpful.
Thanks in advance
Read the link below to better understand what needs to be done, but I think you need to set the trusted hosts on the remote servers.
http://blogs.dirteam.com/blogs/sanderberkouwer/archive/2008/02/23/remotely-managing-your-server-core-using-winrm-and-winrs.aspx
This is an excerpt from the blog.
On the Windows Server Core box
Run the following commands on the console of the Server Core box to lower security:
winrm set winrm/config/service/auth @{Basic="true"}
winrm set winrm/config/client @{TrustedHosts="<local>"}
winrm set winrm/config/client @{TrustedHosts="RemoteHost"}
Where RemoteHost is the host you want to be able to connect to the server.
You can also use certificate-based authentication.
http://blogs.msdn.com/b/wmi/archive/2009/03/23/how-to-use-wsman-config-provider-for-certificate-authentication.aspx
If you only want your computer to be able to connect, install the certificate on your computer and don't give it to anyone else.
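The following added example (not code from the answer, the quoted blog, or the help text above) covers both the "configure the computer for HTTPS transport" step quoted from about_Remote_Troubleshooting earlier on this page and the certificate-based authentication this answer suggests: it keeps Basic auth off, replaces the HTTP listener with an HTTPS one, maps a single client certificate to a local account, and limits the WinRM HTTPS port to the deployment machine's address. Thumbprints, host names, the account and the deployment IP are constructed placeholders, and the helper name is an assumption.

```powershell
# Added example: HTTPS listener + client-certificate authentication for WinRM,
# so that only the holder of one client certificate, from one address, can connect.
$fqdn        = 'uat.corp.example'               # placeholder host name of the UAT server
$serverThumb = '<server cert thumbprint>'       # placeholder; cert in Cert:\LocalMachine\My
$caThumb     = '<issuing CA thumbprint>'        # placeholder; CA in Cert:\LocalMachine\Root
$deployUpn   = 'deploy@corp.example'            # placeholder; the SAN UPN inside the client cert
$deployIp    = '10.0.0.5'                       # placeholder; the deployment machine
# Certificate auth maps to a local account on the host (assumption: account exists).
$localAccount = Get-Credential -UserName "$env:COMPUTERNAME\deploy" -Message 'mapped local account'

# --- on the host (UAT), elevated ---
function Remove-HttpListener {
    # Hypothetical helper: drop any plain-HTTP WinRM listener so only HTTPS remains.
    Get-ChildItem WSMan:\localhost\Listener |
        Where-Object { $_.Keys -contains 'Transport=HTTP' } |
        ForEach-Object { Remove-Item -Path $_.PSPath -Recurse }
}

# Keep Basic off (the quoted blog turns it on to lower security).
Set-Item WSMan:\localhost\Service\Auth\Basic -Value $false
Remove-HttpListener

New-Item -Path WSMan:\localhost\Listener -Address * -Transport HTTPS `
    -Hostname $fqdn -CertificateThumbprint $serverThumb -Force | Out-Null

# Certificate authentication: one client cert (subject UPN + issuing CA) -> one account.
Set-Item WSMan:\localhost\Service\Auth\Certificate -Value $true
New-Item -Path WSMan:\localhost\ClientCertificate -Subject $deployUpn -URI * `
    -Issuer $caThumb -Credential $localAccount -Force | Out-Null

# Allow 5986 only from the deployment machine (netsh works on 2008 R2).
netsh advfirewall firewall add rule name="WinRM HTTPS from deploy host" dir=in action=allow `
    protocol=TCP localport=5986 remoteip=$deployIp

# Review the resulting listener and mappings.
Get-ChildItem WSMan:\localhost\Listener
Get-ChildItem WSMan:\localhost\ClientCertificate

# --- on the deployment machine, with the client cert in Cert:\CurrentUser\My ---
$clientThumb = '<client cert thumbprint>'       # placeholder
Invoke-Command -ComputerName $fqdn -UseSSL -CertificateThumbprint $clientThumb `
    -ScriptBlock { hostname; whoami }
```

The client certificate needs the Client Authentication EKU and the UPN in its subject alternative name for WinRM to match the mapping; the firewall scope and the certificate mapping together give the "only my deployment machine" restriction the question asks about, independent of who else holds valid domain credentials.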