Establishing a remote connection between a domain and workgroup computer in PowerShell - powershell

I am trying to establish a PowerShell remote connection to a workgroup computer from a domain-joined computer. Both are on the same network. I am entering the PSSession from an admin account.
I have an admin account on the target computer, which is not the same as the admin account on the client that I am using to establish the remote connection from.
I am passing the credential of the admin account of the target computer to the Enter-PSSession cmdlet but couldn't establish the remote connection.
I have added my local computer's IP to the trusted hosts list on the target system. I can also ping the target system. I am new to PowerShell; what am I doing wrong?
The error I am getting if I use the admin credential of the target system:
Enter-PSSession : Connecting to remote server DESKTOP-XXXXXXX failed with the following error message : WinRM cannot process the
request. The following error with errorcode 0x80090311 occurred while using Kerberos authentication: We can't sign you in with this
credential because your domain isn't available. Make sure your device is connected to your organization's network and try again. If
you previously signed in on this device with another credential, you can sign in with that credential.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does not exist.
-The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS
transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following command: winrm help config. For more information, see the
about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ Enter-PSSession -ComputerName DESKTOP-XXXXXXX -Credential Get-Credent ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (DESKTOP-XXXXXXX:String) [Enter-PSSession], PSRemotingTransportException
+ FullyQualifiedErrorId : CreateRemoteRunspaceFailed

Related

Executing commands on a remote server via winrm failed

I am trying to remotely manage a Windows server which is Azure AD domain-joined. I have activated WinRM on both machines. My user has administrator rights and I am working from an elevated prompt. I have even set the server as a trusted host just in case. No matter what I try, I keep getting this error message.
Connecting to remote server xxx failed with the following error message: The WinRM client cannot process the request. If the authentication schme is different from Kerberos, or if the client computer is not joined to a domain, then HTTPS transport must be used or the destination machine must be added to the TrustedHosts configuration setting. Use winrm.cmd to configure TrustedHosts. Note that computers in the TrustedHosts list might not be authenticated. You can get more information about that by running the following command: winrm help config. For more information, see the about_remote_Troubleshooting Help topic.
CategoryInfo: OpenError: (xxx) [], PSRemotingTranportException
FullyQualifiedErrorId: ServerNotTrusted,PSSessionStateBroken
I am connected via VPN to the company network, and I can also ping the server. I also successfully opened a telnet session to the server on the port WinRM normally uses.
What am I missing?

Invoke-Command only works when domain admin is logged in on remote computer

We have 7 Terminal Servers, and for some reason I can only use Invoke-Command on two of them when the domain administrator is logged on to the servers.
I get this error when I try to use Invoke-Command on them and the domain administrator isn't logged on to them. The other 5 servers have no issue.
As soon as I log in with the remote administrator, it works flawlessly.
[RDH004] Connecting to remote server RDH004 failed with the following error message : The WSMan service could not launch a host process to process the given request. Make s
ure the WSMan provider host server and proxy are properly registered. For more information, see the about_Remote_Troubleshooting Help topic.
+ CategoryInfo : OpenError: (RDH004:String) [], PSRemotingTransportException
+ FullyQualifiedErrorId : 2,PSSessionStateBroken
I did double-check that the service Windows Remote Management (WS-Management) was running, and I did create a GPO (Allow remote server management through WinRM) to allow remote connections.
I did the same thing on all servers to attempt to enable it. All servers are clones from the same template in ESXi, and all servers are running Windows Server 2016.
I've searched far and wide for solutions, but none of the solutions seem to address the same problem, especially since it works if the server I'm trying to send a remote command to has the domain administrator logged in.
The cause of this issue is due to the Windows User Account Control (UAC). The remote account must be a domain account and a member of the remote computer Administrators group. If the account is a local computer member of the Administrators group, then UAC does not allow access to the WinRM service. This error happens even if the account is a Local Administrator and the command line is run with administrator privileges.
To solve the problem, UAC filtering for local accounts must be disabled by creating the following DWORD registry entry and setting its value to 1:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System] LocalAccountTokenFilterPolicy
Additional Information
https://learn.microsoft.com/en-us/windows/win32/winrm/obtaining-data-from-a-remote-computer
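The registry change the answer describes, written as an idempotent PowerShell snippet (added example, not the answer's own code). It runs in an elevated session on the remote computer, creates the DWORD if it is missing, corrects it if it has another value, and reads it back. Nothing here is assumed beyond the key and value name given in the answer.

```powershell
# Added example: create or update LocalAccountTokenFilterPolicy as the answer above describes.
# Run in an elevated PowerShell session on the REMOTE (target) computer.
$key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$name = 'LocalAccountTokenFilterPolicy'

# Read the current value, if any, without throwing when it does not exist
$current = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue

if ($null -eq $current) {
    # Value is absent: create it as REG_DWORD = 1
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 | Out-Null
} elseif ($current.$name -ne 1) {
    # Value exists but is not 1 (the filtering-enabled default is 0 or missing)
    Set-ItemProperty -Path $key -Name $name -Value 1
}

# Setting 1 turns off remote UAC token filtering, so any local member of Administrators
# now receives a full administrative token over the network. Prefer a domain account
# (as the answer recommends) and keep the local admin password unique to this host.
Get-ItemProperty -Path $key -Name $name | Select-Object -ExpandProperty $name
```

The value takes effect for new WinRM connections without a reboot; re-run the Invoke-Command from the client afterwards.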

New-PSSession fails when using DOMAIN\USERNAME but works using USERNAME@DOMAIN.com?

I've just encountered a curious issue in my attempts to connect to a remote Exchange server. I spent a long time unable to establish a session and tried a variety of things until I tried changing the format of the username.
The code I'm running is as follows:
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://<SERVER>.com/PowerShell/ -Authentication Kerberos -Credential $username
If I set $username to "DOMAIN\username", it returns the following error:
New-PSSession : [<SERVER>.com] Connecting to remote server azuks-
mgt01.wagamama.com failed with the following error message : WinRM cannot
process the request. The following error with errorcode 0x80090311 occurred
while using Kerberos authentication: There are currently
no logon servers available to service the logon request.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are
specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port
does not exist.
-The client and remote computers are in different domains and there is no trust
between the two domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the
WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following
command: winrm help config. For more information, see the
about_Remote_Troubleshooting Help topic.
If I set $username to "username@DOMAIN.com", it quite happily establishes a session. I've gone ahead and confirmed that the UPN and SAMAccountName match up for the account. I'm incredibly curious as to what could be the cause of this, as I've always been able to use "DOMAIN\username" on other servers.
If you have any thoughts or ideas I'd like to hear them!

PSRemoting fails through VPN

My laptop is domain-joined and I use PSRemoting just fine from my office. I get an error when trying to connect from outside the office via VPN. I have triple-checked our firewall, but the issue seems to be with the client or server, since "Test-WSMan" succeeds with no issues. I have added the machines to each other's trusted hosts and tried many other things with no success. Please help!
I am a member of Domain Admins and the laptop is on the domain.
Enter-PSSession : Connecting to remote server SERVERNAME failed with the following error message : WinRM cannot
process the request. The following error with errorcode 0x80090311 occurred while using Kerberos authentication: The
are currently no logon servers available to service the logon request.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does not exist.
-The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or
use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following command: winrm help config. For more
information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ Enter-PSSession SERVERNAME
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (SERVERNAME:String) [Enter-PSSession], PSRemotingTransportException
+ FullyQualifiedErrorId : CreateRemoteRunspaceFailed
From the issue, my understanding is as follows:
While adding the trusted hosts, you should add the servers with their FQDN, like
Set-Item wsman:\localhost\Client\TrustedHosts -Value Server01.Domain01.Fabrikam.com
During Enter-PSSession, I would recommend that you not use Kerberos as -Authentication; you can use the default since it's a domain admin account.
I believe the ports are open from the network side since you have already done that. But make sure to cross-check the state of the port: is it listening properly or not?
I believe these points will help you. Normally, VPN does not give this much trouble unless the hops are really complicated.
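A client-side walk-through of what this answer and the first question on this page both turn on (added example; it is not the answer's code). It assumes the FQDN the answer uses, Server01.Domain01.Fabrikam.com, and an assumed local account name "localadmin" on a workgroup target; replace both. Two points the error text states but that are easy to get backwards: TrustedHosts is configured on the client, naming the destination (adding the client's IP on the target, as the first question did, has no effect), and WinRM does not authenticate hosts on that list, so a specific FQDN is safer than '*'. For a workgroup target Kerberos cannot succeed at all; the credential must name the target's local account as COMPUTERNAME\user so Negotiate falls back to NTLM.

```powershell
# Added example (not the answer's own code). Run on the CLIENT in an elevated session.
$target          = 'Server01.Domain01.Fabrikam.com'   # FQDN from the answer; replace
$WorkgroupTarget = $false                             # $true for the workgroup case

# TrustedHosts lives on the client and lists destinations it may send credentials to
# without Kerberos mutual authentication. Read it before changing it.
$current = (Get-Item -Path WSMan:\localhost\Client\TrustedHosts).Value
"Current TrustedHosts: '$current'"

# -Concatenate appends to the list; without it Set-Item silently replaces it.
if (-not (($current -split ',') -contains $target)) {
    Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value $target -Concatenate -Force
}

# Test-WSMan sends an unauthenticated identify request. Success proves DNS, firewall and
# listener, and leaves authentication as the only remaining suspect (the VPN case above).
Test-WSMan -ComputerName $target -ErrorAction Stop | Out-Null

if (-not $WorkgroupTarget) {
    # Domain account: leave -Authentication at its default (Negotiate). It tries Kerberos
    # first and falls back to NTLM when no domain controller is reachable, which is what
    # forcing -Authentication Kerberos prevents.
    Enter-PSSession -ComputerName $target
} else {
    # Workgroup target: prefix the account with the target's NetBIOS name so the client
    # does not try to look the user up in its own domain. "localadmin" is a placeholder.
    $netbios = $target.Split('.')[0]
    $cred = Get-Credential -UserName "$netbios\localadmin" -Message 'Local administrator on the target'
    Enter-PSSession -ComputerName $target -Credential $cred
}
```

If Test-WSMan succeeds but Enter-PSSession still fails with errorcode 0x80090311, the transport is fine and the problem is entirely in the credential or its authentication method, which is where the Event Viewer check from the error text applies.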

WinRM cannot complete the operation. Verify that the specified computer name is valid

When I try to fetch the service information on a remote computer, I get a WinRM error.
PS C:\Windows\system32> invoke-command -computername Node1 -ScriptBlock {gsv}
[Node1] Connecting to remote server Node1 failed with the following error
message : WinRM cannot complete the operation. Verify that the specified computer
name is valid, that the computer is accessible over the network, and that a firewall
exception for the WinRM service is enabled and allows access from this computer. By
default, the WinRM firewall exception for public profiles limits access to remote computers
within the same local subnet. For more information, see the about_Remote_Troubleshooting Help topic.
+ CategoryInfo : OpenError: (Node1:String) [], PSRemotingTransportException
+ FullyQualifiedErrorId : WinRMOperationTimeout,PSSessionStateBroken
Try the workaround below to fix the WinRM issue.
Connect to the remote server and run the command below from cmd as an administrator.
C:\Windows\system32>WinRM quickconfig
WinRM service is already running on this machine.
WinRM is not set up to allow remote access to this machine for management.
The following changes must be made:
Create a WinRM listener on HTTP://* to accept WS-Man requests to any IP on this
machine.
Make these changes [y/n]? y
WinRM has been updated for remote management.
Created a WinRM listener on HTTP://* to accept WS-Man requests to any IP on this
machine.
Have you checked the remote computer's firewall rules? The default rule only allows IPs in the local subnet.
To allow other IPs:
Open Windows Firewall with Advanced Security
Click Inbound Rules
Double-click Windows Remote Management (HTTP-In) for the Public profile
Click the Scope tab
Under Remote IP address, add any IPs you need
Is WinRM enabled on both computers?
Run
winrm quickconfig
and check it.
Have you checked port 5985?
Try to telnet to the port using the IP address:
Open CMD, run as administrator
telnet 10.xx.xx.xxx 5985