Powershell CREDSSP Problems - powershell

I am trying to use CREDSSP on a New Server (Server C)
I have successfully setup credssp on Two Other Servers. (Server A to Server B)
I am now trying to connect from Server A to Server C using CREDSSP, but no matter what I do, I get the following error:
[SERVER_C.domain.edu] Connecting to remote server SERVER_C.domain.edu failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
+ CategoryInfo : OpenError: (SERVER_C.domain.edu:String) [], PSRemotingTransportException
+ FullyQualifiedErrorId : AccessDenied,PSSessionStateBroken
This is my query that works perfectly from Server A to Server B:
# Setting the Credentials to be used to sign into the Server B.
$pass = ConvertTo-SecureString "Password" -asplaintext -force
$mycred = new-object -typename System.Management.Automation.PSCredential -argumentlist "domain\user.service",$pass
#
#
# The Remote Execution Command. Fully Qualified Domain name is critical since we are using Credssp.
# Credssp is being used to resolve an issue with a double hop authentication issue. Other steps setup on each computer had to be completed before Credssp would work
Invoke-Command -ComputerName SERVER_B.domain.edu -command { C:\helloWorld.ps1 } -Authentication Credssp -Credential $mycred
I have double checked everything I can think of between Server C (New Server) and Server B (Old Server) and I cant find any reason why im getting the error.
I know that if I take out the CREDSSP part, The script works, except where a double hop is involved. So the Server is definitely connecting.
I made sure to run the following commands:
Enable-psremoting
Set-ExecutionPolicy -Scope localMachine -ExecutionPolicy RemoteSigned
Enable-WSManCredSSP -Role Client -DelegateComputer '*.reskit.org' –Force
Enable-WSManCredSSP -Role Server –Force
wsman
Also followed these steps: Use gpedit.msc and look at the following policy: Computer Configuration -> Administrative Templates -> System
-> Credentials Delegation -> Allow Delegating Fresh Credentials. Verify that it is enabled and configured with an SPN appropriate for the target computer. For example,
for a target computer name "myserver.domain.com", the SPN can be one of the following: WSMAN/myserver.domain.com or WSMAN/*.domain.com. For more information, see the
about_Remote_Troubleshooting Help topic.
And as I mentioned, I know Server A is setup correctly, because I run the script above to Server B without issue.
Any suggestions would really be appreciated.
The only thought I have is that Server A and B are running Powershell 3 and Server C is running Powershell 5

I notice that the Enable-WSManCredSSP -Role Client command uses *.reskit.org instead of *.domain.eu.(?)
To me it's not completely clear which commands were run at the server or at the client, but look OK at first sight. I recently configured credssp also to solve the double hop problem, as follows:
On the server:
Enable-WSManCredSSP -Role Server -Force
Get-WSManCredSSP shows: The machine is not configured to allow delegating fresh credentials. This computer is configured to receive credentials from a remote client computer.
On the client:
winrm quickconfig
Enable-WSManCredSSP -role client *.mydomain.com
Get-WSMancredSSP shows:
The machine is configured to allow delegating fresh credentials to the following target(s): wsman/*.mydomain.com. This computer is not configured to receive credentials from a remote client computer.
My clientside script starts an explicit remote session via:
$session = New-PSSession -Computer $computerName -Credential $credential -Authentication Credssp

Related

How to execute powershell script from server1 for deploying wsp in server2

I am trying to remotely deploy wsp file present in server2 by running a powershell script in server1.
I am able to successfully log in to the server2 through server1 using the below command:
$password = ConvertTo-SecureString "password" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("username",$password)
but I am not able to deploy the wsp file. This is the code that I tried:
Enter-PSSession -ComputerName server2 -Credential $cred
Add-PSSnapin Microsoft.Sharepoint.Powershell –EA 0
Update-SPSolution -Identity TechSoup.Web.wsp -LiteralPath "C:\Program Files ...Debug\Some.wsp" -GacDeployment
I have also tried to put the above code in a script, save it and run the script remotely.
This is the error that I am getting. I believe it is because I don't have admin privileges, I can say this because when I run the deployment code from server2 as admin, the wsp file is getting deployed. So, how can I get admin privileges remotely. The user has the admin privileges, all I need to do is run it with elevated privileges(like right-click and run as admin, but programatically)
Update-SPSolution : Cannot access the local farm. Verify that the
local farm is properly configured, currently available, and that you
have the appropriate permissions to access the database before trying
again
EDIT
I have tried the below script code in admin mode in powershell:
$password = ConvertTo-SecureString "serverpassword" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("userName",$password)
Enable-PSRemoting
Enable-WSmanCredSSP -Role Server
winrm set winrm/config/winrs '#{MaxShellsPerUser="25"}'
winrm set winrm/config/winrs '#{MaxMemoryPerShellMB="600"}'
Enter-PSSession -ComputerName Server2 -Credential $cred -Authentication credssp
However, I keep getting this error:
Enter-PSSession : Connecting to remote server Server2 failed
with the following error message : The WinRM client cannot process
the request. CredSSP authentication is currently disabled in the
client configuration. Change the client configuration and try the
request again. CredSSP authentication must also be enabled in the
server configuration. Also, Group Policy must be edited to allow
credential delegation to the target computer. Use gpedit.msc and look
at the following policy: Computer Configuration -> Administrative
Templates -> System -> Credentials Delegation -> Allow Delegating
Fresh Credentials. Verify that it is enabled and configured with an
SPN appropriate for the target computer. For example, for a target
computer name "myserver.domain.com", the SPN can be one of the
following: WSMAN/myserver.domain.com or WSMAN/*.domain.com For more
information, see the about_Remote_Troubleshooting Help topic
No matter what I try, I get this error. I have tried these techniques:
Allowed Delegating fresh credentials as well as NTLM fresh credentials in GPEdit.
I have tried the script present in This link
I have added user privileges in compmgmt.msc at
Remote Desktop Users
WinRMRemoteWMIUsers__
WSS_ADMIN_WPG
Remote Management Users
Can anyone suggest any thing ??
In order to run SharePoint commands remotely please follow the steps outlined in: Remote PowerShell to Manage SharePoint on-premises
Essentially, after enabling remoting, you have to enable CredSSP access in order for your credentials to be sent to the remote and local computer in order for you to run elevated commands.
On the server:
Enable-PSRemoting
Enable-WSmanCredSSP -Role Server
winrm set winrm/config/winrs '#{MaxShellsPerUser="25"}'
winrm set winrm/config/winrs '#{MaxMemoryPerShellMB="600"}'
And on the client:
Enable-PSRemoting
Enable-WSmanCredSSP -Role Client -DelegateComputer "server2.contoso.com"
Then on the client you can enter the session:
Enter-PSSession -ComputerName server2 -Credential $cred -Authentication Credssp

Remote Execution of a PowerShell script results in "The WinRM client cannot process the request. [...] HTTPS transport must be used [...]"

I have written a PowerShell script which uninstall a program and install a newer version of the program on my servers (Update Programs). Now I want to create another script which run the aforementioned script on the servers. Consider that I have to connect to my servers through using IPs, UserName and password and using domain is not an option.
How is this possible?
PowerShell version is 4
I have tried this code to simply get date:
$User = "administrator"
$PWord = ConvertTo-SecureString -String "Password1234" -AsPlainText -Force
$Credential = New-Object -TypeName "System.Management.Automation.PSCredential" -ArgumentList $User, $PWord
$session = New-PSSession -ComputerName '10.60.60.100' -Credential $Credential
Invoke-Command -Session $session -ScriptBlock {Get-Date}
and I got this error:
New-PSSession : [10.60.60.100] Connecting to remote server 10.60.60.100 failed with the following error message : The WinRM client cannot process the request. If the authentication scheme is different from Kerberos, or if the client computer is not joined to a domain, then HTTPS transport must be used or the destination machine must be added to the TrustedHosts configuration setting. Use winrm.cmd to configure TrustedHosts. Note that computers in the TrustedHosts list might not be authenticated. You can get more information about that by running the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
This is because you’re not running your command from a trusted host, or because the remote computers wsman service isn’t configured properly. I’d start by running the following command to configure wsman on the remote machine:
wsman quickconfig
If that doesn’t fix the problem, then you need to add your computer to the remote machines trusted hosts. You can do that by running the following:
winrm s winrm/config/client '#{TrustedHosts="RemoteComputer"}'

Error when to resolve Double Hop issue with powershell

Today we need to resolve double hop issue with PowerShell.
But it is failed when we do following try:
Machines: client1, server1, networkpath
One client1 run following:
$session = New-PSSession -Computer server1 -Authentication Credssp -Credential "username"
Following error thrown:
New-PSSession : [server1] Connecting to remote server server1 failed with the
following error message : The WinRM client cannot process the request. The
authentication mechanism requested by the client is not supported by the server
or unencrypted traffic is disabled in the service configuration. Verify the
unencrypted traffic setting in the service configuration or specify one of the
authentication mechanisms supported by the server. To use Kerberos, specify the
computer name as the remote destination. Also verify that the client computer
and the destination computer are joined to a domain. To use Basic, specify
the computer name as the remote destination, specify Basic authentication and
provide user name and password. Possible authentication mechanisms reported by
server: Negotiate For more information, see the about_Remote_Troubleshooting
Help topic.
At line:1 char:12
+ $session = New-PSSession -Computer server1 -Authentication Credssp -Creden ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotin gTransportException
+ FullyQualifiedErrorId : AccessDenied,PSSessionOpenFailed
We have done following configuration:
Client1:
Enable-WSManCredSSP -Role Client -DelegateComputer Server1
Server1:
Enable-WSManCredSSP -Role Server
All servers are in workgroup.
Following suggestions from Resolve Double-Hop Issue in PowerShell Remoting
following steps can fix the err
Run gpedit.msc on client.
Expand to Local Computer Policy -> Computer
Configuration -> Administrative Templates -> System -> Credentials
Delegation.
Double click Allow Delegating Fresh Credentials with NTLM-only Server Authentication.
Enable Allow Delegating Fresh Credentials.
Click Show... and add wsman/Server1.
Click several OK to close the popup dialogs.
Now we can run following script successful on client:
$session = New-PSSession -Computer server1 -Authentication Credssp -Credential "username"
Enter-PSSession $session
Test-Path "NetWorkPath"
Posting this solution in case someone is still having an issue with a simple resolution to DoubleHop without using CredSSP.
Try this out:
https://www.powershellgallery.com/packages/Invoke-PSSession
It Invokes a PSSession, then Registers a PSSessionConfiguration with the Credentials that you provided. Basically providing the credentials for that DoubleHop

Cannot create remote powershell session after Enable-PSRemoting

I can not remote into any machine to save my life! I have tried everything I can find. If anyone could troubleshoot or guide me, I'd appreciate it as this would be a great tool to add on my domain.
SETUP:
Client machine inside domain
Server machine inside or outside domain - Virtualized and utilized for WSUS Computername: wsustest
CLIENT SERVER MACHINE physical- computername: epizzi-pc
STEPS:
enable-pssremoting done! on all machines
trustedhosts configured with * or client machine added
Firewalls with public profile off just in case
Enter-PSSession -ComputerName wsustest -Credential wsustest\administrator
Enter-PSSession -ComputerName epizzi-pc -Credential epizzi-pc\administrador
Enter-PSSession : Connecting to remote server epizzi-pc failed with the following error message : WinRM cannot process the request. The following error with errorcode 0x80090311
occurred while using Kerberos authentication: There are currently no logon servers available to service the logon request.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does not exist.
-The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ Enter-PSSession -ComputerName epizzi-pc -Credential epizzi-pc\administrador
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (epizzi-pc:String) [Enter-PSSession], PSRemotingTransportException
+ FullyQualifiedErrorId : CreateRemoteRunspaceFailed
Enter-PSSession -ComputerName wsustest -UseSSL -Credential wsustest\administrator
*Enter-PSSession : Connecting to remote server wsustest failed with the following error message : WinRM cannot complete the operation. Verify that the specified computer name is
valid, that the computer is accessible over the network, and that a firewall exception for the WinRM service is enabled and allows access from this computer. By default, the WinRM
firewall exception for public profiles limits access to remote computers within the same local subnet. For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ Enter-PSSession -ComputerName wsustest -UseSSL -Credential wsustest\administrato ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (wsustest:String) [Enter-PSSession], PSRemotingTransportException
+ FullyQualifiedErrorId : CreateRemoteRunspaceFailed*
ERRORs:
I was receiving the same problem when remoting to a server and found this blog post very helpful - http://jeffgraves.me/2013/10/14/powershell-remoting/
For my specific case I did the following:
On the Local machine
winrm quickconfig (although this was already configured)
winrm s winrm/config/client '#{TrustedHosts="myservername.domain"}'
On the Remote machine
enable-psremoting -force
Set-PSSessionConfiguration -ShowSecurityDescriptorUI -Name Microsoft.PowerShell -Force
I got around this problem by using a fully qualified logon. Instead of "netbiosdomain\accountname", I used fqdn\accountname, as in Microsoft.com\myaccount in the get-credential prompt. May not work for everyone, but it's worth a shot.
This is how I do it. I use this on my scripts.
# This is only done once
Read-Host -AsSecureString | ConvertFrom-SecureString | Out-File
c:\Windows\temp\securepass.txt
# Setup credentials
$SecureString = Get-Content c:\Windows\temp\securepass.txt | ConvertTo-SecureString
$mycredentials = New-Object -TypeName System.Management.Automation.PSCredential
-ArgumentList "yourDomain\userID",$SecureString
# Open remote session:
$MyRSession = New-PSSession -ComputerName Computer1 -Credential $mycredentials
-Authentication default
# Use remote session:
Enter-PSSession $MyRSession
Get rid of -UseSSL. I enabled PSRemoting and had problems with using that. I guess I could look at it later but for now it doesn't matter.
If there is no trust between the client and server computers, you have to enable basic authentication on the server side. Do this by toggling the correct properties on the WSMAN: drive on the server. You'll obviously have to do this interactively on the console or via remote desktop, due to the chicken and egg problem :) Also, this may come into play too:
http://www.nivot.org/blog/post/2009/10/30/PowerShell20EnablingRemotingWithVirtualXPModeOnWindows7
I was getting that same error currently no logon servers available.
The issue was resolved by using instead of Domain\Username as credentials the user UPN or Username#Domain.
I have achieved a remote session with Enter-pssession command, had to follow these exact parameters
$creds = get-credential (the -credential parameter in enter-pssession does not work properly, thus u must previously enter the object at another variable)
Enter-pssession -computername wsustest -authentication Default -credentials $creds
i Also had to set both client and remote server in the trusted hosts wsman: space
another solution which surely wouldve worked but i havent tried, wouldve been setting https: which is harder to do.
thx to all, your comments certainly led to the solution!

PowerShell remote call. Access is denied

In order to automate test releases, I need access to remote computer in other domain group.
What I've done on remote computer:
run Enable-PSRemoting
set TrustedHosts "*"
added https listener with self-signed certificate
opened 5985 and 5986 ports
So now scripts are running successfuly via PowerShell console.
But when I'm trying to run remote script via TeamCity agent I've been receiving following error:
Connecting to remote server failed with the following error message :
Access is denied. For more information, see the
about_Remote_Troubleshooting Help topic.
TeamCity agent service is running with Local System rights.
Session initialization
$password = ConvertTo-SecureString $appServerPwd -AsPlainText -Force
$appCred = New-Object System.Management.Automation.PsCredential($appServerUser,$password)
$rs = New-PSSession -ComputerName $appServer -Credential $appCred -UseSSL -SessionOption (New-PSSessionOption -SkipCACheck -SkipCNCheck) -Authentication Negotiate
Also when I'm trying to make remote call to domain computer via TeamCity everything works.
Do you have any idea how to solve this issue ?
Dima
I've found the problem, as soon I changed "Local System" user to Administrator user on TeamCity agent service, everything started to work.
So the issues was in rights (starting PSSesion) between "Local System" and Administrator.