Create New User on ADFS by running remote PowerShell command - powershell

I have a problem with communication between two hosts. In detail, I have two hosts on a LAN:
1) [A] 192.168.1.10: On this host I have Windows Server 2012 R2
2) [B] 192.168.1.12: On this host I have Windows Server 2003 with ADFS installed.
My problem is:
I have to add a new user on ADFS by running a PowerShell script on the first host (192.168.1.10).
I tried this solution:
On host A I execute the following PowerShell script to run remote PowerShell commands:
$pw = ConvertTo-SecureString -AsPlainText -Force -String "<mypassword>"
$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "DOMAIN\User", $pw
# New-PSSession returns a session object that can be reused; Enter-PSSession only opens an interactive prompt and returns nothing
$session = New-PSSession -ComputerName 192.168.1.12 -Credential $cred
This instantiates a remote connection with host B, which has ADFS.
On host B I have a script "CreateADUser.ps1" that adds a new record to ADFS. But I don't like this solution.
Can I connect directly to ADFS on host B from host A?
What should I do when I have more requests on host A?
Important information:
I can't use host B directly; I have to go through host A.
What is your solution?
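One way to keep the script on host A, push it to host B over the existing session, and serve many requests without reconnecting each time. This is an added example, not code from the question; it assumes host B is 192.168.1.12, that the script lives at C:\Scripts\CreateADUser.ps1 on host A, and that it accepts a single user-name parameter (the real script's parameters are not shown in the post).

```powershell
# Added example (not from the original question). Host A runs its own copy of
# CreateADUser.ps1 on host B via -FilePath, and reuses one session for all
# requests instead of opening a session per user.
# Assumptions: host B = 192.168.1.12; script path on host A =
# C:\Scripts\CreateADUser.ps1; the script takes one positional user-name argument.
$HostB      = '192.168.1.12'
$ScriptPath = 'C:\Scripts\CreateADUser.ps1'

# Prompt for the password instead of embedding it in the script.
$Cred = Get-Credential -UserName 'DOMAIN\User' -Message "Password for $HostB"

# One persistent session; every request below goes through it.
$Session = New-PSSession -ComputerName $HostB -Credential $Cred

# Constructed sample input: the users to create in this batch.
$NewUsers = @('alice', 'bob', 'carol')

try {
    foreach ($User in $NewUsers) {
        # -FilePath reads the script from host A and executes its contents on host B,
        # so nothing has to be copied to or maintained on host B.
        # -ArgumentList binds to the script's parameters on the remote side.
        Invoke-Command -Session $Session -FilePath $ScriptPath -ArgumentList $User
    }
}
finally {
    # Always tear down the remote runspace, even if a request fails.
    Remove-PSSession -Session $Session
}
```

If the script on host B needs to call a third machine (for example an ADFS or AD server that is not host B itself), the credential is not forwarded by default; that second hop is the double-hop problem discussed in the CredSSP thread further down this page.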

Related

Remote Execution of a PowerShell script results in "The WinRM client cannot process the request. [...] HTTPS transport must be used [...]"

I have written a PowerShell script which uninstalls a program and installs a newer version of the program on my servers (Update Programs). Now I want to create another script which runs the aforementioned script on the servers. Consider that I have to connect to my servers using IPs, user name and password; using a domain is not an option.
How is this possible?
PowerShell version is 4.
I have tried this code to simply get the date:
$User = "administrator"
$PWord = ConvertTo-SecureString -String "Password1234" -AsPlainText -Force
$Credential = New-Object -TypeName "System.Management.Automation.PSCredential" -ArgumentList $User, $PWord
$session = New-PSSession -ComputerName '10.60.60.100' -Credential $Credential
Invoke-Command -Session $session -ScriptBlock {Get-Date}
and I got this error:
New-PSSession : [10.60.60.100] Connecting to remote server 10.60.60.100 failed with the following error message : The WinRM client cannot process the request. If the authentication scheme is different from Kerberos, or if the client computer is not joined to a domain, then HTTPS transport must be used or the destination machine must be added to the TrustedHosts configuration setting. Use winrm.cmd to configure TrustedHosts. Note that computers in the TrustedHosts list might not be authenticated. You can get more information about that by running the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
This is because you're not running your command from a trusted host, or because the remote computer's WSMan service isn't configured properly. I'd start by running the following command to configure WSMan on the remote machine:
winrm quickconfig
If that doesn't fix the problem, then you need to add your computer to the remote machine's trusted hosts. You can do that by running the following:
winrm set winrm/config/client '@{TrustedHosts="RemoteComputer"}'
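The error in the question follows from connecting by IP address: Kerberos cannot be used for an IP, so WinRM falls back to NTLM, and the client then insists on either HTTPS or a TrustedHosts entry. TrustedHosts is a client-side list: it names the remote computers this client will send NTLM credentials to without mutual authentication. The following is an added example, not part of the answer above; it assumes the target address 10.60.60.100 from the question and a local account named administrator.

```powershell
# Added example (not from the original answer). Run in an elevated PowerShell on
# the CLIENT, i.e. the machine that calls New-PSSession.
# Assumed target (from the question): 10.60.60.100; account name is a placeholder.
$Target = '10.60.60.100'

function Add-TrustedHost {
    param([Parameter(Mandatory)][string]$HostName)
    $current = (Get-Item -Path WSMan:\localhost\Client\TrustedHosts).Value
    $entries = @($current -split ',' | ForEach-Object Trim | Where-Object { $_ })
    if ($entries -contains $HostName -or $entries -contains '*') {
        return $entries          # already trusted; do not add a duplicate entry
    }
    # -Concatenate appends to the existing list instead of replacing it.
    # Never put '*' here: it lets this client hand its credentials to any host
    # that answers on port 5985, trusted or not.
    Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value $HostName -Concatenate -Force
    return ((Get-Item -Path WSMan:\localhost\Client\TrustedHosts).Value -split ',')
}

Add-TrustedHost -HostName $Target

# Prompt for the password instead of embedding "Password1234" in the script.
$Credential = Get-Credential -UserName 'administrator' -Message "Password for $Target"

# Unauthenticated probe: confirms the listener answers before trying a session.
Test-WSMan -ComputerName $Target

$session = New-PSSession -ComputerName $Target -Credential $Credential
try {
    Invoke-Command -Session $session -ScriptBlock { Get-Date }
}
finally {
    Remove-PSSession -Session $session
}
```

The alternative that needs no TrustedHosts entry at all is an HTTPS listener on the target and `New-PSSession -UseSSL`; the certificate then authenticates the server, which a TrustedHosts entry never does.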

How to infer PowerShell Enter-PSSession arguments from an .rdp file?

I normally use Windows Remote Desktop to connect to a server machine. All connection configs are saved in an .rdp file.
I want to instead use PowerShell to connect to that same server, in a similar fashion as SSH. I researched and found about PowerShell remoting with Enter-PSSession, but I don't know what arguments to give it.
What I know so far:
Client machine OS: Windows 10. Host machine OS: Windows Server 2012 R2.
Client and host machines are in different networks/Active Directories. Simply running Enter-PSSession <HOSTNAME> doesn't work.
Host machine's PSRemoting is enabled. If I'm on a machine in its same AD, it can be connected to with Enter-PSSession <HOSTNAME>.
My question is, if I have a working .rdp file, can I infer what's needed to PSRemote to a remote server? Or even better, can I pass that .rdp file to a PS command to make the shell connection?
If trust is present, this should work.
Enter-PSSession -Computername <FQDN>
If no trust, you have to pass a PowerShell credential object. This should be a credential that has access on the target machine. The .rdp file cannot help at all.
Enter-PSSession -Computername <FQDN> -Credential $CustomPScredentialObject
You can create a credential object by:
$CustomPScredentialObject = Get-Credential "Domain\UserID" #this will give an interactive prompt for password
Non-interactive Credential Object:
$SecurePassword = "PlaintextPassword" | ConvertTo-SecureString -Force -AsPlainText
$CustomPScredentialObject = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "Domain\userid", $SecurePassword
Now you can use this credential object for PSSession.
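An .rdp file is a plain text list of name:type:value settings. It never contains the password, so the credential still has to be supplied as the answer says, but its full address and username fields are enough to seed the remoting call. The following parser is an added example, not code from the answer; the sample .rdp content in it is constructed for illustration.

```powershell
# Added example (not from the original answer). Reads the two .rdp fields that
# matter for PSRemoting and builds the Enter-PSSession arguments from them.
# The file content below is constructed; the host and user names are placeholders.
function Get-PSRemotingArgsFromRdp {
    param([Parameter(Mandatory)][string]$Path)

    # .rdp lines look like "name:type:value"; type 's' = string, 'i' = integer.
    $settings = @{}
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^(?<name>[^:]+):(?<type>[si]):(?<value>.*)$') {
            $settings[$Matches.name] = $Matches.value
        }
    }
    if (-not $settings.ContainsKey('full address')) {
        throw "No 'full address' entry found in $Path"
    }

    # 'full address' may carry the RDP port (host:3389). WinRM listens on its own
    # ports (5985/5986), so strip it. Leave bracketed IPv6 literals untouched.
    $address = $settings['full address'].Trim()
    if ($address -notmatch '^\[' -and $address -match '^(?<host>[^:]+):\d+$') {
        $address = $Matches.host
    }

    [pscustomobject]@{
        ComputerName = $address
        UserName     = $settings['username']   # $null when the file has no username line
    }
}

# Constructed sample .rdp file (only the relevant lines are shown).
$rdpPath = Join-Path -Path $env:TEMP -ChildPath 'example.rdp'
@'
full address:s:server01.corp.example.com:3389
username:s:CORP\jdoe
prompt for credentials:i:1
'@ | Set-Content -Path $rdpPath

$remoting = Get-PSRemotingArgsFromRdp -Path $rdpPath
$remoting    # ComputerName = server01.corp.example.com, UserName = CORP\jdoe

# The password is typed at the prompt, never read from the file.
$cred = Get-Credential -UserName $remoting.UserName -Message "Password for $($remoting.ComputerName)"

# No-trust case from the question: pass the credential explicitly.
# Enter-PSSession -ComputerName $remoting.ComputerName -Credential $cred
```

Because the client and host sit in different forests with no trust, Kerberos is unavailable and the connection falls back to NTLM; the client will then require either an HTTPS listener on the host (`-UseSSL`) or a TrustedHosts entry for that name, as in the WinRM error discussed earlier on this page.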

Get 'Access denied' on Invoke-Command for administrator

I have the following issue: I am trying to run a remote command on my server (Windows Server 2012 R2) via a PowerShell command. The PowerShell script looks like this:
$password = ConvertTo-SecureString $pass -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PsCredential($deployadmin,$password)
$scriptBlock1 = {Get-NetAdapter}
Invoke-Command -computername $server -Credential $credentials -scriptblock $scriptBlock1
and I get the error 'Access is denied'.
I've tried running Enable-PSRemoting on the server to allow remote connections.
I use the credentials of a user that is an Administrator on that server.
The strange thing is that this command succeeds with the credentials of another user on this server, who is also an Administrator.
What am I missing?
Thanks for any advice.
Update:
The command Test-WSMan $server succeeds.
I tried the command winrm quickconfig; the system suggested setting up remote access, and after the configuration the Invoke-Command command executed without errors.
I would be grateful if anyone would explain this behavior.
Fun!
When you execute winrm quickconfig the following happens:
Starts the WinRM service
Sets the WinRM service type to auto start
Creates a listener to accept requests on any IP address
Enables the firewall exception for WS-Management traffic (for HTTP only)
This article has additional detail.
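A check for each of the four items the answer lists, so that a server can be inspected before and after running winrm quickconfig. This is an added example and not part of the answer; it runs on the target server in an elevated PowerShell and also reports the UAC token-filter setting, which is a common cause of "Access is denied" over WinRM for local (non-domain) administrator accounts other than the built-in Administrator.

```powershell
# Added example (not from the original answer). Run on the TARGET server as an
# administrator. Reports the state of everything `winrm quickconfig` configures.
function Test-WinRMConfig {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='WinRM'"

    # Each listener is a container under WSMan:\localhost\Listener whose child
    # items are its properties (Transport, Address, Port, ...).
    $listeners = Get-ChildItem -Path WSMan:\localhost\Listener -ErrorAction SilentlyContinue |
        ForEach-Object {
            $props = @{}
            Get-ChildItem -Path $_.PSPath | ForEach-Object { $props[$_.Name] = $_.Value }
            [pscustomobject]@{
                Transport = $props['Transport']
                Address   = $props['Address']
                Port      = $props['Port']
            }
        }

    # Built-in rule names for the WinRM HTTP firewall exception.
    $fwRules = Get-NetFirewallRule -Name 'WINRM-HTTP-In-TCP*' -ErrorAction SilentlyContinue

    # 1 = a remote logon by a local admin gets a full (unfiltered) token.
    # Enable-PSRemoting sets this; without it, local admins other than the
    # built-in Administrator are denied over WinRM.
    $regPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $tokenFilter = (Get-ItemProperty -Path $regPath -Name LocalAccountTokenFilterPolicy `
                        -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy

    [pscustomobject]@{
        ServiceRunning            = ($svc.State -eq 'Running')
        ServiceAutoStart          = ($svc.StartMode -eq 'Auto')
        HttpListener              = [bool]($listeners | Where-Object Transport -eq 'HTTP')
        HttpsListener             = [bool]($listeners | Where-Object Transport -eq 'HTTPS')
        FirewallRuleEnabled       = [bool]($fwRules | Where-Object { "$($_.Enabled)" -eq 'True' })
        LocalAdminTokenFilterOff  = ($tokenFilter -eq 1)
        Listeners                 = $listeners
    }
}

$state = Test-WinRMConfig
$state | Format-List

# Anything reported as False is what winrm quickconfig / Enable-PSRemoting would change.
$state.PSObject.Properties |
    Where-Object { $_.Value -is [bool] -and -not $_.Value } |
    ForEach-Object { Write-Warning "Not configured: $($_.Name)" }
```

Note that HttpsListener is expected to be False after a plain winrm quickconfig; it only creates the HTTP listener, as the answer says.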

Powershell CREDSSP Problems

I am trying to use CREDSSP on a New Server (Server C)
I have successfully setup credssp on Two Other Servers. (Server A to Server B)
I am now trying to connect from Server A to Server C using CREDSSP, but no matter what I do, I get the following error:
[SERVER_C.domain.edu] Connecting to remote server SERVER_C.domain.edu failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
+ CategoryInfo : OpenError: (SERVER_C.domain.edu:String) [], PSRemotingTransportException
+ FullyQualifiedErrorId : AccessDenied,PSSessionStateBroken
This is my query that works perfectly from Server A to Server B:
# Setting the Credentials to be used to sign into the Server B.
$pass = ConvertTo-SecureString "Password" -asplaintext -force
$mycred = new-object -typename System.Management.Automation.PSCredential -argumentlist "domain\user.service",$pass
#
#
# The Remote Execution Command. Fully Qualified Domain name is critical since we are using Credssp.
# Credssp is being used to resolve an issue with a double hop authentication issue. Other steps setup on each computer had to be completed before Credssp would work
Invoke-Command -ComputerName SERVER_B.domain.edu -command { C:\helloWorld.ps1 } -Authentication Credssp -Credential $mycred
I have double-checked everything I can think of between Server C (new server) and Server B (old server) and I can't find any reason why I'm getting the error.
I know that if I take out the CredSSP part, the script works, except where a double hop is involved. So the server is definitely connecting.
I made sure to run the following commands:
Enable-psremoting
Set-ExecutionPolicy -Scope localMachine -ExecutionPolicy RemoteSigned
Enable-WSManCredSSP -Role Client -DelegateComputer '*.reskit.org' -Force
Enable-WSManCredSSP -Role Server -Force
wsman
Also followed these steps: Use gpedit.msc and look at the following policy: Computer Configuration -> Administrative Templates -> System
-> Credentials Delegation -> Allow Delegating Fresh Credentials. Verify that it is enabled and configured with an SPN appropriate for the target computer. For example,
for a target computer name "myserver.domain.com", the SPN can be one of the following: WSMAN/myserver.domain.com or WSMAN/*.domain.com. For more information, see the
about_Remote_Troubleshooting Help topic.
And as I mentioned, I know Server A is setup correctly, because I run the script above to Server B without issue.
Any suggestions would really be appreciated.
The only thought I have is that Server A and B are running PowerShell 3 and Server C is running PowerShell 5.
I notice that the Enable-WSManCredSSP -Role Client command uses *.reskit.org instead of *.domain.edu. (?)
To me it's not completely clear which commands were run on the server and which on the client, but they look OK at first sight. I recently configured CredSSP to solve the double-hop problem as well, as follows:
On the server:
Enable-WSManCredSSP -Role Server -Force
Get-WSManCredSSP shows: The machine is not configured to allow delegating fresh credentials. This computer is configured to receive credentials from a remote client computer.
On the client:
winrm quickconfig
Enable-WSManCredSSP -role client *.mydomain.com
Get-WSMancredSSP shows:
The machine is configured to allow delegating fresh credentials to the following target(s): wsman/*.mydomain.com. This computer is not configured to receive credentials from a remote client computer.
My client-side script starts an explicit remote session via:
$session = New-PSSession -Computer $computerName -Credential $credential -Authentication Credssp
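The client-side half of CredSSP is a delegation allow-list: Enable-WSManCredSSP -Role Client writes the same registry values that the "Allow Delegating Fresh Credentials" policy quoted in the question sets, and the target's SPN (WSMAN/host) must match one of its entries. The following is an added example, not code from either answer; it assumes SERVER_C.domain.edu as the target and a constructed file-server share as the second hop. One caveat a practitioner should weigh first: CredSSP sends the user's clear-text credential to the target, which can then act as that user anywhere, so the DelegateComputer list should name only the hosts that need it.

```powershell
# Added example (not from the posts above). Scopes CredSSP delegation to one
# target, verifies the client-side policy, and runs a double-hop test.
# Assumed names: target SERVER_C.domain.edu; second-hop share
# \\fileserver.domain.edu\share (constructed); service account domain\user.service.
$Target   = 'SERVER_C.domain.edu'
$HopShare = '\\fileserver.domain.edu\share'

# --- on the target (SERVER_C), elevated ---
#   Enable-WSManCredSSP -Role Server -Force

# --- on the client (SERVER_A), elevated ---
# Delegate to the one target only, not to '*.domain.edu'.
Enable-WSManCredSSP -Role Client -DelegateComputer $Target -Force

function Test-CredSSPClientPolicy {
    param([Parameter(Mandatory)][string]$Target)
    # Same location the GPO "Allow Delegating Fresh Credentials" writes to.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
    $allowed = @()
    if (Test-Path -Path "$key\AllowFreshCredentials") {
        # Entries are numbered values "1","2",... holding SPNs such as wsman/host.
        $allowed = @((Get-ItemProperty -Path "$key\AllowFreshCredentials").PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } | ForEach-Object Value)
    }
    # Match the target's SPN against the list, honouring '*' wildcards.
    $covered = $allowed | Where-Object {
        $pattern = '^' + [regex]::Escape($_).Replace('\*', '.*') + '$'
        "wsman/$Target" -match $pattern
    }
    [pscustomobject]@{
        PolicyEnabled  = ((Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).AllowFreshCredentials -eq 1)
        AllowedTargets = $allowed
        TargetCovered  = [bool]$covered
    }
}

Test-CredSSPClientPolicy -Target $Target

$cred = Get-Credential -UserName 'domain\user.service' -Message "Password for $Target"

# Without CredSSP the session on SERVER_C has no credential to present to the
# file server and Test-Path returns False; with CredSSP the delegated credential
# is used for the second hop.
Invoke-Command -ComputerName $Target -Credential $cred -Authentication Credssp -ScriptBlock {
    param($Share)
    Test-Path -Path $Share
} -ArgumentList $HopShare
```

Run Test-CredSSPClientPolicy on the client before the Invoke-Command: if TargetCovered is False, the "Access is denied" in the question is the expected result, because the client refuses to delegate to an SPN outside the allow-list.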

Execute powershell script remotely on Amazon EC2 instance from my local computer

I have an Amazon EC2 instance.
Using powershell on my local workstation, I want to be able to remote into my Amazon EC2 instance and execute some commands.
I have found many articles online but none are working or I misunderstood them (probably the latter).
Some I tried are
Managing Windows EC2 Instances remotely with Powershell
Administering EC2 instance with Windows Powershell
Enabling- PSRemoting
How to Run PowerShell Commands on Remote Computers
My understanding is that I need to:
Amazon EC2 Dashboard > Network & Security > Security Groups > Add port 5985
//Local & EC2 PowerShell(Administrator)
enable-psremoting -force
//Local PowerShell(Administrator)
set-item wsman:\localhost\Client\TrustedHosts -value "*" -force
$password = convertto-securestring -asplaintext -force -string myPassword
$credential = new-object -typename system.management.automation.pscredential -argumentlist "myUsername", $password
$session = new-pssession ec2-00-00-00-000.compute-1.amazonaws.com -credential $credential
enter-pssession $session
But I get this error
new-pssession : [ec2-00-00-00-000.compute-1.amazonaws.com] Connecting to remote server
ec2-00-00-00-000.compute-1.amazonaws.com failed with the following error message : WinRM cannot complete the
operation. Verify that the specified computer name is valid, that the computer is accessible over the network, and
that a firewall exception for the WinRM service is enabled and allows access from this computer. By default, the WinRM
firewall exception for public profiles limits access to remote computers within the same local subnet. For more
information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:12
+ $session = new-pssession ec2-00-00-00-000.compute-1.amazonaws.com -credential $c ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotingTransportException
+ FullyQualifiedErrorId : WinRMOperationTimeout,PSSessionOpenFailed
Solution found here.
The missing link was to (on the EC2 instance) open Windows Firewall with Advanced Security and edit an inbound rule.
Full Steps:
EC2 Instance
1) Open PowerShell as administrator
2) Enter enable-psremoting -force
3) Open Windows Firewall with Advanced Security
4) Inbound Rules -> Find Windows Remote Management (Http-In) - there are 2, do this for both
5) Right click -> Properties -> Advanced -> Check public
Local
6) Open PowerShell as administrator
7) Enter enable-psremoting -force
8) Enter the following:
$password = convertto-securestring -asplaintext -force -string MY_PASSWORD
$credential = new-object -typename system.management.automation.pscredential -argumentlist "MY_USERNAME", $password
$session = new-pssession MY_EC2_PUBLIC_IP -credential $credential
enter-pssession $session
Write-Host "Hello, World (from $env:COMPUTERNAME)"
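The steps above expose the HTTP listener (port 5985) on the instance's public interface and set TrustedHosts to "*" on the workstation. The following is an added example, not part of the answer, showing the same flow over an HTTPS listener (port 5986) instead, so the server is authenticated by a certificate and TrustedHosts is left untouched. It assumes the public DNS name from the question, that the security group allows TCP 5986 from your own address only, and that a self-signed certificate is acceptable (a lab setting; use a CA-issued certificate otherwise).

```powershell
# Added example (not from the original answer). EC2 WinRM over HTTPS.
# Assumed public name (from the question); replace with the instance's real name.
$PublicName = 'ec2-00-00-00-000.compute-1.amazonaws.com'

# --- on the EC2 instance, elevated PowerShell ---
# Self-signed certificate whose DNS name is the name clients will connect to.
$cert = New-SelfSignedCertificate -DnsName $PublicName -CertStoreLocation Cert:\LocalMachine\My

# HTTPS listener bound to that certificate.
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
         -HostName $PublicName -CertificateThumbPrint $cert.Thumbprint -Force

# Firewall exception for 5986 on every profile (EC2 instances usually land on Public).
New-NetFirewallRule -Name 'WinRM-HTTPS-In' -DisplayName 'WinRM over HTTPS (5986)' `
                    -Direction Inbound -Protocol TCP -LocalPort 5986 -Action Allow `
                    -Profile Public, Domain, Private

# Optional: drop the HTTP listener that enable-psremoting created, so that
# credentials can no longer be offered on 5985 at all.
Get-ChildItem -Path WSMan:\localhost\Listener |
    Where-Object { (Get-ChildItem -Path $_.PSPath | Where-Object Name -eq 'Transport').Value -eq 'HTTP' } |
    Remove-Item -Recurse

# --- on the local workstation ---
$credential = Get-Credential -UserName 'Administrator' -Message "Password for $PublicName"

# Self-signed cert: skip the CA check but keep the name check, which passes
# because the cert's DnsName equals $PublicName. Remove this option entirely
# when the listener uses a CA-issued certificate.
$opt = New-PSSessionOption -SkipCACheck

$session = New-PSSession -ComputerName $PublicName -Credential $credential -UseSSL -SessionOption $opt
try {
    Invoke-Command -Session $session -ScriptBlock { "Hello, World (from $env:COMPUTERNAME)" }
}
finally {
    Remove-PSSession -Session $session
}
```

With -UseSSL the client never needs a TrustedHosts entry, so the "*" wildcard from step 8 of the question, which would let the workstation send credentials to any host, can be removed again with Clear-Item WSMan:\localhost\Client\TrustedHosts.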
I think that not exposing PowerShell via SSH was one of the biggest design mistakes MS made. Even years later they are too proud / blind to revert that poor decision.
I suggest you not fight with WinRM and instead use an SSH server on your Windows machine.
You'll benefit from having a simple, standard, secure way to connect to your server from any device (I'm doing remote PS sessions from my iPad).
There is the open-source Cygwin and my favorite, the proprietary (with a free offering) PowershellServer.
You'll thank me when your Windows server plays nicely with the rest of the world.
UPDATE
I got back to this old thread and would like to add another option: using the new(ish) AWS Systems Manager Run Command capability.
This allows you to have no administrative port exposed to the external world, so there is no need to fiddle with host / cloud firewalls.
It also provides other benefits like auditing, permissions, etc.
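What the Run Command option looks like from the workstation, as an added example that is not part of the answer above. It assumes the AWS Tools for PowerShell are installed with a configured AWS credential profile, that the instance runs the SSM agent under an instance profile permitting Systems Manager (for example the AmazonSSMManagedInstanceCore policy), and a placeholder instance ID. Nothing listens on the instance for this: the agent polls the SSM service outbound, which is why no security-group or firewall rule is needed.

```powershell
# Added example (not from the original answer). Runs PowerShell on an EC2
# instance through AWS Systems Manager Run Command instead of WinRM.
# Assumed: AWS Tools for PowerShell (AWS.Tools.SimpleSystemsManagement) loaded,
# AWS credentials configured, SSM agent on the instance. Instance ID is a placeholder.
$InstanceId = 'i-0123456789abcdef0'

function Invoke-SSMPowerShell {
    param(
        [Parameter(Mandatory)][string]$InstanceId,
        [Parameter(Mandatory)][string[]]$Commands,
        [int]$TimeoutSeconds = 120
    )
    # AWS-RunPowerShellScript is the AWS-managed document for Windows targets.
    $cmd = Send-SSMCommand -InstanceId $InstanceId `
                           -DocumentName 'AWS-RunPowerShellScript' `
                           -Parameter @{ commands = $Commands } `
                           -Comment 'remote administration via SSM instead of WinRM'

    # Send-SSMCommand returns at once; poll the invocation until it finishes.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds 3
        $inv = Get-SSMCommandInvocationDetail -CommandId $cmd.CommandId `
                   -InstanceId $InstanceId -ErrorAction SilentlyContinue
        $status = if ($inv) { [string]$inv.Status } else { 'Pending' }
    } while (($status -in 'Pending', 'InProgress', 'Delayed') -and (Get-Date) -lt $deadline)

    [pscustomobject]@{
        CommandId = $cmd.CommandId
        Status    = $status                      # Success, Failed, TimedOut, ...
        Output    = $inv.StandardOutputContent
        Error     = $inv.StandardErrorContent
    }
}

# Each invocation is recorded by Systems Manager (and the API call by CloudTrail):
# who ran what, on which instance, and when. That is the auditing the answer refers to.
Invoke-SSMPowerShell -InstanceId $InstanceId -Commands @(
    'Get-Date',
    'Write-Output "Hello, World (from $env:COMPUTERNAME)"'
)
```

Who may run which documents on which instances is controlled by IAM policy on ssm:SendCommand rather than by a Windows account and password, so no local Administrator credential has to leave the workstation at all.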