PowerShell Access is denied. PSRemotingTransportException + FullyQualifiedErrorId : PSSessionStateBroken - powershell

I was trying to establish a remote connection to another system and execute some basic commands.
Below are the steps that I have done:
Configured the remote machine to accept shell commands - Enable-PSRemoting -Force
Tested the configuration on the remote machine - Test-WsMan COMPUTERNAME.
Executed the following commands on the host machine:
1. Invoke-Command -ComputerName COMPUTERNAME -ScriptBlock { Get-ChildItem C:\ } -credential USERNAME.
2. Invoke-Command -ComputerName COMPUTERNAME -ScriptBlock { Get-ChildItem C:\ } -credential $Credentials.
3. Invoke-Command -ComputerName COMPUTERNAME -ScriptBlock { Get-ChildItem C:\ }
In all the cases, we were getting an access denied error:
Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
+ CategoryInfo : OpenError: (:) [], PSRemotingTransportException
+ FullyQualifiedErrorId : PSSessionStateBroken

From MSDN:
Start Windows PowerShell as an administrator by right-clicking the Windows PowerShell shortcut and selecting Run As Administrator.
The WinRM service is configured for manual startup by default. You must change the startup type to Automatic and start the service on each computer you want to work with. At the PowerShell prompt, you can verify that the WinRM service is running using the following command:
get-service winrm
The value of the Status property in the output should be “Running”.
To configure Windows PowerShell for remoting, type the following command:
Enable-PSRemoting -force
In many cases, you will be able to work with remote computers in other domains. However, if the remote computer is not in a trusted domain, the remote computer might not be able to authenticate your credentials. To enable authentication, you need to add the remote computer to the list of trusted hosts for the local computer in WinRM. To do so, type:
winrm s winrm/config/client '@{TrustedHosts="RemoteComputer"}'
Here, RemoteComputer should be the name of the remote computer, such as:
winrm s winrm/config/client '@{TrustedHosts="CorpServer56"}'
You should check if the winrm is running. Also add your remote hosts to the trusted hosts list (or your local machine).
Hope that helps.

Related

Running cmd command to remote host on PowerShell

I need to run a cmd command from a PowerShell script, and that command will run on the remote command line. So I put this in my script:
Invoke-Command -ComputerName $line -scriptblock {cmd.exe /c "whoami"} -credential $Cred
and it works, but only if Enable-PSRemoting -Force was run on the remote host.
Otherwise I get error:
[192.168.1.1] Connecting to remote server 192.168.1.1 failed with the following error message : Access denied. For more information, see the about_Remote_Troubleshooting Help topic.
+ CategoryInfo : OpenError: (192.168.1.1:String) [], PSRemotingTransportException
+ FullyQualifiedErrorId : AccessDenied,PSSessionStateBroken
I need to run that command on many (about 200) remote hosts, so the question is: how can I do this without manually running Enable-PSRemoting -Force on each remote host? The server is in a domain but the remote hosts aren't.
If your servers are on a domain, you could enable PS Remoting on them all via Group Policy: https://www.briantist.com/how-to/powershell-remoting-group-policy/

Powershell remoting does not have the correct permissions

On the non-domain server SERVER I have a local administrator account USER.
On the domain client machine I am running as a domain user.
Using the following code I attempt to view all services on SERVER
$cred = Get-Credential "SERVER\USER"
Invoke-Command -ComputerName SERVER -ScriptBlock {Get-Service} -Credential $cred
However, I receive the following error
Cannot open Service Control Manager on computer '.'. This operation might require other privileges.
+ CategoryInfo : NotSpecified: (:) [Get-Service], InvalidOperationException
+ FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.PowerShell.Commands.GetServiceCommand
Yet, if I RDP to SERVER as USER, I can manually open a Powershell window and run Get-Service without any issues. What's going on?
When remoting cross-domain, the remote command/session will not run with administrative rights. Even though you're connecting as a local admin, the resulting PSSession will not be elevated.
To fix this, you need to set the registry key LocalAccountTokenFilterPolicy located in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System to 1. See Microsoft for more details
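A way to confirm this diagnosis before and after changing the value, as an added example that is not part of the original answer. SERVER and USER are the placeholder names from the question; the first part runs from the client, the last command runs in an elevated local console on SERVER.

```powershell
# Added example: check whether the remote session's token is elevated and
# what LocalAccountTokenFilterPolicy is currently set to on SERVER.
$cred = Get-Credential 'SERVER\USER'

$state = Invoke-Command -ComputerName SERVER -Credential $cred -ScriptBlock {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $id  = [Security.Principal.WindowsIdentity]::GetCurrent()

    # Reading HKLM works without elevation; a missing value comes back as $null.
    $policy = (Get-ItemProperty -Path $key -Name LocalAccountTokenFilterPolicy `
        -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy

    [pscustomobject]@{
        User                          = $id.Name
        # False means the session holds the filtered (non-administrative) token.
        IsElevated                    = ([Security.Principal.WindowsPrincipal]$id).IsInRole(
            [Security.Principal.WindowsBuiltInRole]::Administrator)
        LocalAccountTokenFilterPolicy = $policy
    }
}
$state | Format-List User, IsElevated, LocalAccountTokenFilterPolicy

# On SERVER itself, in an elevated console (a filtered remote session cannot write HKLM):
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
New-ItemProperty -Path $key -Name LocalAccountTokenFilterPolicy `
    -PropertyType DWord -Value 1 -Force | Out-Null
```

The value is machine-wide: it lifts remote token filtering for every local administrator account on SERVER and for all network logons, not only WinRM, so record it as a deliberate configuration change.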

Getting error in installing executables (.msi/.exe) on remote servers using PowerShell

I have a list of executables(.msi and .exe) which I have to install on some remote servers (in same domain) silently using PowerShell script. For that first I am copying all programs from local server to remote servers. Next I am trying to install all these programs one by one to the remote servers. For that I am using below code:
Copy-Item -Path "C:\path\to\softwares\*" -Destination "C:\path\to\destination" # this is copying all softwares on destination path
$destItem = Get-ChildItem -Path "C:\path\to\destination"
foreach($software in $destItem)
{
$setup = Invoke-Command -ComputerName <computer> -ScriptBlock {$temp=Start-Process "C:\path\to\$software" -ArgumentList "/s" -Wait -PassThrough;$Temp}
}
Problem is: When I run this script I get the following error:
[172.xx.xx.xxx] Connecting to remote server 172.xx.xx.xxx failed with the following error message : The WinRM client
cannot process the request. Default authentication may be used with an IP address under the following conditions: the
transport is HTTPS or the destination is in the TrustedHosts list, and explicit credentials are provided. Use
winrm.cmd to configure TrustedHosts. Note that computers in the TrustedHosts list might not be authenticated. For more
information on how to set TrustedHosts run the following command: winrm help config. For more information, see the
about_Remote_Troubleshooting Help topic.
+ CategoryInfo : OpenError: (172.xx.xx.xxx:String) [], PSRemotingTransportException
+ FullyQualifiedErrorId : CannotUseIPAddress,PSSessionStateBroken
I ran command winrm quickconfig on local machine and got this result:
WinRM service is already running on this machine.
WinRM is already set up for remote management on this computer.
and from remote servers got this output:
WinRm already is set up to recieve requests on this machine.
WinRm already is set up for remote management on this machine.
Windows version: Windows Server 2012R2
PS version: 4
Question is: How can I resolve this issue and install executables on remote servers?
You might try to put the remote computer into the list of trusted hosts:
View the list of TrustedHosts
get-item wsman:\localhost\Client\TrustedHosts
Add all computers (be careful!) to the list of TrustedHosts
set-item wsman:\localhost\Client\TrustedHosts -value *
Add a computer with a specific IP address to the list of Trusted Hosts
set-item wsman:\localhost\Client\TrustedHosts -value 192.168.0.10
Check Matt Wrock's article about remotely installing software on windows:
http://www.hurryupandwait.io/blog/safely-running-windows-automation-operations-that-typically-fail-over-winrm-or-powershell-remoting
In his Boxstarter library he tackles this by wrapping the commands in a scheduled task using the Invoke-FromTask command:
Invoke-FromTask @"
Start-Process "$env:temp\net45.exe" -verb runas -wait `
-argumentList "/quiet /norestart /log $env:temp\net45.log"
"@
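The "be careful" next to the wildcard matters because, as the error text in the question says, computers in the TrustedHosts list might not be authenticated. The following is an added example, not code from the answers: a hypothetical helper, Add-WinRMTrustedHost, that appends exact names or addresses to the existing list instead of overwriting it and refuses wildcard entries. Run it from an elevated prompt on the client.

```powershell
# Added example. Add-WinRMTrustedHost is a hypothetical helper name.
function Add-WinRMTrustedHost {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$ComputerName
    )

    $path = 'WSMan:\localhost\Client\TrustedHosts'

    # TrustedHosts is one comma-separated string; split it into entries.
    $existing = @((Get-Item -Path $path).Value -split ',' |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ })

    if ($existing -contains '*') {
        Write-Warning "TrustedHosts already contains '*'; every host is currently trusted."
    }

    $merged = $existing
    foreach ($name in $ComputerName) {
        if ($name -match '\*') {
            # Refuse wildcards so the list stays limited to named machines.
            Write-Warning "Skipping '$name': only exact names or addresses are added."
            continue
        }
        # -notcontains is case-insensitive, so duplicates are not appended.
        if ($merged -notcontains $name) { $merged += $name }
    }

    if ($merged.Count -gt $existing.Count) {
        $value = $merged -join ','
        if ($PSCmdlet.ShouldProcess($path, "Set value to '$value'")) {
            Set-Item -Path $path -Value $value -Force
        }
    }

    # Return the list as it is now stored.
    (Get-Item -Path $path).Value
}

# Preview first, then apply. 192.168.0.10 is the sample address from the answer above.
Add-WinRMTrustedHost -ComputerName '192.168.0.10' -WhatIf
Add-WinRMTrustedHost -ComputerName '192.168.0.10'
```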

Enable PowerShell remoting on new Azure VM

I've created a new VM in Windows Azure to use to act as a host to learn a bit of Powershell Remoting. After the VM was created I RDP'd onto the box and enabled remoting via the following command:
Enable-PSRemoting
I confirmed both prompts with 'a' replies and it finished without errors. If I run
Get-PSSessionConfiguration
I can see that three endpoints (?) have been set up. In the Azure portal I can see that the Powershell port is open - 5986 is open as both a public and private port.
I've added the public IP address of the machine to my hosts file, but when I try the following:
Enter-PSSession -ComputerName AZURESERVERNAME
I get an error:
Enter-PSSession : Connecting to remote server AZURESERVERNAME failed
with the following error message : A specified logon session does not
exist. It may already have been terminated. For more information, see
the about_Remote_Troubleshooting Help topic. At line:1 char:1
+ Enter-PSSession -ComputerName AZURESERVERNAME
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (AZURESERVERNAME:String) [Enter-PSSession],
PSRemotingTransportException
+ FullyQualifiedErrorId : CreateRemoteRunspaceFailed
I've also tried setting all hosts as trusted as follows:
cd wsman::localhost\client
Set-Item .\TrustedHosts *
Restart-Service WinRM
But that doesn't seem to have helped either.
Is there anything else I need to do to get this working?
Thanks
OK, figured this out thanks to the awesome Secrets of Powershell Remoting ebook. Looks like you must add the machine directly to the TrustedHosts via IP address:
Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value '11.22.33.44'
Then use that IP address and specify credentials in the Enter-PSSession:
Enter-PSSession -ComputerName 11.22.33.44 -Credential 11.22.33.44\username
You should then get a prompt for your password and voila! :)
I've successfully created a SharePoint farm in Azure using the scripts from Automated-Deployment-of-SharePoint-2013-with-Windows-Azure-PowerShell
On that page there are steps that configure PowerShell to work with Azure
Set-ExecutionPolicy ByPass
Enable-PSRemoting
Enable-WSManCredSSP -role client -delegatecomputer "*.cloudapp.net"
$regKey = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Credssp\PolicyDefaults\AllowFreshCredentialsDomain"
Set-ItemProperty $regKey -Name WSMan -Value "WSMAN/*.cloudapp.net"
Get-AzureSubscription -ExtendedDetails
You may also need to do this
Run GPEdit.msc You must also enable delegating of fresh credentials
using group policy editor on your client machine. Computer
Configuration -> Administrative Templates -> System -> Credentials
Delegation and then change the state of "Allow Delegating Fresh
Credentials with NTLM-only server authentication" to "Enabled." Its
default state will say, "Not configured."
In the Add Servers sections add the following.
WSMAN/*.cloudapp.net

Confusing Powershell behavior

Am a bit confused w/ remote executing a powershell command. I have a test server (Win 2k8-R2-SP1) called ServerA, which has powershell remoting enabled correctly. From my dev machine (Win 2k8-R2-SP1), am able to remotely execute powershell commands correctly.
But, when I try to execute the same command from a different server called ServerB (Win 2k8-R2), I get the following error
[ServerA] Connecting to remote server failed with the following error message : The client cannot connect to the destination specified in the request. Verify that the service on the destination is running and is accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM.
If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: "winrm quickconfig". For more information, see the about_Remote_Troubleshooting Help topic.
+ CategoryInfo : OpenError: (:) [], PSRemotingTransportException
+ FullyQualifiedErrorId : PSSessionStateBroken
All three machines are in the same domain. My confusion is that from my dev machine, I am perfectly able to connect to ServerA and execute the command.
Will the fact that ServerB does not have SP1, make a difference? Please advise. I am using the same domain account which has admin rights on all 3 servers.
And the command that I am trying is
Invoke-Command -ComputerName ServerA -ScriptBlock {Get-UICulture}.
Please help.
Thanks
Run winrm quickconfig or Enable-PSRemoting -force from ServerB.
Verify service is running with get-service winrm
http://technet.microsoft.com/en-us/magazine/ff700227.aspx
Also, run this from your local dev box:
Set-Item WSMan:\localhost\Client\TrustedHosts -Value "*" -Force
I've had this same problem as well, on a machine that was working for remote powershell in the past. In my case the solution was to clear the Security Log. It was full, and I believe this was preventing powershell from making a proper secure connection.
The following fixed my problem:
You either have to empty your iplisten list which can be checked using the following CMD command:
netsh http show iplisten
or to add the loopback address to it if there are any other addresses:
netsh http add iplisten 127.0.0.1
I was having this same issue and resolved in the following way. Running
winrm quickconfig
returned the below error.
winrm : WSManFault
At line:1 char:1
+ winrm quickconfig
+ ~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (WSManFault:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
Message
ProviderFault
WSManFault
Message = WinRM firewall exception will not work since one of the network connection types on this machine is set to Public. Change the network connection type to either Domain or Private and try again.
Error number: -2144108183 0x80338169
WinRM firewall exception will not work since one of the network connection types on this machine is set to Public. Change the network connection type to either Domain or Private and try again.
In my case, this was a virtual NIC for a hypervisor service I was running on my machine. Once I changed this to Private, winrm quickconfig ran without error. I still had issues connecting to some machines and getting the same failure as described in this thread. To resolve, I checked for and started the winrm service where it was stopped.
get-service -ComputerName computer -Name winrm
Status Name DisplayName
------ ---- -----------
Stopped winrm Windows Remote Management (WS-Manag...
get-service -ComputerName computer -Name winrm | Start-Service
To save having to enable WinRM on every single server you manage, you can run this batch script:
Requirements:
A text file with all the servers you wish to enable WinRM on
PSExec in your Windows\System32 directory, downloaded from: https://technet.microsoft.com/en-us/sysinternals/pstools.aspx?f=255&MSPPError=-2147217396
Powershell on the server you're connecting to
Usage: EnablePSRemoting.bat PCs.txt
@echo off
for /f %%f in (%1) do (
psexec.exe \\%%f -accepteula -h -d -s powershell.exe "enable-psremoting -force"
echo Enabled on %%f
)
I have been looking for the answer for days and I found the issue;
It seems that the IIS 7 .NET Extensibility component was not installed causing this issue. We have a 2012 R2 Exchange 2010 server;
https://technet.microsoft.com/en-us/library/dd421841(v=exchg.80).aspx
I installed it by entering this in powershell;
See here the prerequisites for Exchange 2010.
https://technet.microsoft.com/en-us/library/bb691354(v=exchg.141)
This Exchange server of ours has only the mailbox role, the other is still CAS and HUB transport;
So we need this command;
Add-WindowsFeature NET-Framework-Features,RSAT-Clustering,Web-Mgmt-Console,WAS-Process-Model,Web-Basic-Auth,Web-Lgcy-Mgmt-Console,Web-Metabase,Web-Net-Ext,Web-Server,Web-Windows-Auth -Restart
The Web-Net-Ext part installed the IIS 7 .NET Extensibility component.
No need to restart.
Just my 2 cents, maybe this helps someone else :-)
In my case, WinRM was not configured correctly. This is what I used to enable it remotely:
$x=Get-WmiObject -ComputerName "<computer name>" -Namespace "root\cimv2" -Class "Win32_Process" -List
$x.Create('C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Command "& C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Command {Enable-PSRemoting}"',$null,$null)
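Several of the causes reported in this thread (stopped WinRM service, a network interface on the Public profile, nothing listening, an unreachable port) can be checked in one pass before changing any configuration. The following is an added example, not code from any of the answers; Test-RemotingPrerequisite is a hypothetical helper name, and it assumes Windows 8.1 / Server 2012 R2 or later (for Get-NetConnectionProfile and Test-NetConnection) and an elevated prompt.

```powershell
# Added example. Test-RemotingPrerequisite is a hypothetical helper name.
function Test-RemotingPrerequisite {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$ComputerName
    )

    # Local WinRM service state (a stopped service was one cause reported above).
    $svc = Get-Service -Name WinRM

    # Interfaces on a Public profile make 'winrm quickconfig' fail (0x80338169 above).
    $public = @(Get-NetConnectionProfile |
        Where-Object { $_.NetworkCategory -eq 'Public' } |
        ForEach-Object { $_.InterfaceAlias })

    # Local listeners can only be read through the WSMan: drive while the service runs.
    $listeners = @()
    if ($svc.Status -eq 'Running') {
        $listeners = @(Get-ChildItem -Path WSMan:\localhost\Listener `
            -ErrorAction SilentlyContinue)
    }

    # TCP reachability of the default WinRM ports on the target (5985 HTTP, 5986 HTTPS).
    $http  = (Test-NetConnection -ComputerName $ComputerName -Port 5985 `
        -WarningAction SilentlyContinue).TcpTestSucceeded
    $https = (Test-NetConnection -ComputerName $ComputerName -Port 5986 `
        -WarningAction SilentlyContinue).TcpTestSucceeded

    # Test-WSMan returns output only when a WS-Management service answers.
    $wsman = [bool](Test-WSMan -ComputerName $ComputerName -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        ComputerName       = $ComputerName
        LocalWinRMStatus   = $svc.Status
        PublicInterfaces   = $public -join ', '
        LocalListenerCount = $listeners.Count
        Port5985Open       = $http
        Port5986Open       = $https
        WSManResponds      = $wsman
    }
}

# ServerA is the placeholder name from the question above.
Test-RemotingPrerequisite -ComputerName ServerA | Format-List
```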