Remote Powershell session connection failure with Kerberos authentication - powershell

I have an on-premises network and an Azure virtual network that are connected together via a gateway.
With this setup, all machines (on-premises and Azure) are joined to the domain which allows me remote access to the administrative shares as well as remote Powershell sessions on each machine in the Azure virtual network from machines in my office. For example, I can simply open up Windows Explorer and type in the address bar \\machinename\c$ or I can open a remote Powershell session by using the command $Session = New-PSSession -ComputerName machinename.
This works perfectly for one of my Azure subscriptions, but on another Azure subscription that appears to be configured identically, the remote Powershell command is failing with error:
New-PSSession : [machinename] Connecting to remote server machinename failed with the following error message : WinRM cannot process the request. The following error occurred while
using Kerberos authentication: Cannot find the computer machinename. Verify that the computer exists on the network and that the name provided is spelled correctly. For more information,
see the about_Remote_Troubleshooting Help topic.
When I look in DNS on the Azure domain controller, the machine that I am trying to connect to exists. When I look in DNS on-premises, the machine is missing. What it looks like to me is a replication problem between the two domain controllers.
The first thing that is likely to be suggested is to start looking at WinRM configurations on the client machine. To be clear, the same machine is able to connect successfully to machines in a virtual network in a different Azure subscription so it is very unlikely that anything on the client machine needs to be changed. Nevertheless, I Googled the Kerberos error with remote Powershell and have checked that the TrustedHosts setting on the client is set to *.
Interestingly enough, I can successfully open a remote Powershell session from a machine in the Azure subscription to a machine in my office, I just can't go the other direction....from Azure to my office. This would seem to indicate maybe a one-way trust instead of two-way, but I am not sure how to verify this.
I ran the tool and it is reporting that everything is working with regard to replication.
So I guess what I am wondering is if this is truly a replication issue or if someone can give me an idea of what the problem might really be.
Edit 1
Now it looks like the domain controller in the Azure network is replicating just fine but any other VM that I add to the Azure network is not replicating. Based on this I will guess that the replication is working, but it would seem it only works for the domain controller and not any other machine. I have no idea what that means.

Based on the error message, it seems that the DNS records on Azure domain controller are not replicated to the on-premises domain controller.
To verify this, you can run the command below on the on-premises machine, and use the IP address as the value of parameter -ComputerName instead of the machine name. The PowerShell session should be established successfully if this is a DNS issue.
New-PSSession -ComputerName IP address of server on Azure
Also, you can run the following commands on the domain controllers to check the replication status.
repadmin /kcc
repadmin /replisummlry
If the output of commands are successfully, you can run the following command to replicate manually, and check the DNS again.
repadmin /syncall
Finally, to check the trust relationship, you can refer to the following link for step-by-step guide.
https://technet.microsoft.com/en-us/library/cc753821(v=ws.11).aspx
Update
Based on the new information you provided, I would recommend to check the type of DNS zone on the Azure DNS server. Please make sure the type is Primary zone, and store the zone in Active Directory.
You can check this by using the DNS Manager.

Related

How to add new local user in Azure VM through the PowerShell?

I have VM machine running which is not part of the domain and I would like to add the new local user through the PowerShell. Is this possible to do?
Once you have created your VM in Azure you will be able to interact with it as any other windows machine via PowerShell.
You will create a New-PSSession to the machine (you will use the ip adress for the VM as the computername):
https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-6
You will then enter the session and create the local user: https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/new-localuser?view=powershell-5.1
The main issue you may run into is, depending on firewall rules, you may not be able to directly access your azure VM. You will likely need to create a VPN in azure, include your Azure VM in that VPN, and then access the VPN from your local machine before you are able to establish a connection to the Azure VM. Please see the documentation for setting this up here: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal.

Unable to connect to remote server using Enter-PSSession cmdlet

I am getting below error message when I try to access one of the AWS Cloud Servers through"Enter-PSSession" cmdlet. I have Admin rights on the server and provide the necessary credential as well but still no gain. Please help to resolve or suggest alternate way to remotely access the Server.
------------------Connecting to remote server XYZ.XXXXXX.com failed with the following error message : WinRM cannot complete the
operation. Verify that the specified computer name is valid, that the
computer is accessible over the network, and that a firewall
exception for the WinRM service is enabled and allows access from this
computer. By default, the WinRM firewall exception for public
profiles limits access to remote computers within the same local
subnet. For more information, see the about_Remote_Troubleshooting
Help topic.
Make sure that the server behind that name has the proper IP address.
You can do that if you ping the host name, and then ping the turned IP with attribute -a
Ping server.com
Ping -a <IP returned by that hostname>
If the second ping return different hostname, thats were you have problem.
If it does not return any hostname, then it might be behind switch or firewall rule that does not allow reverse lookup.
If everything is good, try to see if the WinRM is working with the following command
Test-WSMan <hostname or an IP>
If that is return the ProductVersion then that machine has WindowsRemote Manager enabled.
If that is not working then you dont have windows remote management enabled on that machine, and of course check the firewall.
But if you dont have an issue here then you better check if you have CredSSP enabled/disabled, but for that you would need to read a bit more, here is a nice article about it :
https://4sysops.com/archives/using-credssp-for-second-hop-powershell-remoting/
And if after all that you still have the issue, make sure you know if you are using Certificates to authenticate, if thats the case it really depend on how your PKI is all set.
Make sure the remote host is reachable over you network .
if reachable over network, make make sure remoting is enabled on the derstination server.
if windows firewall service is not running, start it on the destination server .

How to Programmatically Set Up Powershell Remoting on an Azure VM

My goal is to write a Powershell script that will run New-AzureRmResourceGroup and New-AzureRmResourceGroupDeployment in order to provision a resource group according to an ARM .json template file. Said resource group includes a virtual machine, virtual network, network security group, public IP address, network interface attached to the virtual machine, and two storage accounts. After that, I want the same script to go on and copy a specific program installer to the virtual machine in that resource group and run that installer, automatically without further user interaction. However, I can't seem to begin a remote Powershell session with the virtual machine. I run the command:
$sess = New-PSSession -ComputerName **.***.**.*** -Port XXXX -Credential $cred
where the *s are the IP address of the Virtual Machine; XXXX is the Port that is open for RDP according to the Network Security Group associated with the virtual network that the Virtual Machine is on; and $cred contains the credentials of the admin user on the Virtual Machine.
The command always returns an error:
New-PSSession : [**.***.**.***] Connecting to remote server **.***.**.*** failed with the following error message :
The client cannot connect to the destination specified in the request. Verify that the service on the destination is
running and is accepting requests. Consult the logs and documentation for the WS-Management service running on the
destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the
destination to analyze and configure the WinRM service: "winrm quickconfig". For more information, see the
about_Remote_Troubleshooting Help topic.
Note that I did make sure to add the Virtual Machine's IP address to the list of Trusted-Hosts on my local machine. (Until I did that, I got a different error message.) Also, I am able to connect to the Virtual Machine if I click on its Connect button in the Azure portal and then click on the .rdp file that's downloaded. This remote session uses the same IP address, port, and credentials as the one I'm trying and failing to set up in Powershell. This is what I don't understand.
Why does that happen? Is there some additional work I need to do to prepare the VM for accepting remote Powershell sessions? Is there any way to configure it in the ARM template so that the VM will be ready to accept them from the get-go? (It would be difficult if I need to run some commands on the VM to set Powershell remoting up, since I can't Powershell remote in to run them because of this very problem. Maybe I could run them as a custom script extension?)
Final notes: This VM is "new" style, not "classic" style. I know there is lots of documentation out there for "classic" style Azure VMs, but that's not what I'm working with. Also, even after running winrm quickconfig on the VM as the error suggested, and enabling administrative rights remotely to local users, I get the same error when I run New-PSSession.
Open up 5985-5986 on your NSG
Drop the port part on your command:
$sess = New-PSSession -ComputerName ... -Credential $cred
WinRM endpoint is set up automatically for new VM's (if you don't somehow override it). But you need to open 5985 for nonsecure and 5986 for secure remoting

Powershell 4.0 Remoting with Non Admin Domain Account

I'm looking for help to properly configure PowerShell Remoting for non-admins on a group of servers. Right now we have a working configuration that allows Admin Domain accounts to successfully connect to the servers with no error. The authentication method we are using is Credssp, using SSL and this works perfectly for a Domain admin account.
On the other hand I have this User Domain Account userTest. This account is mapped to a Domain Group that maps locally (on each server) to the Remote Desktop User Groups. This allows for this user to RDP successfully to this server but has no administrator privileges. It is going to stay that way and it is not an option to make it Local Administrator.
The purpose of this user is to allow non-admin accounts to execute a set of scripts against the server using a Restricted Session, which connecting with a Domain Admin Account. The problem comes when I'm trying to connect with the userTest account. The server responds with a Access is Denied error:
[ServerA] Connecting to remote server ServerA failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
+ CategoryInfo : OpenError: (ServerA:String) [], PSRemotingTransportException
+ FullyQualifiedErrorId : AccessDenied,PSSessionStateBroken
Going trough the Analytic EventLogs I found an error message as follows:
The WSMan service could not launch a host process to process the given request. Make sure the WSMan provider host server and proxy are properly registered.
This is the configuration that I have already setup:
Created a PSSessionConfiguration named RemoteDesktopUsers
Register-PSSessionConfiguration -Name RemoteDesktopUsers -StartupScript C:\Start.ps1
Set-PSSessionConfiguration -Name RemoteDesktopUsers -ShowSecurityDescriptorUI
(Added Remote Desktop Users group to this SessionConfiguration)
So yeah, basically from what I have already Googled, this should be all the necessary configuration that you need to able to PSRemote with non-admin accounts. As I already mentioned using a Domain Admin Account connecting to this SessionConfiguration works fine, so I was thinking that I'm missing some kind of permission/privilege/SDDL that allows this user to access:
Windows Server 2008 R2 SP1
Powershell 4.0
Winrm ProductVersion = OS: 6.1.7601 SP: 1.0 Stack: 3.0
You're probably running into this problem because of using CredSSP
Any particular reason you have to use CredSSP? The most popular use of CredSSP is provided for situations in which you need to configure a jump server to remote from one machine, into another, and from there out again to another server. It's well-known as Second-Hop funtionality and is such a huge security hole that the CredSSP is kind of a pain to configure, intentionally.
You have to configure CredSSP in three places, once on your machine from which you'll be remoting, then again on the machine you'll be jumping to, and finally on each machine you'll be connecting to from the jump server.
If you really have to use CredSSP, follow this great guide here on The Scripting Guy's blog.
If you don't need CredSSP
Try this whole process using Default/WSman authorization, and I bet the problems will go away.

Powershell restrict Remote access on Host

I have three windows 2008 R2 servers; DEV, UAT and Live. I am deploying web apps between these servers, including IIS setup and config and database backup and restore via a PowerShell script. I use a powershell remote session.
I would like to prevent any machine, other than my deployment machine, from creating a powershell remote session on the host, even if the user is authenticated. Is this possible?
I have looked extensively through the PSRemoting documentation and can't find anything helpful.
Thanks in advance
Read the below link to better understand what needs to be done but I think you need to set the trusted host on the remote servers.
http://blogs.dirteam.com/blogs/sanderberkouwer/archive/2008/02/23/remotely-managing-your-server-core-using-winrm-and-winrs.aspx
This is an excerp from the blog.
On the Windows server Core box
Run the following commands on the console of the Server Core box to lower security:
WinRM set winrm/config/service/auth #{Basic="true"}
WinRM set winrm/config/client #{TrustedHosts="<local>"}
WinRM set winrm/config/client #{TrustedHosts="RemoteHost"}
Where RemoteHost is the host you want to be able to connect to the server.
You can also use certificate-based authentication.
http://blogs.msdn.com/b/wmi/archive/2009/03/23/how-to-use-wsman-config-provider-for-certificate-authentication.aspx
If you only want your computer to be able to connect, install the certificate on your computer and don't give it to anyone else.