Im trying to run the following
$secpasswd = 'Test'
$secpasswd = ConvertTo-SecureString $secpasswd -AsPlainText -Force
$mycreds = New-Object System.Management.Automation.PSCredential ('domain2\nick', $secpasswd)
[scriptblock]$CheckDNS = {
Get-DnsServerResourceRecord -Name 'computername' -ZoneName domain2.local -ComputerName domain2dC.domain2.local }
invoke-command -scriptblock $CheckDNS -Credential $mycreds -ComputerName domain2managementbox.domain2.local
This should be running Get-DnsServerResourceRecord module on the target machine however im getting the following error:
Failed to get the zone information for domain2.local on server domain2managementbox.domain2.local.
+ CategoryInfo : PermissionDenied: (dgtest.local:root/Microsoft/...rResourceRecord) [Get-DnsServerResourceRecord], CimException
+ FullyQualifiedErrorId : WIN32 5,Get-DnsServerResourceRecord
When I run the command on the box itself it works fine and I have the correct permissions.
Thanks
You're attempting to "double hop" with your credentials (from your client machine, to "domain2managementbox.domain2.local" and then again to "domain2dC.domain2.local". This is not permitted using the default kerberos authentication.
Run Enable-WSManCredSSP -Role Client -DelegateComputer domain2managementbox.domain2.local -Force on your client machine.
Run on Enable-WSMaCredSSP -Role Server –Force on "domain2managementbox.domain2.local"
... and then use -CredSSP as an additional authentication parameter for Invoke-Command.
Related
Running the following Powershell script to try to connect to Gov Azure AD:
Add-Type -Path ".\Source\Binaries\Microsoft\Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
Import-Module ".\Source\Binaries\Microsoft\Microsoft.Exchange.Management.ExoPowershellModule.dll"
$username = "email#businessdomain.onmicrosoft.us"
$password = ConvertTo-SecureString "testemailpassword" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ($username, $password)
$connectionURI = "https://ps.compliance.protection.office365.us/powershell-liveid/"
New-EXOPSSession -ConnectionUri $connectionURI -Credential $cred
But seeing this error come back
New-EXOPSSession : unknown_user_type: Unknown User Type
At line:9 char:1
+ New-EXOPSSession -ConnectionUri $connectionURI -Credential $cred
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [New-ExoPSSession], AdalException
+ FullyQualifiedErrorId : Microsoft.IdentityModel.Clients.ActiveDirectory.AdalException,Microsoft.Exchange.Management.E
xoPowershellSnapin.NewExoPSSession
I am able to run this similar script for a non-government environment (https://ps.compliance.protection.outlook.com/powershell-liveid/ as my URI) and see that I successfully connect without error
Please make sure the credentials (username and password )provided are correct and not having any special characters in them while using in the script and make sure to use latest microsoft exchange online module of v2 .
Try to get the credential first , then pass them in the connection segment.
$cred=get-credential
Connect-ExchangeOnline -Credential $cred -ShowProgress $true
$connectionURI = "https://ps.compliance.protection.office365.us/powershell-liveid/"
New-EXOPSSession -ConnectionUri $connectionURI -Credential $cred -ShowProgress $true
Or please try to use command as for non mfa account by using credential and dont credentials for mfa enabled account
$UserCredential = Get-Credential
Connect-IPPSSession -Credential $UserCredential
Or something like this SO refrence
Note: If ExchangeEnvironmentName is used, ConnectionUri parameter is
not required.
Use the stored variable name ($UserCredential) for this parameter .
• You can try below command which connects to Exchange Online PowerShell in a Microsoft GCC High organization:
Connect-ExchangeOnline -Credential $UserCredential -ShowProgress $true -ExchangeEnvironmentName O365USGovGCCHigh
In case, if the account you are using has MFA enabled use
userprincipal name.
Example:
Connect-ExchangeOnline -UserPrincipalName lxxra#xxxxxairlines.us -ExchangeEnvironmentName O365USGovGCCHigh
To connect to Microsoft 365 DoD organization replace environment name with O365USGovDoD to this Connect-ExchangeOnline -UserPrincipalName xxxx#contoso.com -ShowProgress $true
Give your user name correctly and Microsoft authenticator will authenticate if mfa enabled.
References:
Connect to Exchange Online PowerShell | Microsoft Docs
addazureaccount-unknownusertype | social.msdn.microsoft.com
Say I have a script: Install.ps1
As an admin, I want to be able to run this script for a specified user: joe.smith
Joe.smith is not an admin.
All of this should be done on localhost, no need to remote to a different computer.
Things I've tried:
new-pssession localhost -credential SSN314\joe.smith
Error: new-pssession : [localhost] Connecting to remote server localhost failed with the following error message : Access is
denied. For more information, see the about_Remote_Troubleshooting Help topic.
Also I've tried:
$username = "joe.smith"
$password = "pass"
$secstr = New-Object -TypeName System.Security.SecureString
$password.ToCharArray() | ForEach-Object {$secstr.AppendChar($_)}
$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $username, $secstr
Invoke-Command -FilePath "C:\dir\Install.ps1" -Credential $cred -ComputerName "."
Joe.smith is not an admin, which is why I think I'm getting the access denied error.
joe.smith is a domain account.
joe.smith has full control when I run the : Set-PSSessionConfiguration -ShowSecurityDescriptorUI -Name Microsoft.Powershell command
Any help is appreciated.
The issue as I see it is you are trying to remote to the local PC. You should be able to use Start-Process instead.
Start-Process powershell.exe -ArgumentList "-file","C:\dir\Install.ps1" -Credential $cred
Am using Powershell script to copy a folder from local system to remote VM.
The below script works fine when am running from my local system.
New-SelfSignedCertificate -DnsName dummy.southcentralus.cloudapp.azure.com -CertStoreLocation Cert:\LocalMachine\My
winrm create winrm/config/Listener?Address=*+Transport=HTTPS #{Hostname="dummy.southcentralus.cloudapp.azure.com"; CertificateThumbprint="9C207E7D249D385FDE9D4BBFE7AF7EB008RDGD"}
$pw = convertto-securestring -AsPlainText -Force -String <Password>
$cred = new-object -typename System.Management.Automation.PSCredential - argumentlist <username>,$pw
$session = new-pssession -computername dummy.southcentralus.cloudapp.azure.com -credential $cred
Copy-Item -Path C:\Jenkins\workspace\deploy-service\bin.zip -Destination F:\destpath\bin1.zip -ToSession $session
But when I use the same script in Jenkins at the build step. It throws me an error as given below.
"WinRM cannot process the request. The following error with errorcode 0x8009030d occurred while using Negotiate authentication: A specified logon session does not exist. It may already have been terminated."
What I tried So Far to resolve this error:
I have ensured that winrm is setup on both the host machines involved. Infact with 'Unrestricted' access via set-ExecutionPolicy.
I have Ensured remote machine running as a non-domain user, because local machine is running as a non-domain user.
Used Invoke-Command.
Change in this line, fixed my issue.
$cred = new-object -typename System.Management.Automation.PSCredential - argumentlist <username>,$pw
as
$cred = new-object -typename System.Management.Automation.PSCredential - argumentlist <domainname>\<username>,$pw
PSCredential, would expect the credential to be with domainname\username rather than passing username alone.
I am trying to invoke a PowerShell command on a remote computer. I'd like to request a certificate from an in-house CA. If I run the following command directly on the remote PC the operation is successful:
Get-Certificate -Template 1.3.6.1.4.1.311.21.8.9612972.3074733.7357589.1249582.14248002.117.5480590.5436517 -Credential $cred -Url ldap: -CertStoreLocation Cert:\LocalMachine\My
When I run the following command from a remote computer on the same domain I get the WIN32: 87 error shown below. I have googled the error extensively and cannot figure out the issue (fyi.. I have mitigated the double hop issue earlier in my script by using Enable-WSManCredSSP).
$user = 'ABCCOmpany\<password>' #We are using the local machine's Administrator account
$password = ConvertTo-SecureString '<password>' -asplaintext -force
$credential = New-Object -typename System.Management.Automation.PSCredential -ArgumentList $user, $password
$RequestAndReceiveCertificateSuccessful = Invoke-Command -Session $s -ScriptBlock{param($cred) Get-Certificate -Template 1.3.6.1.4.1.311.21.8.9612972.3074733.7357589.1249582.14248002.117.5480590.5436517 -Credential $cred -Url ldap: -CertStoreLocation Cert:\LocalMachine\My} -ArgumentList $credential
Error:
The parameter is incorrect. 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)
+ CategoryInfo : NotSpecified: (:) [Get-Certificate], Exception
+ FullyQualifiedErrorId : System.Exception,Microsoft.CertificateServices.Commands.GetCertificateCommand
+ PSComputerName : Agent3
I'm trying to connect to amazon windows instance using powershell. I'm following the steps from the below link:
Execute powershell script remotely on Amazon EC2 instance from my local computer
http://barakme.tumblr.com/post/89748667258/windows-remote-execution-with-powershell-and-winrm
http://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/connecting_to_windows_instance.html
I cannot make this to work. I'm new Amazon CLI, I've been struggling for the past few days to connect to my windows instance which is already running.
I keep getting the same error each time. Am I missing out something?
enable-psremoting -force
set-item wsman:\localhost\Client\TrustedHosts -value "*" -force
$password = convertto-securestring -asplaintext -force -string "MY_PASSWORD_GOES_HEREr"
$credential = new-object -typename system.management.automation.pscredential -argumentlist "MY_USERNAME", $pa
ssword
$session = new-pssession x.x.x.x -credential $credential
new-pssession : [x.x.x.x] Connecting to remote server x.x.x.x failed with the following error message : WinRM
cannot complete the operation. Verify that the specified computer name is valid, that the computer is accessible over
the network, and that a firewall exception for the WinRM service is enabled and allows access from this computer. By
default, the WinRM firewall exception for public profiles limits access to remote computers within the same local
subnet. For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:12
+ $session = new-pssession x.x.x.x -credential $credential
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotin
gTransportException
+ FullyQualifiedErrorId : WinRMOperationTimeout,PSSessionOpenFailed