Remote command failure even after unencrypted traffic is true - powershell

I am trying to open a remote PSSession from one PC to another. Both PCs are on the LAN and reachable, but whenever I try to enter the PSSession, the following error occurs:
Enter-PSSession : Connecting to remote server pc2 failed with the
following error message : The WinRM client cannot process the request.
Unencrypted traffic is currently disabled in the client configuration.
Change the client configuration and try the request again. For more
information, see the about_Remote_Troubleshooting Help topic. At
line:1 char:1
+ Enter-PSSession -ComputerName pc2 -Authentication Basic -Credential admin
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (pc2:String) [Enter-PSSession], PSRemotingTransportException
+ FullyQualifiedErrorId : CreateRemoteRunspaceFailed
I have set AllowUnencrypted to true in both the WSMan::localhost\Client and WSMan::localhost\Service locations on the remote PC, but I am still getting the same error. Are there other settings I need to update?
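
The error above is raised by the WinRM client, which is the machine where Enter-PSSession is run, so the settings that matter live in that machine's own WSMan:\localhost\Client store. The following is an added example, not part of the original post: it lists the relevant client settings and tries an HTTPS connection first. It assumes an HTTPS listener may exist on pc2; the function name is hypothetical.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# session on the PC that initiates the connection; 'pc2' and 'admin' are the
# names used in the question.

function Get-WinRMClientPosture {
    # Client-side settings that decide whether this machine may send
    # Basic credentials over plain HTTP (port 5985).
    $paths = 'WSMan:\localhost\Client\AllowUnencrypted',
             'WSMan:\localhost\Client\Auth\Basic',
             'WSMan:\localhost\Client\TrustedHosts'
    foreach ($p in $paths) {
        $item = Get-Item -Path $p
        [pscustomobject]@{
            Setting = $p
            Value   = $item.Value
            # 'GPO' here means Group Policy owns the value and will
            # override a local Set-Item.
            Source  = $item.SourceOfValue
        }
    }
}

$posture = Get-WinRMClientPosture
$posture | Format-Table -AutoSize

$allowPlain = ($posture | Where-Object Setting -like '*AllowUnencrypted').Value

# Preferred path: leave AllowUnencrypted at false and use an HTTPS listener
# on pc2 (port 5986), so the Basic credentials travel inside TLS.
if (Test-WSMan -ComputerName pc2 -UseSSL -ErrorAction SilentlyContinue) {
    Enter-PSSession -ComputerName pc2 -UseSSL -Authentication Basic -Credential admin
}
elseif ($allowPlain -ne 'true') {
    Write-Warning ('Client AllowUnencrypted is false on this machine, which is what ' +
                   'the error reports. Changing it on pc2 does not affect this client.')
    # Isolated lab networks only: Basic over HTTP exposes the password to
    # anyone who can capture the traffic.
    # Set-Item WSMan:\localhost\Client\AllowUnencrypted -Value $true
}
```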

Related

How to remote into a password protected server using PowerShell

I'm trying to remote into a password protected server using powershell, but it keeps throwing errors.
My code:
winrm set winrm/config/client #{TrustedHosts="XX.X.XXX.XX"}
$cred = Get-Credential
New-PSSession XX.X.XXX.XX -Credential $cred
and the output:
PS C:\Users\user.name> winrm set winrm/config/client #{TrustedHosts="XX.X.XXX.XX"}
$cred = Get-Credential
New-PSSession XX.X.XXX.XX -Credential $cred
winrm : Error: Invalid use of command line. Type "winrm -?" for help.
At line:1 char:1
+ winrm set winrm/config/client #{TrustedHosts="XX.X.XXX.XX"}
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (Error: Invalid ...m -?" for help.:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
New-PSSession : [XX.X.XXX.XX] Connecting to remote server XX.X.XXX.XX failed with the following error message : The WinRM client cannot process the request. Default authentication may be
used with an IP address under the following conditions: the transport is HTTPS or the destination is in the TrustedHosts list, and explicit credentials are provided. Use winrm.cmd to
configure TrustedHosts. Note that computers in the TrustedHosts list might not be authenticated. For more information on how to set TrustedHosts run the following command: winrm help
config. For more information, see the about_Remote_Troubleshooting Help topic.
At line:3 char:1
+ New-PSSession XX.X.XXX.XX-Credential $cred
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotingTransportException
+ FullyQualifiedErrorId : CannotUseIPAddress,PSSessionOpenFailed
My IP address is in the format XX.X.XXX.XX, but I censored it because I have no idea how secure/insecure it is to put that on the internet.
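
In PowerShell, # starts a comment, so winrm.cmd in the post above received only "winrm set winrm/config/client" and TrustedHosts was never changed, which is why the second error follows. The following is an added example, not part of the original post, that sets the entry through the WSMan provider instead; the function name is hypothetical and the address is the censored placeholder from the question.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# session on the client. 'XX.X.XXX.XX' is the censored address from the
# question and stands in for the real server IP.

function Add-WinRMTrustedHost {
    param([Parameter(Mandatory)][string]$HostName)

    # Refuse wildcards: every TrustedHosts entry is a host this client will
    # send credentials to without authenticating the server.
    if ($HostName -match '\*') {
        throw "Refusing wildcard TrustedHosts entry '$HostName'."
    }
    $path    = 'WSMan:\localhost\Client\TrustedHosts'
    $current = (Get-Item -Path $path).Value -split ',' | Where-Object { $_ }
    if ($current -notcontains $HostName) {
        # -Concatenate appends to the list instead of overwriting it.
        Set-Item -Path $path -Value $HostName -Concatenate -Force
    }
    (Get-Item -Path $path).Value
}

Add-WinRMTrustedHost -HostName 'XX.X.XXX.XX'

# The winrm.cmd form of the same change, typed in PowerShell, needs '@'
# (not '#') and single quotes so PowerShell passes the hashtable text through:
# winrm set winrm/config/client '@{TrustedHosts="XX.X.XXX.XX"}'

$cred    = Get-Credential
$session = New-PSSession -ComputerName 'XX.X.XXX.XX' -Credential $cred
```

As the error text itself notes, hosts in TrustedHosts might not be authenticated; HTTPS transport avoids that trade-off.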

Enter-PSSession not working, Firewall port 5985 is open

Error:
Enter-PSSession : Connecting to remote server sadcm0000081 failed with the following error message : WinRM cannot
complete the operation. Verify that the specified computer name is valid, that the computer is accessible over the
network, and that a firewall exception for the WinRM service is enabled and allows access from this computer. By
default, the WinRM firewall exception for public profiles limits access to remote computers within the same local
subnet. For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ Enter-PSSession -ComputerName sadcm0000081
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (sadcm0000081:String) [Enter-PSSession], PSRemotingTransportException
+ FullyQualifiedErrorId : CreateRemoteRunspaceFailed
Test-WSMan output:
Test-Wsman : <f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="2150859046" Machine="SADCM0000078.adc
.corpintra.net"><f:Message>WinRM cannot complete the operation. Verify that the specified computer name is valid, that the computer i
s accessible over the network, and that a firewall exception for the WinRM service is enabled and allows access from this computer. B
y default, the WinRM firewall exception for public profiles limits access to remote computers within the same local subnet. </f:Messa
ge></f:WSManFault>
At line:1 char:1
+ Test-Wsman -ComputerName sadcm0000081
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (sadcm0000081:String) [Test-WSMan], InvalidOperationException
+ FullyQualifiedErrorId : WsManError,Microsoft.WSMan.Management.TestWSManCommand
First, try running Enable-PSRemoting in PowerShell from an administrator console.
After that, check the Windows Firewall rules for remote administration.

PowerShell Double Hop Issue

I’m trying to run a PowerShell script on SYSTEM1, which executes robocopy on SYSTEM2, copying files to SYSTEM3,4,5,etc.
SYSTEM1 and SYSTEM2 are on the same domain, but SYSTEM2 is not behind a firewall (hence the need to run robocopy from SYSTEM2 and not SYSTEM1).
SYSTEM3,4,5 are on different domains than SYSTEM2, as well as different domains than each other.
I set the script up like this (it uses the net use command to prompt the user for credentials for the different domains):
Foreach($server in $servers) {
    $command = {
        param($cred, $server);
        $error.clear();
        # Stored credentials in local variables
        $user = $cred.GetNetworkCredential().username
        $pass = $cred.GetNetworkCredential().password
        # Establish connection from SYSTEM2 -> $server
        net use \\$server\c$\Deployments /delete
        net use \\$server\c$\Deployments /USER:$user $pass
        # Check to see if C:\Deployments exists on server, and if not create it.
        if ((Test-Path \\$server\c$\Deployments) -eq $FALSE) {
            $c = {
                New-Item \\$server\c$\Deployments -type directory
            }
            $ws = Invoke-Command -ComputerName $server -Credential $cred -ScriptBlock $c
        }
        # Copy over the deployment packages
        $dest = "\\$server\Deployments\$DeploymentDate\$CurrentDirectoryName"
        robocopy $CurrentDirectoryPath $dest /W:20 /R:15 /e /XF CopyPackage.ps1
        # Delete connection from SYSTEM2 -> $server
        net use \\$server\c$\Deployments /delete
    }
}
However, the net use command returns an error after the credentials are entered:
The network connection could not be found.
+ CategoryInfo : NotSpecified: (The network con...d not be found.:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
+ PSComputerName : SYSTEM2
More help is available by typing NET HELPMSG 2250.
System error 55 has occurred.
+ CategoryInfo : NotSpecified: (System error 55 has occurred.:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
+ PSComputerName : SYSTEM2
The specified network resource or device is no longer available.
[SYSTEM3] Connecting to remote server failed with the following error message : WinRM cannot process the request. The
following error occured while using Kerberos authentication: There are currently no logon servers available to service
the logon request.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does not exist.
-The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or
use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following command: winrm help config. For more
information, see the about_Remote_Troubleshooting Help topic.
+ CategoryInfo : OpenError: (:) [], PSRemotingTransportException
+ FullyQualifiedErrorId : PSSessionStateBroken
+ PSComputerName : SYSTEM2
The network connection could not be found.
+ CategoryInfo : NotSpecified: (The network con...d not be found.:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
+ PSComputerName : SYSTEM2
More help is available by typing NET HELPMSG 2250.
I’ve read this could be a “double-hop” issue (as detailed here), but I’m not sure how to edit the script to use CredSSP instead of Kerberos (or if this is even the problem).
Any ideas?
Posting this solution in case someone is still having this issue: a simple resolution to the double hop without using CredSSP.
Try this out:
https://www.powershellgallery.com/packages/Invoke-PSSession
It invokes a PSSession, then registers a PSSessionConfiguration with the credentials that you provided, basically providing the credentials for that double hop.
Then use Invoke-Command with that new PSSession. It should have the required privileges to do what you need.

PS Remote session without passing credentials

I want to start a New-PSSession without having to pass credentials in a script. I know you can get the password from a file or have it hardcoded in the script and then convert it to a secure string to start the session. However, I want to start the session using the current user's credentials.
The machine I am trying to remote to is in the same domain.
I tried:
Enter-PSSession -ComputerName machineInDomain
Enter-PSSession : Connecting to remote server failed with the following error message : WinRM cannot process the request. The
following error occured while using Kerberos authentication: The network path was not found.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does not exist.
-The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or
use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following command: winrm help config. For more
information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:16
+ Enter-PSSession <<<< -ComputerName machineInDomain
+ CategoryInfo : InvalidArgument: (machineInDomain:String) [Enter-PSSession], PSRemotingTransportException
+ FullyQualifiedErrorId : CreateRemoteRunspaceFailed
Kerberos should pass the current user's credentials with trust if in the same domain.
Enter-PSSession -ComputerName $RemoteHost -Authentication Kerberos
Enter-PSSession : Connecting to remote server failed with the following error message
: WinRM cannot process the request. The following error occurred while using Kerberos authentication: The computer
$RemoteHost is unknown to Kerberos. Verify that the computer exists on the network, that the name
provided is spelled correctly, and that the Kerberos configuration for accessing the computer is correct. The most
common Kerberos configuration issue is that an SPN with the format HTTP/$RemoteHost is not
configured for the target. If Kerberos is not required, specify the Negotiate authentication mechanism and resubmit
the operation. For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ Enter-PSSession -ComputerName $RemoteHost -Authentication Ke ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: ($RemoteHost) [Enter-PSSession], PSRemotingTransportException
+ FullyQualifiedErrorId : CreateRemoteRunspaceFailed
It seems to be a domain problem.

Powershell Remoting Failing After Server Restore

Our server had been set up to have Powershell Remoting enabled, so that we can remotely execute scripts from our developer machines. I should add that I am not massively fluent in Powershell and was not involved in setting this up.
However recently our server suffered a fault and subsequently had to be restored. The restoration process was supposed to restore Windows back to its last backed up state including all programs and data. However since the restore, Powershell Remoting no longer works on the server.
I receive the following error now when running Enter-PSSession ServerName.
Enter-PSSession : Connecting to remote server failed with the following error message : <f:WSManFault xmlns:f="http://s
chemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="2147749890" Machine="ServerName"><f:Message></f:Message></f:WSManFaul
t> For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:16
+ enter-pssession <<<< ServerName
+ CategoryInfo : InvalidArgument: (ServerName:String) [Enter-PSSession], PSRemotingTransportException
+ FullyQualifiedErrorId : CreateRemoteRunspaceFailed
Or I get the following error when running New-PSSession ServerName
[ServerName] Connecting to remote server failed with the following error message : <f:WSManFault xmlns:f="http://schemas.
microsoft.com/wbem/wsman/1/wsmanfault" Code="2147749890" Machine="ServerName"><f:Message></f:Message></f:WSManFault> For
more information, see the about_Remote_Troubleshooting Help topic.
+ CategoryInfo : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [], PSRemotingTransportExc
eption
+ FullyQualifiedErrorId : PSSessionOpenFailed
(I have replaced the actual server name above with ServerName for privacy purposes)
Any help is much appreciated
Based on this Microsoft Connect item, try adding -SessionOption (New-PSSessionOption -NoMachineProfile) to your Enter-PSSession command.
I have no idea why this would be needed, but it's worth a shot.