I use Windows 8.1 Enterprise 64 bit and Powershell 4.0.
I want execute powershell remoting and using authentication CredSSP.
I open Console Powershell, run as Administrator, and execute Enter-PSSession command to connect to remote computer.
But I get error about connection.
PS C:\Documents and Settings\kiquenet> Enter-PSSession -ComputerName DC -credential devrsg.com\Administrator
Anyways, I test command from Windows XP and Windows 7, and connection is OK.
PS C:\Documents and Settings\kiquenet> Enter-PSSession -ComputerName DC -credential devrsg.com\Administrator
[dc]: PS C:\Users\Administrator\Documents> exit
Now, I test in Windows 8.1.
I test command enable-psremoting and I get error:
PS C:\Windows\system32> Enable-PSRemoting -force
WinRM ya está configurado para recibir solicitudes en este equipo.
WinRM has been updated to receive requests.
Set-WSManQuickConfig : <f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="2"
Machine="localhost"><f:Message><f:ProviderFault provider="Config provider"
path="%systemroot%\system32\WsmSvc.dll"><f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault"
Code="2" Machine="MYCOMPUTERW8.mycompany.net"><f:Message>Unable to check the status of the firewall.
</f:Message></f:WSManFault></f:ProviderFault></f:Message></f:WSManFault>
En línea: 69 Carácter: 17
+ Set-WSManQuickConfig -force
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [Set-WSManQuickConfig], InvalidOperationException
+ FullyQualifiedErrorId : WsManError,Microsoft.WSMan.Management.SetWSManQuickConfigCommand
Same error using the command Enable-PSRemoting -force -SkipNetworkProfileCheck.
I test command winrm quickconfig and I get error:
PS C:\Windows\system32> winrm quickconfig -force
WinRM service is already running on this machine.
WSManFault
Message
ProviderFault
WSManFault
Message = Unable to check the status of the firewall.
Nº de error: -2147024894 0x80070002
The system cannot find the file specified.
I have SmartScreen and Firewall disabled in my Windows 8.1. (I have Symantec Endpoint protection disabled)
Any suggestions?
update:
I test those commads:
PS C:\> Enable-PSRemoting -SkipNetworkProfileCheck -Force
PS C:\>Set-NetFirewallRule –Name "WINRM-HTTP-In-TCP-PUBLIC" –RemoteAddress Any
but I get error:
PS C:\Windows\system32> Set-NetFirewallRule -Name "WINRM-HTTP-In-TCP-PUBLIC" -RemoteAddress Any
Set-NetFirewallRule : No se encontraron objetos MSFT_NetFirewallRule cuya propiedad 'InstanceID' sea igual a
'WINRM-HTTP-In-TCP-PUBLIC'. Compruebe el valor de la propiedad e inténtelo de nuevo.
En línea: 1 Carácter: 1
+ Set-NetFirewallRule -Name "WINRM-HTTP-In-TCP-PUBLIC" -RemoteAddress Any
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (WINRM-HTTP-In-TCP-PUBLIC:String) [Set-NetFirewallRule], CimJobException
+ FullyQualifiedErrorId : CmdletizationQuery_NotFound_InstanceID,Set-NetFirewallRule
Reference: http://technet.microsoft.com/en-us/library/hh849694.aspx
Update 2
Now,I execute Net stop MPSSVC (Windows Firewall Service), and I get this error
Enter-PSSession -ComputerName DC -credential dersg.com\Administrator
Enter-PSSession : Connecting to remote server DC failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
En línea: 1 Carácter: 1
+ Enter-PSSession -ComputerName DC -credential devrsg.com\Administrator
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (DC:String) [Enter-PSSession], PSRemotingTransportException
+ FullyQualifiedErrorId : CreateRemoteRunspaceFailed
Update 3.
I execute this command (https://stackoverflow.com/a/22816386/206730)
Set-PSSessionConfiguration -ShowSecurityDescriptorUI -Name Microsoft.PowerShell
Now, I execute the command and all is OK
PS C:\Documents and Settings\kiquenet> Enter-PSSession -ComputerName DC -credential devrsg.com\Administrator
[dc]: PS C:\Users\Administrator\Documents> exit
Now, I enable CredSSP in server and in client:
Enable-WSManCredSSP -Role Server –Force
Enable-WSManCredSSP -Role Client -DelegateComputer * -Force
Now, I test command using CredSSP:
$serverName = "DC"
$username = "devrsg\Administrator"
$password = "xxxxxx"
$adjPwd = $password | ConvertTo-SecureString -asPlainText -Force
$testCred = (New-Object System.Management.Automation.PSCredential($username,$adjPwd))
$scriptBlock = {
Write-Host ("hello, world: {0}, {1}" -f $env:USERNAME, (hostname))
}
Invoke-Command $scriptBlock -computername $serverName -credential $testCred -Authentication Credssp
and I get the error:
PS C:\> .\testRemoteCredSSP.ps1
[DC] Error de conexión al servidor remoto DC. Mensaje de error: El cliente WinRM no puede procesar la solicitud. Una
directiva de equipo no permite delegar credenciales de usuario en el equipo de destino porque éste no es de confianza.
La identidad del equipo de destino se puede comprobar si configura el servicio WSMAN para usar un certificado válido
con el siguiente comando: winrm set winrm/config/service '#{CertificateThumbprint="<huellaDigital>"}' O bien puede
comprobar en el Visor de eventos si hay un evento que especifique que no se pudo crear el siguiente SPN:
WSMAN/<FQDNdelEquipo>. Si encuentra este evento, puede crear manualmente el SPN con setspn.exe . Si el SPN existe,
pero CredSSP no puede usar Kerberos para validar la identidad del equipo de destino y desea permitir la delegación de
credenciales de usuario en el equipo de destino, use gpedit.msc y mire la siguiente directiva: Configuración del
equipo -> Plantillas administrativas -> Sistema -> Delegación de credenciales -> Permitir credenciales nuevas con
autenticación solo NTLM de servidor. Compruebe que esté habilitada esta opción y configurada con el correspondiente
SPN para el equipo de destino. Por ejemplo, para un nombre de equipo de destino "miservidor.dominio.com", el SPN puede
ser alguno de los siguientes: WSMAN/miservidor.dominio.com o WSMAN/*.dominio.com. Pruebe de nuevo la solicitud después
de realizar estos cambios. Para obtener más información, consulte el tema de la Ayuda about_Remote_Troubleshooting.
+ CategoryInfo : OpenError: (DC:String) [], PSRemotingTransportException
+ FullyQualifiedErrorId : -2144108124,PSSessionStateBroken
English message:
Enter-PSSession : Connecting to remote server failed with the following error me
ssage : The WinRM client cannot process the request.
A computer policy does not allow the delegation of the user credentials to the target computer because the computer is not trusted. The identity of the target computer can be verified if you configure the WSMAN service to use a valid certificate using the following command: winrm set winrm/config/service '#{CertificateThumbprint="<thumbprint>"}'
Or you can check the Event Viewer for an event that specifies that the following SPN could not be created: WSMAN/<computerFQDN>. If you find this event, you can manually create the SPN using setspn.exe .
If the SPN exists, but CredSSP can not use Kerberos to validate the identity of the target computer and you still want to allow the delegation of the user credentials to the target computer, use gpedit.msc and look at the following policy: Computer Configuration -> Administrative Templates -> System -> Credentials Delegation -> Allow Fresh Credentials with NTLM-only Server Authentication.
Verify that it is enabled and configured with an SPN appropriate for the target computer.
For example, for a target computer name "myserver.domain.com", the SPN can be one of the following: WSMAN/myserver.domain.com or WSMAN/*.domain.com.
Try the request again after these changes.
For more information, see the about_Remote_Troubleshooting Help topic.
CredSSP will not send your credentials to a machine it does not trust, you can add a trust with the remote server in two ways.
Set the GPO setting in Admin templates/System/Credentials Delegation/Allow delegating fresh credentials to either the server (WSMAN/dc.domain.com) or wildcard for everything in the domain (WSMAN/*.domain.com).
Get the Certificate thumbprint for that machine and run winrm set winrm/config/service '#{CertificateThumbprint="<thumbprint>"}'.
You can get the Certificate thumbprints of the server by running: Get-ChildItem "Cert:\LocalMachine\Remote Desktop\"
Related
Hi got an issue to turn on a firewall rule :
My goal is to set up a network firewall rule on my public profile for a specific displaygroup with a range of ip networks (variable).
commmand :
https://learn.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallrule?view=windowsserver2022-ps
I ve tried to switch the variable and always the same issue below :
$IPAddresses = #('192.168.124.0/22','192.168.125.0/22','192.168.127.0/22','192.168.136.0/22','192.168.138.0/22','192.168.139.0/22')
set-netfirewallrule -DisplayGroup "Recherche du réseau" -Enabled True -Profile Public -RemoteAddress $IPAddresses -LocalAddress $IPAddresses
set-netfirewallrule : Impossible de combiner des points de terminaison logiques (tuples de confiance) avec des adresses ou des ports spécifiques.
Au caractère Ligne:1 : 1
+ set-netfirewallrule -DisplayGroup "Recherche du réseau" -Enabled True ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument : (MSFT_NetFirewal...ystemName = ""):root/standardcimv2/MSFT_NetFirewallRule) [Set-NetFirewallRule], CimException
+ FullyQualifiedErrorId : HRESULT 0x80070057,Set-NetFirewallRule
set-netfirewallrule : Impossible de combiner des points de terminaison logiques (tuples de confiance) avec des adresses ou des ports spécifiques.
Au caractère Ligne:1 : 1
+ set-netfirewallrule -DisplayGroup "Recherche du réseau" -Enabled True ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument : (MSFT_NetFirewal...ystemName = ""):root/standardcimv2/MSFT_NetFirewallRule) [Set-NetFirewallRule], CimException
+ FullyQualifiedErrorId : HRESULT 0x80070057,Set-NetFirewallRule
If someone could help me ^^
Thks
Cannot enable TLS1.2 on Windows 7SP1 with powershell 2.0 :
PS C:\Windows\system32> $PSVersionTable
Name Value
---- -----
CLRVersion 2.0.50727.8806
BuildVersion 6.1.7601.17514
PSVersion 2.0
WSManStackVersion 2.0
PSCompatibleVersions {1.0, 2.0}
SerializationVersion 1.1.0.1
PSRemotingProtocolVersion 2.1
I guess P.Sv2.0 is using .NET v2.0 :
PS C:\Windows\system32> $PSVersionTable.CLRVersion
Major Minor Build Revision
----- ----- ----- --------
2 0 50727 8806
PS C:\Windows\system32> [System.Environment]::Version
Major Minor Build Revision
----- ----- ----- --------
2 0 50727 8806
Moreover, the following .NET versions are installed on this system :
PS C:\Windows\system32> Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP' -Recurse | Get-ItemProperty -Name Version, Release -ErrorAction 0 | where { $_.PSChildName -match '^(?!S)\p{L}'} | select Version, Release, PSChildName
Version Release PSChildName
------- ------- -----------
2.0.50727.5420 v2.0.50727
3.0.30729.5420 v3.0
3.0.4506.5420 Windows Communication Foundation
3.0.6920.5011 Windows Presentation Foundation
3.5.30729.5420 v3.5
4.8.03761 528049 Client
4.8.03761 528049 Full
4.0.0.0 Client
However, I cannot set TLSv1.2 with that configuration :
PS C:\Windows\system32> [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Exception lors de la définition de « SecurityProtocol » : « Impossible de convertir la valeur Null en type « System.Net.SecurityProtocolType » en raison de valeurs d'énumération non valides. Spécifiez l'une des valeurs d'énumération suivantes et réessayez. Les valeurs d'énumération possibles sont « Ssl3, Tls ». »
Au niveau de ligne : 1 Caractère : 28
+ [Net.ServicePointManager]:: <<<< SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : PropertyAssignmentException
PS C:\Windows\system32> [enum]::GetNames([Net.SecurityProtocolType])
Ssl3
Tls
PS C:\Windows\system32>
EDIT 0 : #mclayton Setting up [Net.ServicePointManager]::SecurityProtocol to the integer value of 3072 does not work either :
PS C:\Windows\system32> [Net.ServicePointManager]::SecurityProtocol = 3072
Exception lors de la définition de « SecurityProtocol » : « Impossible de convertir la valeur « 3072 » en type « System.Net.SecurityProtocolType » en raison de valeurs d'énumérati
on non valides. Spécifiez l'une des valeurs d'énumération suivantes et réessayez. Les valeurs d'énumération possibles sont « Ssl3, Tls ». »
Au niveau de ligne : 1 Caractère : 28
+ [Net.ServicePointManager]:: <<<< SecurityProtocol = 3072
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : PropertyAssignmentException
Can you help me ?
To expand on #Abraham Zinala's comment, the Tls12 enumeration value wasn't added to the System.Net.SecurityProtocolType enum until Dot Net Framework version 4.5 (see https://learn.microsoft.com/en-us/dotnet/api/system.net.securityprotocoltype?view=netframework-4.5).
Your PowerShell 2.0 install is using a lower version than this, so it can't resolve the value of [Net.SecurityProtocolType]::Tls12.
What you can do instead is use the integer value of the enum:
# assign the magic number to a variable for clarity
$tls12 = 3072;
[Net.ServicePointManager]::SecurityProtocol = $tls12;
I have 2 windows server, Server1 (now 2019) and ServerUpdate (2012 R2)
On each server I have an admin user named: AdminUpdate with the same password.
Im currently switching my Server1 windows server 2012 R2 for a windows server 2019. The following powershell code was working #1 before the switch.
I try to run this powershell on ServerUpdate to stop aservice on Server1
# Obtient une instance du mot passe sécurisé
$passwordCred = ConvertTo-SecureString *SomePassword* -AsPlainText -Force
# Obtient les crédentials
$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList AdminUpdate, $passwordCred
# Effectue le Stop sur le service
invoke-command -computerName *Server1Ip* -scriptBlock {
# Effectue le stop en local
Stop-Service -Name $args[0] -Force
} -credential $cred -ArgumentList *someServiceName*
For some reason I always got this error:
'*someServiceName*'.
+ CategoryInfo : ObjectNotFound: (*someServiceName*:String) [Stop-Service], ServiceCommandException
+ FullyQualifiedErrorId : NoServiceFoundForGivenName,Microsoft.PowerShell.
Commands.StopServiceCommand
+ PSComputerName : *Server1Ip*
But if i try directly this, its return the service
Get-Service -ComputerName *Server1Ip* -Name *someServiceName*
I have check this https://blog.netspi.com/powershell-remoting-cheatsheet/
I have the PSRemoting Enable
I put the sevice WinRM auto
I put my Server1 ip in the Trustedhosts on the ServerUpdate and same for the Server1, I put the ServerUpdate ip in the Trustedhosts
Did someone know why I got this error?
I try to use ConvertTo- and ConvertFrom-SecureString in 2 Powershell scripts, but I've got a problem generating encrypted passwords with a dynamic profile, and then reading/deciphering them with the SAME profile on the SAME machine.
My script ask an Interactive User (IU) to type credential for a Task User (TU).
The logic is to create a PSSession fot the TU inside the powershell session of the IU, to generate a secure string from a plain text (or read-host), and to convert it to regular string to export it to a file.
$scriptUser = Read-Host "Entrez le nom de l'utilisateur qui va chiffrer/utiliser le fichier de mot de passe (domain\user)"
$scriptCredential = Get-Credential -Message "Veuillez entrer le mot de passe de l'utilisateur $scriptUser" -User $scriptUser
$Crypt = New-PSSession -Credential $scriptCredential -ComputerName localhost
if ($Crypt)
{
Enter-PSSession $Crypt
$Texte = "JULIEN"
ConvertTo-SecureString $Texte -AsPlainText -Force | ConvertFrom-SecureString | Set-Content -Path C:\PathToFile\testcrypt_adm_task.txt
Exit-PSSession
}
But when I try to read the content of the file using ConvertFrom-SecureString with the TU (interactive or task scheduler): no way!
> PS C:\PathToFile> Get-Content .\testcrypt_adm_task.txt |
> convertto-securestring convertto-securestring : Key not valid for use
> in specified state. At line:1 char:40
> + Get-Content .\testcrypt_adm_task.txt | convertto-securestring
> + ~~~~~~~~~~~~~~~~~~~~~~
> + CategoryInfo : InvalidArgument: (:) [ConvertTo-SecureString], CryptographicException
> + FullyQualifiedErrorId : ImportSecureString_InvalidArgument_CryptographicError,Microsoft.PowerShell.Commands.Conv ertToSecureStringCommand
If I do the exact same command with my IU, no problem, as if the key used to encrypt my Securestring was bound to my IU and not my TU.
The point is I've got a problem really understanding what is really loaded with PSSession, as the secure-string is readable by my IU and not my TU, even if the encryption operation has been done in a PSSession with the TU creds...
Doesn't Enter-PSSession mean to really enter a session, with all the environment with it ?
Is there something I am missing concerning the environment loaded with Enter-PSSession ?
Thanks for your help
Import-clixml is the only way to save a PowerShell object to disk. Export-clixml will let you import the file into a PowerShell object.
Try changing "| Set-Content -Path C:\PathToFile\testcrypt_adm_task.txt" to "| Export-Clixml -Path C:\PathToFile\testcrypt_adm_task.txt"
When you ready to read it use $mysavedpassword = import-clixml c:\PathToFile\testcrypt_adm_task.txt
Probably you created the secure-string using some different user and trying to covert back to plain text using different user. Please use the same user for making it secure and convert it back to plain text.
I've got a problem to create new object with Invoke-Command:
$a = 'TEST'
Invoke-Command -ComputerName $computer -Credential $cred -ScriptBlock {
param($a, $b, $c)
$o = New-Object -ComObject Outlook.Application
echo $a
} -ArgumentList ($a, $b, $c)
I'm getting the following error:
La récupération de la fabrique de classes COM pour le composant avec le CLSID
{0006F03A-0000-0000-C000-000000000046} a échoué en raison de l'erreur suivante :
80080005 Échec de l'exécution du serveur (Exception de HRESULT : 0x80080005
(CO_E_SERVER_EXEC_FAILURE)).
+ CategoryInfo : ResourceUnavailable: (:) [New-Object], COMException
+ FullyQualifiedErrorId : NoCOMClassIdentified,Microsoft.PowerShell.Commands.NewObjectCommand
TEST
where the trailing "TEST" is the output of echo $a.
I can't create the new object remotly. can you help me?