PowerShell remote call. Access is denied - powershell

In order to automate test releases, I need access to a remote computer in another domain group.
What I've done on remote computer:
run Enable-PSRemoting
set TrustedHosts "*"
added https listener with self-signed certificate
opened 5985 and 5986 ports
So now scripts are running successfully via the PowerShell console.
But when I try to run a remote script via the TeamCity agent, I receive the following error:
Connecting to remote server failed with the following error message :
Access is denied. For more information, see the
about_Remote_Troubleshooting Help topic.
TeamCity agent service is running with Local System rights.
Session initialization
$password = ConvertTo-SecureString $appServerPwd -AsPlainText -Force
$appCred = New-Object System.Management.Automation.PsCredential($appServerUser,$password)
$rs = New-PSSession -ComputerName $appServer -Credential $appCred -UseSSL -SessionOption (New-PSSessionOption -SkipCACheck -SkipCNCheck) -Authentication Negotiate
Also when I'm trying to make remote call to domain computer via TeamCity everything works.
Do you have any idea how to solve this issue ?
Dima

I've found the problem: as soon as I changed the "Local System" user to the Administrator user on the TeamCity agent service, everything started to work.
So the issue was in rights (starting PSSession) between "Local System" and Administrator.

Related

How to execute powershell script from server1 for deploying wsp in server2

I am trying to remotely deploy wsp file present in server2 by running a powershell script in server1.
I am able to successfully log in to the server2 through server1 using the below command:
$password = ConvertTo-SecureString "password" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("username",$password)
but I am not able to deploy the wsp file. This is the code that I tried:
Enter-PSSession -ComputerName server2 -Credential $cred
Add-PSSnapin Microsoft.Sharepoint.Powershell –EA 0
Update-SPSolution -Identity TechSoup.Web.wsp -LiteralPath "C:\Program Files ...Debug\Some.wsp" -GacDeployment
I have also tried to put the above code in a script, save it and run the script remotely.
This is the error that I am getting. I believe it is because I don't have admin privileges; I can say this because when I run the deployment code from server2 as admin, the wsp file is getting deployed. So, how can I get admin privileges remotely? The user has the admin privileges, all I need to do is run it with elevated privileges (like right-click and run as admin, but programmatically).
Update-SPSolution : Cannot access the local farm. Verify that the
local farm is properly configured, currently available, and that you
have the appropriate permissions to access the database before trying
again
EDIT
I have tried the below script code in admin mode in powershell:
$password = ConvertTo-SecureString "serverpassword" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("userName",$password)
Enable-PSRemoting
Enable-WSmanCredSSP -Role Server
winrm set winrm/config/winrs '@{MaxShellsPerUser="25"}'
winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="600"}'
Enter-PSSession -ComputerName Server2 -Credential $cred -Authentication credssp
However, I keep getting this error:
Enter-PSSession : Connecting to remote server Server2 failed
with the following error message : The WinRM client cannot process
the request. CredSSP authentication is currently disabled in the
client configuration. Change the client configuration and try the
request again. CredSSP authentication must also be enabled in the
server configuration. Also, Group Policy must be edited to allow
credential delegation to the target computer. Use gpedit.msc and look
at the following policy: Computer Configuration -> Administrative
Templates -> System -> Credentials Delegation -> Allow Delegating
Fresh Credentials. Verify that it is enabled and configured with an
SPN appropriate for the target computer. For example, for a target
computer name "myserver.domain.com", the SPN can be one of the
following: WSMAN/myserver.domain.com or WSMAN/*.domain.com For more
information, see the about_Remote_Troubleshooting Help topic
No matter what I try, I get this error. I have tried these techniques:
Allowed Delegating fresh credentials as well as NTLM fresh credentials in GPEdit.
I have tried the script present in This link
I have added user privileges in compmgmt.msc at
Remote Desktop Users
WinRMRemoteWMIUsers__
WSS_ADMIN_WPG
Remote Management Users
Can anyone suggest anything?
In order to run SharePoint commands remotely please follow the steps outlined in: Remote PowerShell to Manage SharePoint on-premises
Essentially, after enabling remoting, you have to enable CredSSP access in order for your credentials to be sent to the remote and local computer in order for you to run elevated commands.
On the server:
Enable-PSRemoting
Enable-WSmanCredSSP -Role Server
winrm set winrm/config/winrs '@{MaxShellsPerUser="25"}'
winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="600"}'
And on the client:
Enable-PSRemoting
Enable-WSmanCredSSP -Role Client -DelegateComputer "server2.contoso.com"
Then on the client you can enter the session:
Enter-PSSession -ComputerName server2 -Credential $cred -Authentication Credssp
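The client-side step from the answer above, as an added example that is not part of the original posts: it enables CredSSP delegation for one named host only, runs a read-only SharePoint check, and switches client delegation off again. The host name is the one used in the answer; running from an elevated prompt is assumed.

```powershell
# Added example, not from the original answer. Run elevated on the client.
# 'server2.contoso.com' is the delegate name used in the answer above.
$target = 'server2.contoso.com'
$cred   = Get-Credential   # prompt instead of embedding the password in the script

# Show the current CredSSP state. The question's error ("CredSSP authentication
# is currently disabled in the client configuration") corresponds to the client
# role not being enabled here.
Get-WSManCredSSP

# With CredSSP the remote server receives the user's credentials, so delegate
# to the single host that needs them rather than to a wildcard such as
# *.contoso.com.
Enable-WSManCredSSP -Role Client -DelegateComputer $target -Force | Out-Null

try {
    # Use the same name that was passed to -DelegateComputer.
    Invoke-Command -ComputerName $target -Credential $cred -Authentication Credssp -ScriptBlock {
        Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop
        # Read-only check that the farm is reachable from the remote session.
        Get-SPSolution | Select-Object Name, Deployed
    }
}
finally {
    # Turn client-side delegation back off once the step has run.
    Disable-WSManCredSSP -Role Client
}
```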

How does authentication work when using Invoke-Command?

I'm looking for a good reference to understand what actually happens behind the scenes of Invoke-Command. Does this retrieve the currently logged-on user context to run the command remotely? Say I'm a domain admin who has administrative rights on the target joined computers, so all I'd need to do is something like
Invoke-Command -ComputerName mypc -FilePath "C:\Script\stuff.ps"
Connecting to remote serve mypc failed with the following error
message : WinRM cannot complete the operation. Verify that the
specified computer name is valid, that the computer is accessible over
the network, and that a firewall exception for the WinRM service is
enabled and allows access from this computer. By default, the WinRM
firewall exception for public profiles limits access to remote
computers within the same local subnet.
If I try with the following code snippet I'm able to access to the pc
$so = New-PsSessionOption –SkipCACheck -SkipCNCheck
Enter-PSSession -ComputerName mypc -Credential contoso\admin -UseSSL -SessionOption $so -Authentication Kerberos
The error output from Invoke-Command seems to indicate that it uses WinRM, but I don't know the main difference between the first and the second one.

Remote Execution of a PowerShell script results in "The WinRM client cannot process the request. [...] HTTPS transport must be used [...]"

I have written a PowerShell script which uninstalls a program and installs a newer version of the program on my servers (Update Programs). Now I want to create another script which runs the aforementioned script on the servers. Consider that I have to connect to my servers using IPs, user name and password, and using a domain is not an option.
How is this possible?
PowerShell version is 4
I have tried this code to simply get date:
$User = "administrator"
$PWord = ConvertTo-SecureString -String "Password1234" -AsPlainText -Force
$Credential = New-Object -TypeName "System.Management.Automation.PSCredential" -ArgumentList $User, $PWord
$session = New-PSSession -ComputerName '10.60.60.100' -Credential $Credential
Invoke-Command -Session $session -ScriptBlock {Get-Date}
and I got this error:
New-PSSession : [10.60.60.100] Connecting to remote server 10.60.60.100 failed with the following error message : The WinRM client cannot process the request. If the authentication scheme is different from Kerberos, or if the client computer is not joined to a domain, then HTTPS transport must be used or the destination machine must be added to the TrustedHosts configuration setting. Use winrm.cmd to configure TrustedHosts. Note that computers in the TrustedHosts list might not be authenticated. You can get more information about that by running the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
This is because you’re not running your command from a trusted host, or because the remote computer's wsman service isn’t configured properly. I’d start by running the following command to configure wsman on the remote machine:
winrm quickconfig
If that doesn’t fix the problem, then you need to add your computer to the remote machine's trusted hosts. You can do that by running the following:
winrm s winrm/config/client '@{TrustedHosts="RemoteComputer"}'
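A scoped way to make the TrustedHosts change on the connecting machine, as an added example that is not part of the original answer: it inspects the current list, appends one address instead of overwriting the list or using "*", and leaves an existing wildcard untouched but flagged. The IP address is the one from the question; running elevated is assumed.

```powershell
# Added example, not from the original answer. Run elevated on the client
# (the machine that starts the session).
$target = '10.60.60.100'   # address from the question above
$path   = 'WSMan:\localhost\Client\TrustedHosts'

$current = (Get-Item $path).Value
"TrustedHosts before: '$current'"

$entries = @($current -split '\s*,\s*' | Where-Object { $_ })

if ($entries -contains '*') {
    # A wildcard means the client will send NTLM authentication to any host
    # without verifying it; nothing needs adding, but the setting is worth
    # narrowing to named hosts.
    Write-Warning 'TrustedHosts is "*"; consider replacing it with explicit hosts.'
}
elseif ($entries -notcontains $target) {
    # -Concatenate appends to the existing list instead of replacing it.
    Set-Item $path -Value $target -Concatenate -Force
}

"TrustedHosts after:  '$((Get-Item $path).Value)'"

# As the error text in the question notes, hosts in TrustedHosts might not be
# authenticated. An HTTPS listener with a certificate the client trusts
# (-UseSSL without -SkipCACheck/-SkipCNCheck) gives server authentication.
$cred = Get-Credential
Invoke-Command -ComputerName $target -Credential $cred -ScriptBlock { Get-Date }
```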

Get 'Access denied' on Invoke-Command for administrator

I have the following issue: I'm trying to run a remote command on my server (Windows Server 2012 R2) via a PowerShell command. The PowerShell script looks as follows:
$password = ConvertTo-SecureString $pass -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PsCredential($deployadmin,$password)
$scriptBlock1 = {Get-NetAdapter}
Invoke-Command -computername $server -Credential $credentials -scriptblock $scriptBlock1
and I get an 'Access is denied' error.
I've tried running Enable-PSRemoting on the server to allow remote connections.
I use credentials for a user that is an Administrator on that server.
The strange thing is that this command succeeds with the credentials of another user on this server; that user is also an Administrator.
What am I missing?
Thanks for any advice.
Update:
The command Test-WSMan $server succeeds.
I tried the command winrm quickconfig: the system suggested setting up remote access, and after the configuration, the Invoke-Command command was executed without errors.
I would be grateful if anyone could explain this behavior.
Fun!
When you execute winrm quickconfig the following happens:
Starts the WinRM service
Sets the WinRM service type to auto start
Creates a listener to accept requests on any IP address
Enables a firewall exception for WS-Management traffic (for http only)
This article has additional detail.
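To see which of those four settings is actually in place on a server before or after running winrm quickconfig, the following added example (not part of the original answer) reads each one back. It assumes Windows Server 2012 or later for Get-NetFirewallRule and an English-language firewall display group name.

```powershell
# Added example, not from the original answer. Run elevated on the server.

# 1 and 2: WinRM service state and start mode.
Get-CimInstance Win32_Service -Filter "Name='WinRM'" |
    Select-Object Name, State, StartMode

# 3: configured listeners (transport, bound address, port, enabled flag).
Get-ChildItem WSMan:\localhost\Listener | ForEach-Object {
    $props = Get-ChildItem $_.PSPath
    [pscustomobject]@{
        Listener  = $_.Name
        Transport = ($props | Where-Object Name -eq 'Transport').Value
        Address   = ($props | Where-Object Name -eq 'Address').Value
        Port      = ($props | Where-Object Name -eq 'Port').Value
        Enabled   = ($props | Where-Object Name -eq 'Enabled').Value
    }
}

# 4: firewall exceptions for WS-Management. The display group name below is
# the English one and is an assumption on localized systems.
Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' |
    Select-Object Name, Enabled, Profile, Direction, Action

# The Profile column shows which network profiles (Domain, Private, Public)
# each rule applies to; a rule that is disabled or limited to another profile
# leaves the listener unreachable even though the service is running.
```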

Remote Powershell scripting and Jenkins not working

I am having an issue running a remote script using Jenkins. I have installed the PowerShell plug-in and can run PowerShell scripts on the local build server, but when I try to run it on a remote server, it fails all the time. I can run the same script outside of Jenkins locally and remotely and it works just fine. My assumption is that there is a security setting I am missing but for the life of me, I can not find it.
Any insight/help would be greatly appreciated.
The code below runs using PowerShell on the server but not through Jenkins:
$ErrorActionPreference = 'Stop'
# Create a PSCredential Object using the "User" and "Password" parameters that you passed to the job
$SecurePassword = 'xxxxxxx' | ConvertTo-SecureString -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential -ArgumentList 'ci-user', $SecurePassword
# Invoke a command on the remote machine.
# It depends on the type of job you are executing on the remote machine as to if you want to use "-ErrorAction Stop" on your Invoke-Command.
Invoke-Command -ComputerName xxx.xx.xx.xxx -Credential $cred -ScriptBlock {
# Restart the W32Time service
Restart-Service -Name W32Time
}
The error below is what I get when I run it in Jenkins. I am using the same username and password when I run it outside of Jenkins and works:
Connecting to remote server xxx.xx.xx.xxx failed with the
following error message : WinRM cannot process the request. The following
error with errorcode 0x8009030d occurred while using Negotiate authentication:
A specified logon session does not exist. It may already have been terminated.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are
specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does
not exist.
-The client and remote computers are in different domains and there is no
trust between the two domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM
TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following command:
winrm help config. For more information, see the about_Remote_Troubleshooting
Help topic.
At C:\Windows\TEMP\jenkins3589460126620702793.ps1:12 char:1
+ Invoke-Command -ComputerName xxx.xx.xx.xxx -Credential $cred -ScriptBlock {
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OpenError: (xxx.xx.xx.xxx:String) [], PSRemoting
TransportException
+ FullyQualifiedErrorId : 1312,PSSessionStateBroken
This could be caused by a few different issues:
Are your remote machine and connecting machine on the same domain? If not, verify the domain of your ci-user and retry.
$cred = New-Object System.Management.Automation.PSCredential -ArgumentList 'connectingserver/ci-user', $SecurePassword
Is WinRM enabled on your remote server, is the WinRM service running, are you set up to allow the appropriate remoting? Follow these steps to verify: https://technet.microsoft.com/en-us/library/ff700227.aspx?f=255&MSPPError=-2147217396
Are both the remote and connecting server set up with the same authentication method? You will want to use either Kerberos or CredSSP. I would consider CredSSP only if you are trying to solve the Double-Hop issue.
I found the error of my ways but hopefully this answer will help anyone else that encounters it.
The problem was that the user I am using is a local user and it needs to be treated as a workgroup user. So instead of ci-user, I needed to pass it as \ci-user. Once I did this, it works like a charm.
Thank you for all your input.