I have three windows 2008 R2 servers; DEV, UAT and Live. I am deploying web apps between these servers, including IIS setup and config and database backup and restore via a PowerShell script. I use a powershell remote session.
I would like to prevent any machine, other than my deployment machine, from creating a powershell remote session on the host, even if the user is authenticated. Is this possible?
I have looked extensively through the PSRemoting documentation and can't find anything helpful.
Thanks in advance
Read the below link to better understand what needs to be done but I think you need to set the trusted host on the remote servers.
http://blogs.dirteam.com/blogs/sanderberkouwer/archive/2008/02/23/remotely-managing-your-server-core-using-winrm-and-winrs.aspx
This is an excerp from the blog.
On the Windows server Core box
Run the following commands on the console of the Server Core box to lower security:
WinRM set winrm/config/service/auth #{Basic="true"}
WinRM set winrm/config/client #{TrustedHosts="<local>"}
WinRM set winrm/config/client #{TrustedHosts="RemoteHost"}
Where RemoteHost is the host you want to be able to connect to the server.
You can also use certificate-based authentication.
http://blogs.msdn.com/b/wmi/archive/2009/03/23/how-to-use-wsman-config-provider-for-certificate-authentication.aspx
If you only want your computer to be able to connect, install the certificate on your computer and don't give it to anyone else.
Related
I set up the remote development over SSH from my windows 10 machine to one of our new Windows 2022 servers. This due the fact that I need to use an other account with extra permissions to be able to run the script on the server.
Everything works fine, I can do 'remote development' over SSH with the other account and write & test powershell code on the server.
When I try to contact an external source in my script (like a fileshare or SQL), I noticed the dreaded "Double-hop" problem pops up.
As the first hop is SSH and not a real WinRM session, I thought this wouldn't be a problem?
Can I force VsCode/Powershell to not see the SSH connection as the first hop?
Or is this something Microsoft changed/enforced for security reasons?
By the way, I'm using Powershell 7 on both client and server
Whether SSH or WinRM, it's the OS on the first jump box that knows this is a remote session. If you want to be able to pass credentials off to a second box you'll need to look into enabling CredSSP.
To enable on your Windows server:
Enable-WSManCredSSP -Role server -Force -ErrorAction Stop
This should then allow you to access secondary servers. We do this to support a number of things; example: remoting into box A, and making box A grab some software from box B to do an install.
Always disable CredSSP afterwards:
Disable-WSManCredSSP -Role server -ErrorAction Stop
I have an on-premises network and an Azure virtual network that are connected together via a gateway.
With this setup, all machines (on-premises and Azure) are joined to the domain which allows me remote access to the administrative shares as well as remote Powershell sessions on each machine in the Azure virtual network from machines in my office. For example, I can simply open up Windows Explorer and type in the address bar \\machinename\c$ or I can open a remote Powershell session by using the command $Session = New-PSSession -ComputerName machinename.
This works perfectly for one of my Azure subscriptions, but on another Azure subscription that appears to be configured identically, the remote Powershell command is failing with error:
New-PSSession : [machinename] Connecting to remote server machinename failed with the following error message : WinRM cannot process the request. The following error occurred while
using Kerberos authentication: Cannot find the computer machinename. Verify that the computer exists on the network and that the name provided is spelled correctly. For more information,
see the about_Remote_Troubleshooting Help topic.
When I look in DNS on the Azure domain controller, the machine that I am trying to connect to exists. When I look in DNS on-premises, the machine is missing. What it looks like to me is a replication problem between the two domain controllers.
The first thing that is likely to be suggested is to start looking at WinRM configurations on the client machine. To be clear, the same machine is able to connect successfully to machines in a virtual network in a different Azure subscription so it is very unlikely that anything on the client machine needs to be changed. Nevertheless, I Googled the Kerberos error with remote Powershell and have checked that the TrustedHosts setting on the client is set to *.
Interestingly enough, I can successfully open a remote Powershell session from a machine in the Azure subscription to a machine in my office, I just can't go the other direction....from Azure to my office. This would seem to indicate maybe a one-way trust instead of two-way, but I am not sure how to verify this.
I ran the tool and it is reporting that everything is working with regard to replication.
So I guess what I am wondering is if this is truly a replication issue or if someone can give me an idea of what the problem might really be.
Edit 1
Now it looks like the domain controller in the Azure network is replicating just fine but any other VM that I add to the Azure network is not replicating. Based on this I will guess that the replication is working, but it would seem it only works for the domain controller and not any other machine. I have no idea what that means.
Based on the error message, it seems that the DNS records on Azure domain controller are not replicated to the on-premises domain controller.
To verify this, you can run the command below on the on-premises machine, and use the IP address as the value of parameter -ComputerName instead of the machine name. The PowerShell session should be established successfully if this is a DNS issue.
New-PSSession -ComputerName IP address of server on Azure
Also, you can run the following commands on the domain controllers to check the replication status.
repadmin /kcc
repadmin /replisummlry
If the output of commands are successfully, you can run the following command to replicate manually, and check the DNS again.
repadmin /syncall
Finally, to check the trust relationship, you can refer to the following link for step-by-step guide.
https://technet.microsoft.com/en-us/library/cc753821(v=ws.11).aspx
Update
Based on the new information you provided, I would recommend to check the type of DNS zone on the Azure DNS server. Please make sure the type is Primary zone, and store the zone in Active Directory.
You can check this by using the DNS Manager.
I'm looking for help to properly configure PowerShell Remoting for non-admins on a group of servers. Right now we have a working configuration that allows Admin Domain accounts to successfully connect to the servers with no error. The authentication method we are using is Credssp, using SSL and this works perfectly for a Domain admin account.
On the other hand I have this User Domain Account userTest. This account is mapped to a Domain Group that maps locally (on each server) to the Remote Desktop User Groups. This allows for this user to RDP successfully to this server but has no administrator privileges. It is going to stay that way and it is not an option to make it Local Administrator.
The purpose of this user is to allow non-admin accounts to execute a set of scripts against the server using a Restricted Session, which connecting with a Domain Admin Account. The problem comes when I'm trying to connect with the userTest account. The server responds with a Access is Denied error:
[ServerA] Connecting to remote server ServerA failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
+ CategoryInfo : OpenError: (ServerA:String) [], PSRemotingTransportException
+ FullyQualifiedErrorId : AccessDenied,PSSessionStateBroken
Going trough the Analytic EventLogs I found an error message as follows:
The WSMan service could not launch a host process to process the given request. Make sure the WSMan provider host server and proxy are properly registered.
This is the configuration that I have already setup:
Created a PSSessionConfiguration named RemoteDesktopUsers
Register-PSSessionConfiguration -Name RemoteDesktopUsers -StartupScript C:\Start.ps1
Set-PSSessionConfiguration -Name RemoteDesktopUsers -ShowSecurityDescriptorUI
(Added Remote Desktop Users group to this SessionConfiguration)
So yeah, basically from what I have already Googled, this should be all the necessary configuration that you need to able to PSRemote with non-admin accounts. As I already mentioned using a Domain Admin Account connecting to this SessionConfiguration works fine, so I was thinking that I'm missing some kind of permission/privilege/SDDL that allows this user to access:
Windows Server 2008 R2 SP1
Powershell 4.0
Winrm ProductVersion = OS: 6.1.7601 SP: 1.0 Stack: 3.0
You're probably running into this problem because of using CredSSP
Any particular reason you have to use CredSSP? The most popular use of CredSSP is provided for situations in which you need to configure a jump server to remote from one machine, into another, and from there out again to another server. It's well-known as Second-Hop funtionality and is such a huge security hole that the CredSSP is kind of a pain to configure, intentionally.
You have to configure CredSSP in three places, once on your machine from which you'll be remoting, then again on the machine you'll be jumping to, and finally on each machine you'll be connecting to from the jump server.
If you really have to use CredSSP, follow this great guide here on The Scripting Guy's blog.
If you don't need CredSSP
Try this whole process using Default/WSman authorization, and I bet the problems will go away.
When deploying on Azure via REST API a VM with Windows2008-SQL-Server template, we need to configure WinRM with a powershell script to enable basic auth. For doing so we use the Azure extension 'CustomScriptExtension' that loads a script from our blobstorage and runs it.
The script's output has errors and Powershell doesn’t respond on port 5985.
We use the SQL-Server-2008R2-SP2-10.50.4319.0-Standard-ENU-Win2008R2 template.
In the deployment we set a listener that uses as protocol ‘Http’.
We open the 5985 port and at the end of the VM provisioning we are able to open a socket on it.
Code:
winrm quickconfig -q
winrm set winrm/config/winrs '#{MaxMemoryPerShellMB="300"}'
winrm set winrm/config '#{MaxTimeoutms="1800000"}'
winrm set winrm/config/service '#{AllowUnencrypted="true"}'
winrm set winrm/config/service/auth '#{Basic="true"}'
For each script's command we have the following error:
Message = Access is denied. \\n\\nError number: -2147024891 0x80070005\\nAccess is denied.
Once the provisioning of the VM is done, we can log in using Remote Desktop and if we launch the powershell script from there, it perfectly works.
After some research we have found this article that proposes a possible solution, but the problem with it is that it exposes a security issue, because the script needs an admin password as parameter.
We are looking for other advice or for a workaround. We are working with a full automated workflow so sadly “hand-made solutions” are not an option for us. Thanks in advance for any help.
I've done this to make the Chef client bootstrap work on an Azure Windows VM. In my case, in addition to what you've done, I had to open 5985 on the Windows Firewall and enable the 5985 endpoint on the cloud service. It was a PITA, but it got the job done.
I need your help, any idea is welcome.
[skipable]
Here's the situation : i was working on a VM hosted in Microsoft cloud (Azure), everything was fine. This VM was supposed to be a Domain Controller (Active Directory), which was link to many VMs (i was working on grid computing with many compute nodes). Everything was setup correctly. The next step was to host a WCF service on a IIS server accessible through https. Therefore i opened port 443 on firewall as well as an valid endpoint for the VM (azure portal). From there things get weird. Opening endpoint 443 on the azure portal didn't work as expected, i needed to reboot the VM. Then i cannot access through RDP connection anymore :-(. However i succeed to take control of the VM via powershell remoting.
[Question]
How can i restore rdp connection via powershell remoting ONLY ? I tried to disabled firewall, open port 3389, capture an image of the vm to recreate it etc.. but nothing worked. Any idea ? i don't want to loose all my work, my fresh service etc..
Thanks you!