I'm writing a PowerShell v2 script that I'd like to run against a remote server. When I run it, I get the error:
Connecting to remote server failed with the following error message : The WinRM client cannot process the request. Unencrypted traffic is currently disabled in the client configuration. Change the client configuration and try the request again. For more information, see the about_Remote_Troubleshooting Help topic.
I looked at the online help for about_Remote_Troubleshooting, but it didn't point me towards how to enable unencrypted traffic. Below is the script that I'm using that is causing me problems.
Note: I have already run Enable-PSRemoting on the remote machine to allow it to accept incoming requests.
I have tried to use a session option variable, but it doesn't seem to make any difference.
$key = "HKLM:\SOFTWARE\Microsoft\PowerShell\1\ShellIds"
Set-ItemProperty $key ConsolePrompting True
$tvar = "password"
$password = ConvertTo-SecureString -string $tvar -asPlainText -force
$username="domain\username"
$mySessionOption = New-PSSessionOption -NoEncryption
$credential = New-Object System.Management.Automation.PSCredential($username,$password)
invoke-command -filepath C:\scripts\RemoteScript.ps1 -sessionoption $mySessionOption -authentication digest -credential $credential -computername RemoteServer
How do I enable unencrypted traffic?
AllowEncrypted is defined on the client end, via the WSMAN: drive. You must be running powershell.exe (or powershell_ise.exe) as an elevated process.
ps> cd WSMan:\localhost\Client
ps> dir
Name               Value
----               -----
NetworkDelayms     5000
URLPrefix          wsman
AllowUnencrypted   false
Auth
DefaultPorts
TrustedHosts
You would change it like so (after changing to the directory above):
Set-Item .\allowunencrypted $true
Hope this helps,
Oisin
You probably will need to set the AllowUnencrypted config setting in both the Client and the Service. The Service setting has to be changed in the remote server using the following:
set-item -force WSMan:\localhost\Service\AllowUnencrypted $true
And don't forget to also enable Digest Authorization:
set-item -force WSMan:\localhost\Service\Auth\Digest $true
You can allow unencrypted traffic on the client with the following command (execute it on the client):
winrm set winrm/config/client '@{AllowUnencrypted="true"}'
To verify, you can get the whole config (client and service) with this command:
winrm get winrm/config
Be aware that each machine has two configs (one for being a client, one for being a server). To allow unencrypted traffic on the server, execute the following command on the server:
winrm set winrm/config/service '@{AllowUnencrypted="true"}'
This worked for me:
enable-wsmancredssp -role server
If the parameter AllowUnencryptedTraffic is under GPO, you can set it through the registry:
$RegPath = 'HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client'
$RegUnencryptedTraffic = 'AllowUnencryptedTraffic'
$RegValue = '1'
Set-ItemProperty -Path $RegPath -Name $RegUnencryptedTraffic -Value $RegValue
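To see which of the settings changed in the answers above are currently active on a machine, here is a read-only audit, added as an example and not taken from any of the posts. It assumes PowerShell 3.0 or later and an elevated session; the function name Get-WinRMExposure is hypothetical.

```powershell
# Added example: read-only audit of the WinRM settings discussed in this thread.
# Run in an elevated PowerShell session on the machine being checked.
function Get-WinRMExposure {
    # WSMan: drive settings changed in the answers, plus the CredSSP switches.
    $paths = @(
        'WSMan:\localhost\Client\AllowUnencrypted',
        'WSMan:\localhost\Service\AllowUnencrypted',
        'WSMan:\localhost\Client\Auth\CredSSP',
        'WSMan:\localhost\Service\Auth\CredSSP',
        'WSMan:\localhost\Client\TrustedHosts'
    )
    foreach ($path in $paths) {
        $item = Get-Item -Path $path -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            [pscustomobject]@{ Setting = $path; Value = '<not present>'; Review = $false }
            continue
        }
        $value = [string]$item.Value
        # Flag anything that weakens transport or authentication:
        # a boolean switch set to true, or a non-empty TrustedHosts list.
        $review = if ($path -like '*TrustedHosts') { $value -ne '' } else { $value -eq 'true' }
        [pscustomobject]@{ Setting = $path; Value = $value; Review = $review }
    }

    # Group Policy value from the last answer; a policy-set value takes
    # precedence over the local WSMan: setting.
    $policyKey = 'HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client'
    $policy = Get-ItemProperty -Path $policyKey -Name 'AllowUnencryptedTraffic' -ErrorAction SilentlyContinue
    if ($policy) {
        [pscustomobject]@{
            Setting = "$policyKey\AllowUnencryptedTraffic"
            Value   = [string]$policy.AllowUnencryptedTraffic
            Review  = ($policy.AllowUnencryptedTraffic -eq 1)
        }
    }
}

Get-WinRMExposure | Format-Table -AutoSize
```

Rows with Review set to True are the ones to revert once the remoting task that needed them is finished.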
Related
I am trying to do something straightforward, use PowerShell Invoke-Command from an Azure Function. The destination machine is in my Azure subscription and in the same virtual network. The code below fails with the error below.
A difficulty is that Azure Functions are "serverless" so when I try various solutions, such as setting the local TrustedHosts file, it fails because there is no such file.
I want to use the simplest method that is reasonably secure. I tried various other authentication schemes with no luck.
using namespace System.Net
# Input bindings are passed in via param block.
param($Request, $TriggerMetadata)
$adminName = 'chuck-admin'
$adminPassword = 'XXXXXXX'
$secPassword = ConvertTo-SecureString $adminPassword -AsPlainText -Force
$vmCreds = New-Object System.Management.Automation.PSCredential ($adminName, $secPassword)
$vmReturn = Invoke-Command -ComputerName chuck-vm-3 -Credential $vmCreds -ScriptBlock{whoami}
Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
StatusCode = [HttpStatusCode]::OK
Body = $vmReturn
})
System.Management.Automation.Remoting.PSRemotingTransportException:
Connecting to remote server chuck-vm-3 failed with the following error message :
The WinRM client cannot process the request. If the authentication scheme is different from Kerberos, or if the client computer is not joined to a domain, then HTTPS transport must be used or the destination machine must be added to the TrustedHosts configuration setting.
Use winrm.cmd to configure TrustedHosts. Note that computers in the TrustedHosts list might not be authenticated.
You can get more information about that by running the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
I am trying to remotely deploy wsp file present in server2 by running a powershell script in server1.
I am able to successfully log in to the server2 through server1 using the below command:
$password = ConvertTo-SecureString "password" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("username",$password)
but I am not able to deploy the wsp file. This is the code that I tried:
Enter-PSSession -ComputerName server2 -Credential $cred
Add-PSSnapin Microsoft.Sharepoint.Powershell -EA 0
Update-SPSolution -Identity TechSoup.Web.wsp -LiteralPath "C:\Program Files ...Debug\Some.wsp" -GacDeployment
I have also tried to put the above code in a script, save it and run the script remotely.
This is the error that I am getting. I believe it is because I don't have admin privileges; I can say this because when I run the deployment code from server2 as admin, the wsp file gets deployed. So, how can I get admin privileges remotely? The user has the admin privileges; all I need to do is run it with elevated privileges (like right-click and run as admin, but programmatically).
Update-SPSolution : Cannot access the local farm. Verify that the
local farm is properly configured, currently available, and that you
have the appropriate permissions to access the database before trying
again
EDIT
I have tried the below script code in admin mode in powershell:
$password = ConvertTo-SecureString "serverpassword" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("userName",$password)
Enable-PSRemoting
Enable-WSmanCredSSP -Role Server
winrm set winrm/config/winrs '@{MaxShellsPerUser="25"}'
winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="600"}'
Enter-PSSession -ComputerName Server2 -Credential $cred -Authentication credssp
However, I keep getting this error:
Enter-PSSession : Connecting to remote server Server2 failed
with the following error message : The WinRM client cannot process
the request. CredSSP authentication is currently disabled in the
client configuration. Change the client configuration and try the
request again. CredSSP authentication must also be enabled in the
server configuration. Also, Group Policy must be edited to allow
credential delegation to the target computer. Use gpedit.msc and look
at the following policy: Computer Configuration -> Administrative
Templates -> System -> Credentials Delegation -> Allow Delegating
Fresh Credentials. Verify that it is enabled and configured with an
SPN appropriate for the target computer. For example, for a target
computer name "myserver.domain.com", the SPN can be one of the
following: WSMAN/myserver.domain.com or WSMAN/*.domain.com For more
information, see the about_Remote_Troubleshooting Help topic
No matter what I try, I get this error. I have tried these techniques:
Allowed Delegating fresh credentials as well as NTLM fresh credentials in GPEdit.
I have tried the script present in This link
I have added user privileges in compmgmt.msc at
Remote Desktop Users
WinRMRemoteWMIUsers__
WSS_ADMIN_WPG
Remote Management Users
Can anyone suggest anything?
In order to run SharePoint commands remotely please follow the steps outlined in: Remote PowerShell to Manage SharePoint on-premises
Essentially, after enabling remoting, you have to enable CredSSP access in order for your credentials to be sent to the remote and local computer in order for you to run elevated commands.
On the server:
Enable-PSRemoting
Enable-WSmanCredSSP -Role Server
winrm set winrm/config/winrs '@{MaxShellsPerUser="25"}'
winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="600"}'
And on the client:
Enable-PSRemoting
Enable-WSmanCredSSP -Role Client -DelegateComputer "server2.contoso.com"
Then on the client you can enter the session:
Enter-PSSession -ComputerName server2 -Credential $cred -Authentication Credssp
I have written a PowerShell script which uninstalls a program and installs a newer version of the program on my servers (Update Programs). Now I want to create another script which runs the aforementioned script on the servers. Consider that I have to connect to my servers using IPs, a username and a password, and using a domain is not an option.
How is this possible?
PowerShell version is 4
I have tried this code to simply get date:
$User = "administrator"
$PWord = ConvertTo-SecureString -String "Password1234" -AsPlainText -Force
$Credential = New-Object -TypeName "System.Management.Automation.PSCredential" -ArgumentList $User, $PWord
$session = New-PSSession -ComputerName '10.60.60.100' -Credential $Credential
Invoke-Command -Session $session -ScriptBlock {Get-Date}
and I got this error:
New-PSSession : [10.60.60.100] Connecting to remote server 10.60.60.100 failed with the following error message : The WinRM client cannot process the request. If the authentication scheme is different from Kerberos, or if the client computer is not joined to a domain, then HTTPS transport must be used or the destination machine must be added to the TrustedHosts configuration setting. Use winrm.cmd to configure TrustedHosts. Note that computers in the TrustedHosts list might not be authenticated. You can get more information about that by running the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
This is because you're not running your command from a trusted host, or because the remote computer's wsman service isn't configured properly. I'd start by running the following command to configure wsman on the remote machine:
winrm quickconfig
If that doesn't fix the problem, then you need to add your computer to the remote machine's trusted hosts. You can do that by running the following:
winrm s winrm/config/client '@{TrustedHosts="RemoteComputer"}'
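The error message in the question notes that computers in the TrustedHosts list might not be authenticated, so it helps to keep an entry only for as long as it is needed. The following is an added example, not part of the answer above: it appends one host to the client's list, runs the remote command, and restores the previous list. The helper name Invoke-WithTemporaryTrustedHost is hypothetical, and the code assumes PowerShell 3.0 or later in an elevated session on the client.

```powershell
# Added example: trust one host only for the duration of a remote command.
# Invoke-WithTemporaryTrustedHost is a hypothetical helper name; run elevated on the client.
function Invoke-WithTemporaryTrustedHost {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [Parameter(Mandatory = $true)][scriptblock]$ScriptBlock,
        [Parameter(Mandatory = $true)][System.Management.Automation.PSCredential]$Credential
    )
    $trustedHostsPath = 'WSMan:\localhost\Client\TrustedHosts'
    $original = [string](Get-Item -Path $trustedHostsPath).Value
    $alreadyTrusted = ($original -split ',' | ForEach-Object { $_.Trim() }) -contains $ComputerName

    try {
        if (-not $alreadyTrusted) {
            # -Concatenate appends to the list; a plain Set-Item (or the
            # "winrm s" command in the answer) replaces every existing entry.
            Set-Item -Path $trustedHostsPath -Value $ComputerName -Concatenate -Force
        }
        Invoke-Command -ComputerName $ComputerName -Credential $Credential -ScriptBlock $ScriptBlock
    }
    finally {
        # Restore the list exactly as it was, even if the remote call failed.
        if (-not $alreadyTrusted) {
            Set-Item -Path $trustedHostsPath -Value $original -Force
        }
    }
}

# Constructed usage: prompt for the password instead of embedding it in the script.
$cred = Get-Credential -Message 'Account on 10.60.60.100'
Invoke-WithTemporaryTrustedHost -ComputerName '10.60.60.100' -Credential $cred -ScriptBlock { Get-Date }
```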
I have the following issue: I am trying to run a remote command on my server (Windows Server 2012 R2) via a PowerShell command. The PowerShell script looks as follows:
$password = ConvertTo-SecureString $pass -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PsCredential($deployadmin,$password)
$scriptBlock1 = {Get-NetAdapter}
Invoke-Command -computername $server -Credential $credentials -scriptblock $scriptBlock1
and I get an 'Access is denied' error.
I've tried running Enable-PSRemoting on the server to allow remote connections.
I use credentials for a user that is an Administrator on that server.
The strange thing is that this command succeeds with the credentials of another user on this server; that user is also an Administrator.
What am I missing?
Thanks for any advice.
Update:
The command Test-WSMan $server succeeds.
I tried the command winrm quickconfig; the system suggested setting up remote access, and after the configuration the Invoke-Command command executed without errors.
I would be grateful if anyone would explain this behavior
Fun!
When you execute winrm quickconfig the following happens:
Starts the WinRM service
Set the WinRM service type to auto start
Create a listener to accept requests on any IP address
Enable firewall exception for WS-Management traffic (for http only)
This article has additional detail.
I am trying to use CREDSSP on a New Server (Server C)
I have successfully setup credssp on Two Other Servers. (Server A to Server B)
I am now trying to connect from Server A to Server C using CREDSSP, but no matter what I do, I get the following error:
[SERVER_C.domain.edu] Connecting to remote server SERVER_C.domain.edu failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
+ CategoryInfo : OpenError: (SERVER_C.domain.edu:String) [], PSRemotingTransportException
+ FullyQualifiedErrorId : AccessDenied,PSSessionStateBroken
This is my query that works perfectly from Server A to Server B:
# Setting the Credentials to be used to sign into the Server B.
$pass = ConvertTo-SecureString "Password" -asplaintext -force
$mycred = new-object -typename System.Management.Automation.PSCredential -argumentlist "domain\user.service",$pass
#
#
# The Remote Execution Command. Fully Qualified Domain name is critical since we are using Credssp.
# Credssp is being used to resolve an issue with a double hop authentication issue. Other steps setup on each computer had to be completed before Credssp would work
Invoke-Command -ComputerName SERVER_B.domain.edu -command { C:\helloWorld.ps1 } -Authentication Credssp -Credential $mycred
I have double-checked everything I can think of between Server C (New Server) and Server B (Old Server) and I can't find any reason why I'm getting the error.
I know that if I take out the CREDSSP part, The script works, except where a double hop is involved. So the Server is definitely connecting.
I made sure to run the following commands:
Enable-psremoting
Set-ExecutionPolicy -Scope localMachine -ExecutionPolicy RemoteSigned
Enable-WSManCredSSP -Role Client -DelegateComputer '*.reskit.org' -Force
Enable-WSManCredSSP -Role Server -Force
wsman
Also followed these steps: Use gpedit.msc and look at the following policy: Computer Configuration -> Administrative Templates -> System -> Credentials Delegation -> Allow Delegating Fresh Credentials. Verify that it is enabled and configured with an SPN appropriate for the target computer. For example, for a target computer name "myserver.domain.com", the SPN can be one of the following: WSMAN/myserver.domain.com or WSMAN/*.domain.com. For more information, see the about_Remote_Troubleshooting Help topic.
And as I mentioned, I know Server A is setup correctly, because I run the script above to Server B without issue.
Any suggestions would really be appreciated.
The only thought I have is that Server A and B are running Powershell 3 and Server C is running Powershell 5
I notice that the Enable-WSManCredSSP -Role Client command uses *.reskit.org instead of *.domain.eu.(?)
To me it's not completely clear which commands were run at the server or at the client, but they look OK at first sight. I recently configured credssp also to solve the double hop problem, as follows:
On the server:
Enable-WSManCredSSP -Role Server -Force
Get-WSManCredSSP shows: The machine is not configured to allow delegating fresh credentials. This computer is configured to receive credentials from a remote client computer.
On the client:
winrm quickconfig
Enable-WSManCredSSP -role client *.mydomain.com
Get-WSMancredSSP shows:
The machine is configured to allow delegating fresh credentials to the following target(s): wsman/*.mydomain.com. This computer is not configured to receive credentials from a remote client computer.
My clientside script starts an explicit remote session via:
$session = New-PSSession -Computer $computerName -Credential $credential -Authentication Credssp