Tuesday, August 21, 2012

Enabling PowerShell Remoting

I manage a bunch of SharePoint farms and have finally gotten around to setting up PowerShell Remoting to streamline some of my maintenance tasks.

Following the post Enable and Use Remote Commands in Windows PowerShell, I ran the following on my remote servers:
Enable-PSRemoting -force

From my client machine, I tried the following:
$computername="MyComputerName"
$credential="MyCredential"
Enter-PSSession -Computername $computername -Credential $credential

This resulted in the following error:

Enter-PSSession : Connecting to remote server failed with the following error message : WinRM cannot process the request. The following error occured while using Kerberos authentication: The network path was not found.
 Possible causes are:
  -The user name or password specified are invalid.
  -Kerberos is used when no authentication method and no user name are specified.
  -Kerberos accepts domain user names, but not local user names.
  -The Service Principal Name (SPN) for the remote computer name and port does not exist.
  -The client and remote computers are in different domains and there is no trust between the two domains.
 After checking for the above issues, try the following:
  -Check the Event Viewer for events related to authentication.
  -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
 Note that computers in the TrustedHosts list might not be authenticated.
   -For more information about WinRM configuration, run the following command: winrm help config. For more information,
 see the about_Remote_Troubleshooting Help topic.

I verified that my firewall was allowing the WinRM ports.

I set my trusted hosts on my remote servers using:
winrm s winrm/config/client '@{TrustedHosts="MyComputerName"}'

I then came across this post on how to enable Remote PSSession over SSL. I have a wildcard certificate for my domain. Modifying the script ever so slightly, I ran the following to enable HTTPS and disable HTTP transport:
winrm create winrm/config/listener?Address=*+Transport=HTTPS `@`{Hostname=`"MyCertificateIssuedTo`"`; CertificateThumbprint=`"MyCertificateThumbprint`"`}
netsh advfirewall firewall add rule name="Windows Remote Management (HTTPS-In)" protocol=TCP dir=in localport=5986 action=allow
winrm set winrm/config/Listener?Address=*+Transport=HTTP `@`{Enabled=`"false`"`}
netsh advfirewall firewall set rule name="Windows Remote Management (HTTP-In)" new enable=no

Now I get the following error:

Enter-PSSession : Connecting to remote server failed with the following error message : The server certificate on the destination computer (MyComputerName) has the following errors:
The SSL certificate contains a common name (CN) that does not match the hostname. For more information, see the about_Remote_Troubleshooting Help topic.


Aha! Progress! Now looking at the Securing WinRM thread, I try the -SkipCACheck and -SkipCNCheck Session Options as described. Now I get the following error:

Enter-PSSession : Cannot bind parameter 'SessionOption'. Cannot convert the "Microsoft.WSMan.Management.SessionOption" value of type "Microsoft.WSMan.Management.SessionOption" to type "System.Management.Automation.Remoting.PSSessionOption".


It looks like some types have changed since that thread was posted. So, I used the following instead:

Enter-PSSession -ComputerName $computername -Credential $credential -UseSSL -SessionOption (New-PSSessionOption -SkipCACheck -SkipCNCheck)


Success!
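
The -SkipCACheck and -SkipCNCheck options make the client accept the listener's certificate without validating its issuer or its name, so the session is encrypted but the server is not authenticated. As an added example (not part of the original post), this PowerShell function reports which check actually fails for a host so the certificate or the name used to connect can be corrected; the function name Test-WinRMCertificate and the host name in the usage comment are hypothetical.

```powershell
# Added example (not from the original post). Reports which certificate check
# fails for a WinRM HTTPS listener so it can be fixed rather than skipped.
function Test-WinRMCertificate {
    param(
        [Parameter(Mandatory = $true)] [string] $ComputerName,  # name you would pass to Enter-PSSession
        [int] $Port = 5986                                       # WinRM HTTPS port opened earlier on this page
    )
    $state = @{ Errors = $null }
    # Record the validation result, then accept so the handshake completes and
    # the certificate can be read. No credentials or data are sent on this stream.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] ({
        param($source, $certificate, $chain, $policyErrors)
        $state.Errors = $policyErrors
        return $true
    }.GetNewClosure())

    $tcp = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $tcp.Connect($ComputerName, $Port)
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList @($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($ComputerName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
        # Subject Alternative Name extension (OID 2.5.29.17), if the certificate has one
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $nameMismatch = [System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch
        $chainErrors  = [System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors
        New-Object PSObject -Property @{
            ComputerName           = $ComputerName
            Subject                = $cert.Subject
            SubjectAlternativeName = if ($san) { $san.Format($false) } else { '' }
            Thumbprint             = $cert.Thumbprint
            NotAfter               = $cert.NotAfter
            NameMatches  = -not ($state.Errors -band $nameMismatch)  # False: -SkipCNCheck would hide this
            ChainTrusted = -not ($state.Errors -band $chainErrors)   # False: -SkipCACheck would hide this
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
}
# Constructed usage (hypothetical host name): connect with full validation once both checks pass.
# $check = Test-WinRMCertificate -ComputerName 'server01.example.com'
# if ($check.NameMatches -and $check.ChainTrusted) {
#     Enter-PSSession -ComputerName $check.ComputerName -Credential (Get-Credential) -UseSSL
# }
```

A name mismatch typically means the session was opened with a short name or IP address that the certificate does not list; a chain error means the client does not trust the issuing CA.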

4 comments:

  1. Exactly what I was looking for! Thanks for posting this! My use case was creating an Azure VM that is deployed into VNET and domain joined to our corporate network. Azure VMs are preconfigured for PS Remoting over SSL only, but I wanted to connect to them via the VPN and IP. The -SkipCACheck and -SkipCNCheck were the magic I needed. Thanks again.

  2. Hi, I want to use a wildcard certificate (*.domain.com), but it doesn't work:
    C:\>winrm create winrm/config/listener?Address=*+Transport=HTTPS @{Hostname="*.domain.com"; CertificateThumbprint="308b44f3cc968dfe5c493eca031913689e76ab24"}

    WSManFault
    Message
    ProviderFault
    WSManFault
    Message = The function: "HttpSetServiceConfiguration" failed une
    xpectedly. Error=1312.

    Error number: -2147023584 0x80070520
    A specified logon session does not exist. It may already have been terminated.


    When I create a certificate with CN=computername, it works, but not with a wildcard certificate. How do you use it?

    Thanks

    Replies
    1. I am not sure. I am not an expert on winrm or anything else for that matter :-)
      Could it have to do with escaping special characters in your shell?
      Also, I found this, but I am not sure if it helps: http://support.microsoft.com/kb/981506

  3. Thanks dude!!! That was it!
