Cross Domain PowerShell Remoting [Fail]
I tried to run our PowerShell environment configuration scripts today and got hit with a nasty error. I double checked my credentials so I know that wasn’t the issue. The scripts worked just a month ago, but we did have some stupid security software installed on our workstations that may be adjusting how remoting works. Let’s see if I can get around it before I open a ticket and start complaining.
Here is the error. This results from a simple call to New-PSSession. The other server is in another domain, but like I said this has been working just fine.
New-PSSession : [agpjaxd1pciapp1] Connecting to remote server agpjaxd1pciapp1 failed with the following error message : WinRM cannot process the request. The following error with errorcode 0x80090311 occurred while using Kerberos authentication: There are currently no logon servers available to service the logon request.
Possible causes are:
  -The user name or password specified are invalid.
  -Kerberos is used when no authentication method and no user name are specified.
  -Kerberos accepts domain user names, but not local user names.
  -The Service Principal Name (SPN) for the remote computer name and port does not exist.
  -The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
  -Check the Event Viewer for events related to authentication.
  -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
  Note that computers in the TrustedHosts list might not be authenticated.
  -For more information about WinRM configuration, run the following command: winrm help config.
For more information, see the about_Remote_Troubleshooting Help topic.
After I read this, I just stared at this for about 5 minutes; deer in the headlights.
I found some hope on the PowerShell Scripter’s friend, “Hey Scripting Guy” blog – http://blogs.technet.com/b/heyscriptingguy/archive/2013/11/29/remoting-week-non-domain-remoting.aspx.
Anyway, the solution from Honorary Scripting Guy Richard Siddaway was to add the computer I am connecting to to the trusted host list. The trusted host list basically tells your computer, “Hey, you can trust this computer, go ahead and share my sensitive and private credentials with them.” So, be careful with this. As the error text above puts it, computers in the TrustedHosts list might not be authenticated.
You can view the trusted host list with this PowerShell command.
Get-Item -Path WSMan:\localhost\Client\TrustedHosts
You can add a computer to the trusted list with this command.
Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value 'computerNameOfRemoteComputer'
[Y] Yes [N] No [S] Suspend [?] Help (default is "Y"): Y
Now, I run the configuration script and I am deer in the headlights again.
New-PSSession : Opening the remote session failed with an unexpected state. State Broken.
Such a helpful error message. Stack Overflow – http://stackoverflow.com/questions/30617304/exchange-remote-powershell-gets-sporadic-broken-state. Looks like it may be a timeout, and I’m feeling that because the script sat on “Creating Session” forever (why so long is probably the next question). I update my script to increase the timeout.
# IdleTimeout is given in milliseconds (600000 ms = 10 minutes)
$so = New-PSSessionOption -IdleTimeout 600000
$Session = New-PSSession -ComputerName $node.ComputerName -Credential $credential -SessionOption $so
A 10-minute timeout is good, right? So, I try again and State is still Broken. Not mission critical at the moment so I will investigate further later.
You can read more about possible solutions at the links above.
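An added example, not part of the original post: a more careful way to make the TrustedHosts change and open the session described above. The function names and `remote-host.example` are placeholders, and the `-UseSSL` path assumes the remote server already has a WinRM HTTPS listener.

```powershell
# Added example. 'remote-host.example' and the function names are placeholders.
# Run from an elevated PowerShell session (the WSMan: drive requires it).
$TrustedHostsPath = 'WSMan:\localhost\Client\TrustedHosts'

function Get-WinRMTrustedHost {
    # TrustedHosts is stored as one comma-separated string; return it as a list.
    @((Get-Item -Path $TrustedHostsPath).Value -split ',' |
        ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function Add-WinRMTrustedHost {
    param([Parameter(Mandatory)][string]$ComputerName)
    if ($ComputerName -match '\*') {
        throw "Refusing '$ComputerName': a wildcard trusts every matching host."
    }
    if ((Get-WinRMTrustedHost) -notcontains $ComputerName) {
        # -Concatenate appends; without it Set-Item replaces the whole list.
        Set-Item -Path $TrustedHostsPath -Value $ComputerName -Concatenate -Force
    }
}

function Remove-WinRMTrustedHost {
    param([Parameter(Mandatory)][string]$ComputerName)
    $keep = Get-WinRMTrustedHost | Where-Object { $_ -ne $ComputerName }
    Set-Item -Path $TrustedHostsPath -Value ($keep -join ',') -Force
}

function New-CrossDomainSession {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][pscredential]$Credential,
        [switch]$UseSSL   # assumes an HTTPS listener exists on the remote server
    )
    # OpenTimeout bounds connection setup; IdleTimeout applies once a session is open.
    $so = New-PSSessionOption -OpenTimeout 60000 -IdleTimeout 600000
    $p  = @{ ComputerName = $ComputerName; Credential = $Credential
             SessionOption = $so; ErrorAction = 'Stop' }
    if ($UseSSL) { $p.UseSSL = $true }   # server proves its identity by certificate
    else { Add-WinRMTrustedHost -ComputerName $ComputerName }   # server might not be authenticated
    New-PSSession @p
}

# Usage (constructed values):
# $s = New-CrossDomainSession -ComputerName 'remote-host.example' -Credential (Get-Credential)
# Remove-PSSession $s; Remove-WinRMTrustedHost -ComputerName 'remote-host.example'
```

Removing the entry once the work is done keeps the TrustedHosts list limited to hosts that are actually in use.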
Ever figure this out??
I did not. I moved on to another job before I could revisit it.