16

This is just crazy, I am starting on PowerShell. And of course I need to do Admin work remotely.

A simple

dir \\server\share\folder

Just refuses to work, I get this error

Get-ChildItem : Cannot find path '\\server\share\folder' because it does not exist.
    + CategoryInfo          : ObjectNotFound: (\\server\share\folder:String) [Get-ChildItem], ItemNotFoundException
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetChildItemCommand

To me it is pretty obvious it is an access rights issue. And we do have a domain here at the company. I am logged in to the server, with the exact same user account, on VNC and I can see the UNC path. But whenever I try to just copy a file from my desktop with the remote connection, it just won't work!!!!

I can do many other things so I am positive I am connected.

Arturo Hernandez
  • In a DOS shell, the command 'dir \\server\share\folder' gives no error?? – CB. Dec 02 '11 at 20:29
  • That is correct. Maybe I should write "dir \\MyServer\MyShare\MyFolder". I did find out I need to set up CredSSP, I did and I still get a timeout followed by Enable-WSManCredSSP : This command cannot be executed because the setting cannot be enabled. This can happen if no network connection is present. – Arturo Hernandez Dec 02 '11 at 23:55
  • By now, I used gpedit.msc to allow for fresh credentials on BOTH computers. I set the fresh credentials policy and I use the `enable-wsmancredssp -role client -delegatecomputer computer1.domain.com` and `enable-wsmancredssp -role server` commands. For status I execute 'Get-WSManCredSSP' and I get **The machine is configured to allow delegating fresh credentials to the following target(s): wsman/computer1.domain.com,wsman/*.domain.com. This computer is configured to receive credentials from a remote client computer.** I can't find anything else to do and it is still not working! – Arturo Hernandez Dec 05 '11 at 17:36

2 Answers

17

To get this to work, you must configure both your local and remote computers.

On the remote server, run the following command:

 Enable-WSManCredSSP -Role server

You'll know things are configured correctly if you run the Get-WSManCredSSP cmdlet and get the following output:

The machine is not configured to allow delegating fresh credentials. This computer is configured to receive credentials from a remote client computer.

On your local computer, from an Administrative PowerShell prompt, you need to allow credential delegation in PowerShell. Run the following command:

 Enable-WSManCredSSP -Role Client -DelegateComputer <REMOTE_COMPUTER_NAME>

You can enable all servers by using * for REMOTE_COMPUTER_NAME.

You'll know this is configured correctly when you run Get-WSManCredSSP and get the following output:

The machine is configured to allow delegating fresh credentials to the following target(s): wsman/REMOTE_SERVER_NAME
This computer is not configured to receive credentials from a remote client computer.

On your local machine, update Group Policy to allow your credentials to be delegated to the remote server.

  1. Open gpedit.msc and browse to Computer Configuration > Administrative Templates > System > Credentials Delegation.
  2. Double-click "Allow delegating fresh credentials with NTLM-only Server Authentication".
  3. Enable the setting and add the build server to the server list as WSMAN/BuildServerName. (You can enable all servers by entering WSMAN/*.)

Then, when you need to run your command on the remote server, you can't use any of the *-PSSession commands because CredSSP can't use cached credentials. You have to start the session using Invoke-Command, and use CredSSP as the value to the Authentication parameter, like so:

Invoke-Command -ScriptBlock {
                   # remote commands here
               } `
               -ComputerName <REMOTE_COMPUTER_NAME> `
               -Authentication CredSSP `
               -Credential <USERNAME>
Aaron Jensen
  • 1
    Great answer and lots of good info thanks! Unfortunately, I still have a problem. I've made the changes in the group policy but when I run the following in an elevated PS window: "Enable-WSManCredSSP -role Client -DelegateComputer d-vasbiz01 -force" I get the following error: "Enable-WSManCredSSP : This command cannot be executed because the setting cannot be enabled" any ideas? – Rob Bowman Aug 02 '12 at 11:01
  • I found it! Problem was within the group policy editor I needed to prefix the name of the server I'm delegating to with "wsman/". This is as stated by the answer, but I missed it! Many thanks for the answer. – Rob Bowman Aug 02 '12 at 11:13
  • 1
    I did not have to do the "group policy" steps just the enable "client" and enable "server" roles on the correct computers. – rob Feb 27 '14 at 14:20
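
An added example, not part of either answer: a small audit helper that parses the Get-WSManCredSSP status text shown above and flags delegation targets that use `*`, since a wildcard target lets every matching host receive the delegated credentials. The function name `Get-CredSspDelegationFinding` and its output fields are hypothetical; the sample text is the status output quoted in the question's comments.

```powershell
# Added example (not from the answers). Get-CredSspDelegationFinding is a hypothetical helper.
function Get-CredSspDelegationFinding {
    param(
        [Parameter(Mandatory)]
        [string[]]$StatusText    # the lines printed by Get-WSManCredSSP
    )
    # Collapse line breaks so sentences that span lines parse the same way.
    $text = ($StatusText -join ' ') -replace '\s+', ' '

    # Server role: matches only when the sentence lacks "not configured".
    $receives = $text -match 'This computer is configured to receive credentials'

    # Client role: delegation targets follow "target(s):" up to the next sentence.
    $targets = @()
    if ($text -match 'following target\(s\):\s*(?<list>.+?)(?=\.?\s+This computer|$)') {
        $targets = @($Matches['list'].TrimEnd('.') -split '\s*,\s*' | Where-Object { $_ })
    }

    $findings = foreach ($t in $targets) {
        $name = $t -replace '^wsman/', ''
        if ($name -eq '*') { $scope = 'AnyHost' }
        elseif ($name.Contains('*')) { $scope = 'Wildcard' }
        else { $scope = 'SingleHost' }
        [pscustomobject]@{
            Target      = $t
            Scope       = $scope
            NeedsReview = ($scope -ne 'SingleHost')
        }
    }
    [pscustomobject]@{
        ReceivesCredentials = $receives
        DelegationTargets   = @($findings)
    }
}

# Sample input: the status text quoted in the question's comments.
$sample = @(
    'The machine is configured to allow delegating fresh credentials to the following target(s): wsman/computer1.domain.com,wsman/*.domain.com.'
    'This computer is configured to receive credentials from a remote client computer.'
)
$report = Get-CredSspDelegationFinding -StatusText $sample
$report.DelegationTargets | Format-Table -AutoSize
"Server role enabled: $($report.ReceivesCredentials)"

# On a live machine, from an elevated prompt:
# Get-CredSspDelegationFinding -StatusText (Get-WSManCredSSP)
```
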
0

PowerShell also uses Internet Explorer security settings on running remote scripts.

I have found that, for whatever machine you are trying to have run a remote script, if I add the UNC path of the remote machine to my trusted intrAnet sites, I can run scripts then (assuming my execution policy in posh is set to remotesigned...."set-executionpolicy remotesigned").

I do a ton of administration for multiple servers with and without SQL, and I've never done anything with Enable-WSManCredSSP.

Emo