16

Some of ours servers (W2K8 R2) were moved to the cloud last week, once done that my powerswhell script started to fail (was working fine before), the exception is thrown on the line where the connection is trying to be established, 

$ExSession = New-PSSession –ConfigurationName Microsoft.Exchange –ConnectionUri     "http://$g_strExchangeServer/PowerShell" `
-Credential $Credentials –Authentication Kerberos

With the following message, 

[subd.staging.com] Connecting to remote server failed with the following error message : 
**WinRM cannot process the request**. The following error occured while using Kerberos authentication: There are currently no logon servers available to service the logon request.  
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does not exist.
-The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following command: winrm help onfig. For more information, see the about_Remote_Troubleshooting Help topic.
+ CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [], PSRemotingTransportException
+ FullyQualifiedErrorId : PSSessionOpenFailed

this happens only if I try to target our testing domain, if I point the script to our production domain then it works.

The same error is displayed on all the servers that were already moved to cloud.

Notice that all the servers which have not already moved to cloud are able to run the script on both domains without any problem.

I've tried the following, but no luck.

//Add the destination computer to the WinRM TrustedHosts configuration setting. 
c:\>WinRM set winrm/config/client @{TrustedHosts="stagingserver"} 


//Confirm that WinRM is properly configured.  
c:\>Winrm quickconfig  

//Make sure that the remote server allows commands from any machine. 
PS c:\>Set-item wsman:localhost\client\trustedhosts -value *

Using Powershell v2 and WinRM v2

Any comments are welcome.

g3n1t0
  • 161
  • 1
  • 1
  • 3
  • Likely, it is this: "-The client and remote computers are in different domains and there is no trust between the two domains." Try using CredSSP. Here is how to enable it: http://technet.microsoft.com/en-us/library/hh849872.aspx – user1578107 Aug 17 '13 at 17:46
  • @user1578107, I tried but no luck, c:\>enable-wsmancredssp -role client -delegatecomputer stagingserver. The command was properly executed because I did not get any error from PS however the script is still failing with the same error message. Thanks. – g3n1t0 Aug 19 '13 at 00:52
  • i'm not sure if enable-wsmancredssp allows forwarding of fresh credentials. You can try to enable it manually (see http://msdn.microsoft.com/en-us/library/windows/desktop/ee309365(v=vs.85).aspx ) – user1578107 Aug 24 '13 at 06:36

1 Answers1

30

Run these commands on the client machine, then try to reach a remote host:

First we need to check TrustedHosts on the client machine:

PS C:\> WinRM get winrm/config/client
Client
    NetworkDelayms = 5000
    URLPrefix = wsman
    AllowUnencrypted = false
    Auth
        Basic = true
        Digest = true
        Kerberos = true
        Negotiate = true
        Certificate = true
        CredSSP = false
    DefaultPorts
        HTTP = 5985
        HTTPS = 5986
    TrustedHosts

If it's empty as in the example, run the command below on the client machine:

PS C:> Set-item wsman:localhost\client\trustedhosts -value *

This will write * in TrustedHosts parameter which will allow client machine to connect to any host, or you can configure this value with ip and/or hostname of the target server.

PS C:\> WinRM get winrm/config/client
Client
    NetworkDelayms = 5000
    URLPrefix = wsman
    AllowUnencrypted = false
    Auth
        Basic = true
        Digest = true
        Kerberos = true
        Negotiate = true
        Certificate = true
        CredSSP = false
    DefaultPorts
        HTTP = 5985
        HTTPS = 5986
    TrustedHosts = *
Alexander.Iljushkin
  • 4,519
  • 7
  • 29
  • 46
Alok
  • 301
  • 3
  • 3
  • This command is not working...Can you please let me know whether we need to restart the machine after executing this command – vinay Feb 18 '15 at 11:15
  • 7
    It may be helpful to note that this command needs to be executed on the client machine, i.e. the one making the connection - not on the targeted host. WinRM service might need to be restarted afterwards. – w128 Mar 01 '16 at 15:56
  • 2
    Need to use Powershell as an admin for the second command (right-click, "Run as administrator"). – jzhang22 Feb 27 '17 at 12:59