
The error:

```
New-PSSession : [{Public IP of my remote server}] Connecting to remote server
{Public IP of my remote server} failed with the following error message :
Access is denied. For more information, see the about_Remote_Troubleshooting
Help topic.
At C:\Scripts\Test.ps1:24 char:12
+ $Session = New-PSSession -Computer $target -Authentication Credssp -C ...
+            ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotingTransportException
    + FullyQualifiedErrorId : AccessDenied,PSSessionOpenFailed
```

The "about_Remote_Troubleshooting" seems to be referring to this post which I've tried to follow along, but without luck.

I have a scripting server (Server A) that I'm trying to have manage a remote DC with a different hosting company.

DISCLAIMER: Since I've been failing miserably so far, I'm trying to set my configuration to be as wide-open as possible (AKA: temporarily unsecure), so that I can just see it working and then work backwards, tightening my security - as much as I can given that I'm being tasked with CredSSP in the first place... Also, I'm way over my head in this and very new to PowerShell. With that in mind...

Configuration I've done on Server A:

```powershell
Set-Item WSMan:\localhost\Client\TrustedHosts -Value * -Force
Set-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB -Value 0 -Force
Enable-PSRemoting
Set-ExecutionPolicy Unrestricted
Enable-WSManCredSSP -Role Client -DelegateComputer *
```

Configuration I've done on Server B:

```powershell
Enable-PSRemoting
Enable-WSManCredSSP -Role Server
```

And for kicks, on both machines, I've run gpedit and gone under Local Computer Policy → Computer Configuration → Administrative Templates → System → Credentials Delegation... enabled "Allow delegating fresh credentials" and "Allow delegating fresh credentials with NTLM-only server authentication" and added * and wsman/* to the servers list (and a few other possible combinations of IP or computer names for good measure).

So, I can send remote commands to Server B without CredSSP:

This works:

```powershell
$cred = New-Object System.Management.Automation.PSCredential $username, $securePassword

Invoke-Command -ComputerName $target -Credential $cred -ScriptBlock {
    Write-Host $env:computername | Select-Object
}
```

(Outputs name of Server B)

But if I pass that same $cred into a New-PSSession with CredSSP, that is where the error above occurs.

```powershell
$Session = New-PSSession -Computer $target -Authentication Credssp -Credential $cred
```

Server A is able to use CredSSP with a different Domain Controller (in the same network/hosting company). Every article I've gone through seems to lead me to believe that what I've done should work in both cases... What am I missing?

Ansgar Wiechers
justanotherguy
  • Side question, could the recent [CredSSP Patch](https://support.microsoft.com/en-us/help/4093492/credssp-updates-for-cve-2018-0886-march-13-2018) be the issue? If you have a combination of unpatched and patched servers, it will explicitly block CredSSP from unpatched servers. – HAL9256 Sep 11 '19 at 15:50

0 Answers
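Added example, not part of the question or its comment: a read-only audit of the settings the question changes (TrustedHosts, the CredSSP client and server roles, the Credentials Delegation policy lists) together with the `AllowEncryptionOracle` value introduced by the update linked in the comment. The function name `Get-CredSspAudit` is hypothetical, and the registry paths are assumed to be the standard policy locations; run it elevated on both Server A and Server B and compare the two results.

```powershell
# Added example: reads configuration only, changes nothing.
# Requires an elevated session and a running WinRM service (WSMan: drive).
function Get-CredSspAudit {
    $deleg  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
    $oracle = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'

    # Returns the SPN entries of one delegation policy list, or an empty array.
    function Get-PolicyList([string]$Name) {
        $key = Join-Path $deleg $Name
        if (-not (Test-Path $key)) { return @() }
        $item = Get-Item $key
        @($item.GetValueNames() | ForEach-Object { $item.GetValue($_) })
    }

    $fresh   = Get-PolicyList 'AllowFreshCredentials'
    $ntlm    = Get-PolicyList 'AllowFreshCredentialsWhenNTLMOnly'
    $trusted = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value

    # AllowEncryptionOracle: 0 = Force Updated Clients, 1 = Mitigated, 2 = Vulnerable.
    $raw = (Get-ItemProperty -Path $oracle -Name AllowEncryptionOracle `
                -ErrorAction SilentlyContinue).AllowEncryptionOracle
    $oracleText = if ($null -eq $raw) { 'not set (default for installed update level)' } else { $raw }

    # Flag the wide-open values used while troubleshooting so they get scoped later.
    $findings = @(
        if ($trusted -eq '*') { 'TrustedHosts = *' }
        if ($fresh -contains '*' -or $fresh -contains 'wsman/*') {
            'AllowFreshCredentials contains a wildcard'
        }
        if ($ntlm -contains '*' -or $ntlm -contains 'wsman/*') {
            'AllowFreshCredentialsWhenNTLMOnly contains a wildcard'
        }
        if ($raw -eq 2) { 'AllowEncryptionOracle = 2 (Vulnerable)' }
    )

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        ClientCredSSP         = (Get-Item WSMan:\localhost\Client\Auth\CredSSP).Value
        ServiceCredSSP        = (Get-Item WSMan:\localhost\Service\Auth\CredSSP).Value
        TrustedHosts          = $trusted
        FreshCredentials      = $fresh -join ', '
        FreshCredentialsNtlm  = $ntlm -join ', '
        AllowEncryptionOracle = $oracleText
        Findings              = $findings -join '; '
    }
}

Get-CredSspAudit | Format-List
```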