我是powershell的新手,在使用凭证委派时遇到了问题。我有以下脚本:
$session = New-PSSession myserver -Authentication CredSSP -Credential DOMAIN\Administrator
Invoke-Command -Session $session -ScriptBlock { <Some PowerShell Command> }
在运行它之前,我执行了以下操作:
Enable-PSRemoting
。Enable-WSManCredSSP Server
。Restart-Service WinRM
。Enable-WSManCredSSP Client –DelegateComputer myserver
。但是一旦我运行这个脚本,我就会得到以下错误消息:
[myserver] Connecting to remote server failed with the following error message : The WinRM client cannot process the request. A computer policy does not allow the delegation of
the user credentials to the target computer. Use gpedit.msc and look at the following policy: Computer Configuration -> Administrative Templates -> System -> Credentials Delega
tion -> Allow Delegating Fresh Credentials. Verify that it is enabled and configured with an SPN appropriate for the target computer. For example, for a target computer name "m
yserver.domain.com", the SPN can be one of the following: WSMAN/myserver.domain.com or WSMAN/*.domain.com. For more information, see the about_Remote_Troubleshooting Help topic.
+ CategoryInfo : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [], PSRemotingTransportException
+ FullyQualifiedErrorId : PSSessionOpenFailed
我检查了错误消息中提到的策略,但似乎一切正常。还有什么能阻止我呢?
发布于 2013-08-14 02:17:21
多亏了this page,我终于让它正常工作了。它提供了一个脚本,通过直接设置适当的注册表项来设置所需的凭据委派策略。一旦我使用管理员权限运行该脚本,我就能够成功地建立到myserver的CredSSP连接:
Enable-WSManCredSSP -Role client -DelegateComputer *.mydomain.com
$allowed = @('WSMAN/*.mydomain.com')
$key = 'hklm:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
if (!(Test-Path $key)) {
md $key
}
New-ItemProperty -Path $key -Name AllowFreshCredentials -Value 1 -PropertyType Dword -Force
$key = Join-Path $key 'AllowFreshCredentials'
if (!(Test-Path $key)) {
md $key
}
$i = 1
$allowed |% {
# Script does not take into account existing entries in this key
New-ItemProperty -Path $key -Name $i -Value $_ -PropertyType String -Force
$i++
}
发布于 2013-12-06 05:51:34
在服务器上执行以下操作:
Enable-WSManCredSSP -Role Server
在客户端上执行以下操作:
set-item wsman:localhost\client\trustedhosts -value *
Enable-WSManCredSSP -Role Client –DelegateComputer *
在客户端上使用gpedit.msc
启用将新凭据委派给WSMAN/*
展开Local Computer Policy
,展开Computer Configuration
,展开Administrative Templates
,展开System
,然后单击Credential Delegation
.
Settings
窗格,双击Allow Delegating Fresh Credentials with NTLM-only Server Authentication
.Settings
对话框,执行following:Enabled
.Settings
区域,单击Show
.Options
,键入<Settings
>d26Allow Delegating Fresh Credentials with NTLM-only Server Authentication >,然后单击<Options
>D27System>。确保选择了Concatenate OS defaults with input above
,然后单击OK
.以下命令现在起作用(在出现密码提示后):
Invoke-Command { dir \\fileserver\devtools } -computer appserver01 -authentication credssp -credential domain\user
参见MSDN forums。
请参阅TechNet
发布于 2018-02-02 05:25:57
我必须完全自动化我的解决方案,特别是让您进入GPO编辑器的解决方案中的部分。
1)启用远程PS
Enable-PSRemoting -force
2)启用CredSSP
Enable-WSManCredSSP -Role Server -Force
Enable-WSManCredSSP -Role Client -DelegateComputer locahost -Force
Enable-WSManCredSSP -Role Client -DelegateComputer $env:COMPUTERNAME -Force
Enable-WSManCredSSP -Role Client -DelegateComputer $domain -Force
Enable-WSManCredSSP -Role Client -DelegateComputer "*.$domain" -Force
Set-Item -Path "wsman:\localhost\service\auth\credSSP" -Value $True -Force
3)通过注册表启用NTLM新凭据:
New-Item -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation -Name AllowFreshCredentialsWhenNTLMOnly -Force
New-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentialsWhenNTLMOnly -Name 1 -Value * -PropertyType String
只有在这之后,我才能够以本地管理员的身份启动powershell脚本,该脚本能够在PSSession中运行并执行AD操作。
$secpasswd = ConvertTo-SecureString $adPassword -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential ("$domain\Admin", $secpasswd)
$adminSession = New-PSSession -Credential $credential -Authentication Credssp;
$sb = {
param($p1, $p2)
whoami
New-ADUser ....
}
Invoke-Command -Session $adminSession -Script $sb -ArgumentList $domain,$userPassword
https://stackoverflow.com/questions/18113651
复制相似问题