Powershell remoting -策略不允许委派用户凭据
Powershell remoting -策略不允许委派用户凭据
提问于 2013-08-08 04:55:09
我是powershell的新手,在使用凭证委派时遇到了问题。我有以下脚本:
$session = New-PSSession myserver -Authentication CredSSP -Credential DOMAIN\Administrator
Invoke-Command -Session $session -ScriptBlock { <Some PowerShell Command> }在运行它之前,我执行了以下操作:
- 在myserver上运行
Enable-PSRemoting。 - 在myserver上运行
Enable-WSManCredSSP Server。 - 在myserver上运行
Restart-Service WinRM。 - 在客户机上运行
Enable-WSManCredSSP Client –DelegateComputer myserver。 - 已重新启动服务器和客户端。
但是一旦我运行这个脚本,我就会得到以下错误消息:
[myserver] Connecting to remote server failed with the following error message : The WinRM client cannot process the request. A computer policy does not allow the delegation of
the user credentials to the target computer. Use gpedit.msc and look at the following policy: Computer Configuration -> Administrative Templates -> System -> Credentials Delega
tion -> Allow Delegating Fresh Credentials. Verify that it is enabled and configured with an SPN appropriate for the target computer. For example, for a target computer name "m
yserver.domain.com", the SPN can be one of the following: WSMAN/myserver.domain.com or WSMAN/*.domain.com. For more information, see the about_Remote_Troubleshooting Help topic.
+ CategoryInfo : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [], PSRemotingTransportException
+ FullyQualifiedErrorId : PSSessionOpenFailed我检查了错误消息中提到的策略,但似乎一切正常。还有什么能阻止我呢?
回答 4
Stack Overflow用户
回答已采纳
发布于 2013-08-14 02:17:21
多亏了this page,我终于让它正常工作了。它提供了一个脚本,通过直接设置适当的注册表项来设置所需的凭据委派策略。一旦我使用管理员权限运行该脚本,我就能够成功地建立到myserver的CredSSP连接:
Enable-WSManCredSSP -Role client -DelegateComputer *.mydomain.com
$allowed = @('WSMAN/*.mydomain.com')
$key = 'hklm:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
if (!(Test-Path $key)) {
md $key
}
New-ItemProperty -Path $key -Name AllowFreshCredentials -Value 1 -PropertyType Dword -Force
$key = Join-Path $key 'AllowFreshCredentials'
if (!(Test-Path $key)) {
md $key
}
$i = 1
$allowed |% {
# Script does not take into account existing entries in this key
New-ItemProperty -Path $key -Name $i -Value $_ -PropertyType String -Force
$i++
}Stack Overflow用户
发布于 2013-12-06 05:51:34
在服务器上执行以下操作:
Enable-WSManCredSSP -Role Server在客户端上执行以下操作:
set-item wsman:localhost\client\trustedhosts -value *
Enable-WSManCredSSP -Role Client –DelegateComputer *在客户端上使用gpedit.msc启用将新凭据委派给WSMAN/*
展开Local Computer Policy,展开Computer Configuration,展开Administrative Templates,展开System,然后单击Credential Delegation.
- In
Settings窗格,双击Allow Delegating Fresh Credentials with NTLM-only Server Authentication.
- In
Settings对话框,执行following:- Click
Enabled. - In
Settings区域,单击Show.- In
Options,键入<Settings>d26Allow Delegating Fresh Credentials with NTLM-only Server Authentication >,然后单击<Options>D27System>。确保选择了Concatenate OS defaults with input above,然后单击OK.
- In
以下命令现在起作用(在出现密码提示后):
Invoke-Command { dir \\fileserver\devtools } -computer appserver01 -authentication credssp -credential domain\user参见MSDN forums。
请参阅TechNet
Stack Overflow用户
发布于 2018-02-02 05:25:57
我必须完全自动化我的解决方案,特别是让您进入GPO编辑器的解决方案中的部分。
1)启用远程PS
Enable-PSRemoting -force2)启用CredSSP
Enable-WSManCredSSP -Role Server -Force
Enable-WSManCredSSP -Role Client -DelegateComputer locahost -Force
Enable-WSManCredSSP -Role Client -DelegateComputer $env:COMPUTERNAME -Force
Enable-WSManCredSSP -Role Client -DelegateComputer $domain -Force
Enable-WSManCredSSP -Role Client -DelegateComputer "*.$domain" -Force
Set-Item -Path "wsman:\localhost\service\auth\credSSP" -Value $True -Force3)通过注册表启用NTLM新凭据:
New-Item -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation -Name AllowFreshCredentialsWhenNTLMOnly -Force
New-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentialsWhenNTLMOnly -Name 1 -Value * -PropertyType String只有在这之后,我才能够以本地管理员的身份启动powershell脚本,该脚本能够在PSSession中运行并执行AD操作。
$secpasswd = ConvertTo-SecureString $adPassword -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential ("$domain\Admin", $secpasswd)
$adminSession = New-PSSession -Credential $credential -Authentication Credssp;
$sb = {
param($p1, $p2)
whoami
New-ADUser ....
}
Invoke-Command -Session $adminSession -Script $sb -ArgumentList $domain,$userPassword页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://stackoverflow.com/questions/18113651
复制相关文章
相似问题