
PowerShell remote PSSession fails - domain administrator account

Stack Overflow user
Asked on 2021-09-09 16:54:48
1 answer · 4.9K views · 0 followers · score 1

I am troubleshooting an issue where my PRTG sensor is not collecting Windows information from one of our servers. It uses WinRM and remote PowerShell commands to do this.

Server1 - problem server

Server2 - working server

When I try to test the connection with Enter-PSSession -ComputerName Server1 or winrs -r:Server1 dir, I always get the following error:

PS C:\WINDOWS\system32> winrs -r:Server1 dir


Winrs error:WinRM cannot process the request. The following error with errorcode 0x80090322 occurred while using Kerberos authentication: An unknown security error occurred.
 Possible causes are:
  -The user name or password specified are invalid.
  -Kerberos is used when no authentication method and no user name are specified.
  -Kerberos accepts domain user names, but not local user names.
  -The Service Principal Name (SPN) for the remote computer name and port does not exist.
  -The client and remote computers are in different domains and there is no trust between the two domains.
 After checking for the above issues, try the following:
  -Check the Event Viewer for events related to authentication.
  -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
 Note that computers in the TrustedHosts list might not be authenticated.
   -For more information about WinRM configuration, run the following command: winrm help config.

PS C:\WINDOWS\system32> Enter-PSSession -ComputerName Server1
Enter-PSSession : Connecting to remote server Server1 failed with the following error message : WinRM cannot process the request. The
following error with errorcode 0x80090322 occurred while using Kerberos authentication: An unknown security error occurred.
 Possible causes are:
  -The user name or password specified are invalid.
  -Kerberos is used when no authentication method and no user name are specified.
  -Kerberos accepts domain user names, but not local user names.
  -The Service Principal Name (SPN) for the remote computer name and port does not exist.
  -The client and remote computers are in different domains and there is no trust between the two domains.
 After checking for the above issues, try the following:
  -Check the Event Viewer for events related to authentication.
  -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
 Note that computers in the TrustedHosts list might not be authenticated.
   -For more information about WinRM configuration, run the following command: winrm help config. For more information, see the
about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ Enter-PSSession -ComputerName Server1
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (Server1:String) [Enter-PSSession], PSRemotingTransportException
    + FullyQualifiedErrorId : CreateRemoteRunspaceFailed

If I run the command against any other server, the connection succeeds; this is the only server giving me trouble.

If I run Enter-PSSession with the -Credential switch using my own user account, I get the same error, but if I run the command and specify the server's local administrator account, it connects. Other servers work fine.

PS C:\WINDOWS\system32> Enter-PSSession -ComputerName Server1 -Credential Server1\administrator
[Server1]: PS C:\Users\Administrator\Documents> exit

PS C:\WINDOWS\system32> Enter-PSSession -ComputerName Server1 -credential domain\myuser
Enter-PSSession : Connecting to remote server Server1 failed with the following error message : WinRM cannot process the request. The
following error with errorcode 0x80090322 occurred while using Negotiate authentication: An unknown security error occurred.
 Possible causes are:
  -The user name or password specified are invalid.
  -Kerberos is used when no authentication method and no user name are specified.
  -Kerberos accepts domain user names, but not local user names.
  -The Service Principal Name (SPN) for the remote computer name and port does not exist.
  -The client and remote computers are in different domains and there is no trust between the two domains.
 After checking for the above issues, try the following:
  -Check the Event Viewer for events related to authentication.
  -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
 Note that computers in the TrustedHosts list might not be authenticated.
   -For more information about WinRM configuration, run the following command: winrm help config. For more information, see the
about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ Enter-PSSession -ComputerName Server1 -credential alpenaw2k.local\kemp ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (Server1:String) [Enter-PSSession], PSRemotingTransportException
    + FullyQualifiedErrorId : CreateRemoteRunspaceFailed

PS C:\WINDOWS\system32> Enter-PSSession -ComputerName Server2
[Server2]: PS C:\Users\user\Documents> exit
PS C:\WINDOWS\system32>

If I run New-PSSession from the local server, I get the same error unless I specify the -EnableNetworkAccess switch, after which it connects. This confuses me. Event Viewer gives me Event ID 161 related to user authentication and error 142 for the session that failed to be created.

If I run Test-WSMan from the local server and from the remote host, it shows that it is running.

Below is the WinRM configuration and the listener configuration:

PS C:\Windows\system32> winrm get winrm/config
Config
    MaxEnvelopeSizekb = 500
    MaxTimeoutms = 60000
    MaxBatchItems = 32000
    MaxProviderRequests = 4294967295
    Client
        NetworkDelayms = 5000
        URLPrefix = wsman
        AllowUnencrypted = false
        Auth
            Basic = true
            Digest = true
            Kerberos = true
            Negotiate = true
            Certificate = true
            CredSSP = false
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        TrustedHosts = 10.10.10.142
    Service
        RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
        MaxConcurrentOperations = 4294967295
        MaxConcurrentOperationsPerUser = 1500
        EnumerationTimeoutms = 240000
        MaxConnections = 300
        MaxPacketRetrievalTimeSeconds = 120
        AllowUnencrypted = false
        Auth
            Basic = false
            Kerberos = true
            Negotiate = true
            Certificate = false
            CredSSP = false
            CbtHardeningLevel = Relaxed
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        IPv4Filter = *
        IPv6Filter = *
        EnableCompatibilityHttpListener = false
        EnableCompatibilityHttpsListener = false
        CertificateThumbprint
        AllowRemoteAccess = true
    Winrs
        AllowRemoteShellAccess = true
        IdleTimeout = 7200000
        MaxConcurrentUsers = 2147483647
        MaxShellRunTime = 2147483647
        MaxProcessesPerShell = 2147483647
        MaxMemoryPerShellMB = 2147483647
        MaxShellsPerUser = 2147483647

PS C:\Windows\system32> winrm enumerate winrm/config/listener
Listener
    Address = *
    Transport = HTTP
    Port = 5985
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = 10.10.10.87, 127.0.0.1, ::1, fe80::4579:db85:c9cb:ead0%6

Other things I have tried:

times.

  • Windows
  • I have no GPO settings for WinRM.
  • I removed and recreated the listener.
  • I have reset the WinRM configuration for the public, private and domain networks; several WinRM advanced firewall rules have been disabled.
  • Checked the permissions with Set-PSSessionConfiguration -Name Microsoft.PowerShell -ShowSecurityDescriptorUI; the permissions look fine.
  • Used the IP address instead of the hostname, with the same result.
  • Added the computer to the TrustedHosts list; it did not work. This should not be necessary anyway, since both computers are in the same domain.
  • Ran Enable-PSRemoting -Force (although this should be unnecessary, since WinRM is enabled by default on Server 2012 and later).
  • Added my user to the local Administrators and Remote Management Users groups on the server, with no luck.
  • Adjusted the registry with REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1; the result is the same regardless of its value.

I have rebooted and run [...] as a last resort.

Specs of the server, the workstation and my user:

My domain account is a domain Administrator.

  • The server is Windows 2019 Standard.
  • The workstation is Windows 10 Pro.
  • PowerShell version 5 on both.
  • Both computers are in the same domain.
  • Both computers are fully up to date.

I can poll this information using the local administrator account and fix my PRTG problem, but that does not solve the underlying issue.

Edit:

On the remote server there are no error entries in the Windows Remote Management log, but on my computer there are the following:

Error Event ID - 142

WSMan operation Enumeration failed, error code 2150858909

Error Event ID - 49

The WinRM protocol operation failed due to the following error: WinRM cannot process the request. The following error with errorcode 0x80090322 occurred while using Kerberos authentication: An unknown security error occurred.  
 Possible causes are:
  -The user name or password specified are invalid.
  -Kerberos is used when no authentication method and no user name are specified.
  -Kerberos accepts domain user names, but not local user names.
  -The Service Principal Name (SPN) for the remote computer name and port does not exist.
  -The client and remote computers are in different domains and there is no trust between the two domains.
 After checking for the above issues, try the following:
  -Check the Event Viewer for events related to authentication.
  -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
 Note that computers in the TrustedHosts list might not be authenticated.
   -For more information about WinRM configuration, run the following command: winrm help config..

Error Event ID - 161

WinRM cannot process the request. The following error with errorcode 0x80090322 occurred while using Kerberos authentication: An unknown security error occurred.  
 Possible causes are:
  -The user name or password specified are invalid.
  -Kerberos is used when no authentication method and no user name are specified.
  -Kerberos accepts domain user names, but not local user names.
  -The Service Principal Name (SPN) for the remote computer name and port does not exist.
  -The client and remote computers are in different domains and there is no trust between the two domains.
 After checking for the above issues, try the following:
  -Check the Event Viewer for events related to authentication.
  -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
 Note that computers in the TrustedHosts list might not be authenticated.
   -For more information about WinRM configuration, run the following command: winrm help config.

I can RDP to the server fine, which is how I have been doing some local testing.

I tested these two commands:

gwmi win32_operatingsystem -ComputerName Server1 executes without problems, both when specifying the remote server and when running it locally after RDPing in.

Get-CimInstance win32_operatingsystem -ComputerName Server1 I cannot run from my workstation, but if I RDP into the server and run it there, it executes normally.

1 answer

Stack Overflow user

Posted on 2021-09-09 21:32:16

I have solved it.

It was an SPN problem. HTTP/server1 and HTTP/server1.domain were being used by a random user account named after the server.

After disabling the account and moving the SPNs to the computer object, WinRM now works as intended.

This helped me move in the right direction.

Score 1
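The answer above identifies the cause as HTTP/ SPNs for the server being registered on a user account instead of the computer object: Kerberos then issues a ticket for the wrong principal, and the WinRM service on the server cannot decrypt it, which surfaces as error 0x80090322 while the local-account (NTLM) path and connections to other hosts keep working. The following is an added example, not code from the question or the answer, that checks which Active Directory object owns the HTTP/ and HOST/ SPNs for a WinRM target, summarises the client-side WinRM failure events the question mentions (IDs 142, 161 and 49), and offers a guarded remediation that moves a misplaced SPN onto the computer object. It assumes the RSAT ActiveDirectory module, rights to read and modify the objects, and the hostname Server1 from the post; the user name svc-server1 in the usage line is a placeholder.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the Stack Overflow post). Audits SPN ownership for a WinRM
# target and, on request, moves a misplaced HTTP/ SPN from a user to the computer object.

function Get-WinRmSpnOwners {
    param([Parameter(Mandatory)] [string]$ComputerName)

    $short = $ComputerName.Split('.')[0]
    $fqdn  = ([System.Net.Dns]::GetHostEntry($ComputerName)).HostName
    # WinRM over HTTP is authenticated against HTTP/<host> when such an SPN exists and
    # only falls back to HOST/<host> (always held by the computer object) when it does not.
    $candidates = @("HTTP/$short", "HTTP/$fqdn", "HOST/$short", "HOST/$fqdn") | Select-Object -Unique

    foreach ($spn in $candidates) {
        $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName, objectClass)
        if ($owners.Count -eq 0) {
            [pscustomobject]@{ Spn = $spn; Owner = '<none>'; ObjectClass = '<none>'; Misplaced = $false }
            continue
        }
        foreach ($o in $owners) {
            [pscustomobject]@{
                Spn         = $spn
                Owner       = $o.DistinguishedName
                ObjectClass = $o.ObjectClass
                # A WinRM SPN for a machine must sit on that machine's computer object.
                Misplaced   = ($o.ObjectClass -ne 'computer')
            }
        }
    }
}

function Get-WinRmClientFailures {
    # Client-side WinRM failures from the last $Hours hours, grouped by event ID.
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-WinRM/Operational'; Id = 142, 161, 49; StartTime = $since } -ErrorAction SilentlyContinue |
        Group-Object Id |
        ForEach-Object {
            [pscustomobject]@{
                EventId     = [int]$_.Name
                Count       = $_.Count
                LastMessage = ($_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1).Message.Split("`n")[0]
            }
        }
}

function Move-SpnToComputer {
    # Remove the SPN from the user first: AD rejects a duplicate SPN inside one forest.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]$Spn,
        [Parameter(Mandatory)] [string]$FromUserSamAccountName,
        [Parameter(Mandatory)] [string]$ComputerName
    )
    if ($PSCmdlet.ShouldProcess("$FromUserSamAccountName -> $ComputerName", "Move SPN $Spn")) {
        Set-ADUser     -Identity $FromUserSamAccountName -ServicePrincipalNames @{ Remove = $Spn }
        Set-ADComputer -Identity $ComputerName           -ServicePrincipalNames @{ Add    = $Spn }
    }
}

# Usage: report first, remediate only after reviewing the report.
Get-WinRmSpnOwners -ComputerName 'Server1' | Format-Table -AutoSize
Get-WinRmClientFailures -Hours 24 | Format-Table -AutoSize
# If an HTTP/ row shows ObjectClass 'user' (svc-server1 is a placeholder account name):
# Move-SpnToComputer -Spn 'HTTP/Server1' -FromUserSamAccountName 'svc-server1' -ComputerName 'Server1' -WhatIf
```

The report makes the failure mode in the answer visible directly: a row with Misplaced set to True for an HTTP/ SPN is exactly the situation the answer describes, while a healthy host shows either no HTTP/ SPN at all or one on its own computer object. Running Move-SpnToComputer with -WhatIf first shows the two directory writes without performing them; the forest-wide `setspn -X` command is the quick way to confirm that no duplicate SPNs remain afterwards.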
Original content provided by Stack Overflow. Translation originally supplied by the Tencent Cloud IT-domain translation engine.
Original link:

https://stackoverflow.com/questions/69122094
