Enter-PSSession fails to Windows Server 2012

When trying to connect to “server1” I receive the error below. The, for me, strange part: connecting to “server2” works without issue.
Both servers have PowerShell 5 installed, and I ran Enable-PSRemoting.
The only difference I am aware of: server1 is Windows Server 2012, and server2 is Windows Server 2012 R2

Checked the SPNs (results below, same between servers)
Checked the results of “WinRM get winrm/config/client” (result below, same between servers)
Checked if there could be a firewall issue (results below, same between servers)
Ran Test-WSMan, for server1 that resulted in an error. (results below)

So the big question: What would it take to get PSRemoting working on server1? Preferably without CredSSP.

PS U:\> Enter-PSSession : Connecting to remote server server1 failed with the following error message : WinRM cannot process the request. The following error with errorcode 0x80090322 occurred while using Kerberos authentication: An
unknown security error occurred.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does not exist.
-The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ Enter-PSSession ‘server1’ -Credential:‘mydomain\me’
    + CategoryInfo          : InvalidArgument: (server1:String) [Enter-PSSession], PSRemotingTransportException
    + FullyQualifiedErrorId : CreateRemoteRunspaceFailed

PS U:\> setspn -l server1
Registered ServicePrincipalNames for CN=server1,OU=Servers,DC=mydomain,DC=com:
WSMAN/server1.mydomain.com
WSMAN/server1
TERMSRV/server1.mydomain.com
TERMSRV/server1
RestrictedKrbHost/server1
HOST/server1
RestrictedKrbHost/server1.mydomain.com
HOST/server1.mydomain.com

PS U:\> setspn -l server2
Registered ServicePrincipalNames for CN=server2,OU=Servers,DC=mydomain,DC=com:
TERMSRV/server2
TERMSRV/server2.mydomain.com
WSMAN/server2.mydomain.com
WSMAN/server2
RestrictedKrbHost/server2
HOST/server2
RestrictedKrbHost/server2.mydomain.com
HOST/server2.mydomain.com

On both servers:
PS C:\Windows\system32> WinRM get winrm/config/client
Client
    NetworkDelayms = 5000
    URLPrefix = wsman
    AllowUnencrypted = false
    Auth
        Basic = true
        Digest = true
        Kerberos = true
        Negotiate = true
        Certificate = true
        CredSSP = false
    DefaultPorts
        HTTP = 5985
        HTTPS = 5986
    TrustedHosts

PS U:\> Test-NetConnection -ComputerName server1 -Port 5985 | Select TcpTestSucceeded

TcpTestSucceeded

        True

PS U:\> Test-NetConnection -ComputerName server1 -Port 5986 | Select TcpTestSucceeded
WARNING: TCP connect to server1:5986 failed

TcpTestSucceeded

       False

PS U:\> Test-NetConnection -ComputerName server2 -Port 5985 | Select TcpTestSucceeded

TcpTestSucceeded

        True

PS U:\> Test-NetConnection -ComputerName server2 -Port 5986 | Select TcpTestSucceeded
WARNING: TCP connect to server2:5986 failed

TcpTestSucceeded

       False



PS U:\> Test-WSMan -ComputerName server1 -Authentication Kerberos

Test-WSMan : WinRM cannot process the
request. The following error with errorcode 0x80090322 occurred while using Kerberos
authentication: An unknown security error occurred.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does not exist.
-The client and remote computers are in different domains and there is no trust between the two
domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM TrustedHosts
configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following command: winrm help config.

At line:1 char:1
+ Test-WSMan -ComputerName server1 -Authentication Kerberos
    + CategoryInfo          : InvalidOperation: (server1:String) [Test-WSMan], InvalidOperationException
    + FullyQualifiedErrorId : WsManError,Microsoft.WSMan.Management.TestWSManCommand

PS U:\> Test-WSMan -ComputerName server2 -Authentication Kerberos

wsmid : http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd
ProtocolVersion : http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
ProductVendor : Microsoft Corporation
ProductVersion : OS: 6.3.9600 SP: 0.0 Stack: 3.0

Because the failure is on port 5986, check the certificate used. See http://social.technet.microsoft.com/wiki/contents/articles/17324.error-details-0x80090322-the-target-principal-name-is-incorrect.aspx

Hi Jonathan,

Thanks for your (prompt) response!
I checked the link, but I’ll need a bit more help to get that translated to my situation.

I have not set up any certificates on server1, nor on server2. If I understand it correctly, the Test-WSMan command does not use SSL (unless explicitly specifying it).

Hugo

Are any Kerberos Error or failure events generated in the System or Security event logs? One possibility is that you have a large Kerberos Token due to many group memberships. One server could be configured with a larger max token size than the other.

Hi Curtis,

Many thanks for the suggestion. I took a look and can rule this out. I don’t see errors as a result of my logon attempts.

Hugo

Another possibility is that the SPN may not be registered to the computer account; there are times when other services may have registered the SPN to a domain account. I have seen it a lot with SQL, and IIS can cause the issue with WSMan. See https://social.technet.microsoft.com/Forums/windows/en-US/a4c5c787-ea65-4150-8d16-2a19c569a589/enterpssession-winrm-cannot-process-the-request-kerberos-authentication-error-0x80090322?forum=winserverpowershell
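
The check suggested in the last reply, as an added example that is not part of the original thread: `setspn -l server1` only lists what the computer account holds, so this looks at every account and reports HTTP, WSMAN or HOST SPNs for the host that sit on a different account. The function names, the `svc-web` account and the sample records are hypothetical and constructed for illustration.

```powershell
# Added example, not from the thread: flag SPNs for a host that are registered
# on an account other than the host's own computer account.
function Find-MisplacedSpn {
    param(
        [Parameter(Mandatory)][object[]]$SpnRecord,   # objects with Account and Spn
        [Parameter(Mandatory)][string]$ComputerName,  # short name, e.g. server1
        [string[]]$ServiceClass = @('HTTP', 'WSMAN', 'HOST')
    )
    $expected = $ComputerName + '$'   # sAMAccountName of the computer account
    foreach ($rec in $SpnRecord) {
        # SPN layout: class/host[:port][/servicename]
        $parts = $rec.Spn -split '/'
        if ($parts.Count -lt 2) { continue }
        $spnHost  = ($parts[1] -split ':')[0]
        $sameHost = ($spnHost -eq $ComputerName) -or ($spnHost -like "$ComputerName.*")
        if ($sameHost -and ($ServiceClass -contains $parts[0]) -and ($rec.Account -ne $expected)) {
            [pscustomobject]@{ Spn = $rec.Spn; HeldBy = $rec.Account; Expected = $expected }
        }
    }
}

function Get-SpnRecord {
    # Live lookup (needs a domain-joined session): every AD account that has
    # an SPN mentioning the host name, returned one record per SPN.
    param([Parameter(Mandatory)][string]$ComputerName)
    $searcher = [adsisearcher]"(servicePrincipalName=*/$ComputerName*)"
    foreach ($r in $searcher.FindAll()) {
        foreach ($spn in $r.Properties['serviceprincipalname']) {
            [pscustomobject]@{
                Account = [string]$r.Properties['samaccountname'][0]
                Spn     = [string]$spn
            }
        }
    }
}

# Constructed sample data: two of server1's SPNs as listed in the thread, plus a
# hypothetical service account 'svc-web' that has claimed an HTTP SPN.
$sample = @(
    [pscustomobject]@{ Account = 'server1$'; Spn = 'WSMAN/server1.mydomain.com' }
    [pscustomobject]@{ Account = 'server1$'; Spn = 'HOST/server1' }
    [pscustomobject]@{ Account = 'svc-web';  Spn = 'HTTP/server1.mydomain.com' }
    [pscustomobject]@{ Account = 'svc-web';  Spn = 'HTTP/server10.mydomain.com' }
)
Find-MisplacedSpn -SpnRecord $sample -ComputerName 'server1'

# Against the real directory:
# Find-MisplacedSpn -SpnRecord (Get-SpnRecord -ComputerName 'server1') -ComputerName 'server1'
```

For a single SPN, `setspn -Q HTTP/server1` performs the same ownership lookup, and `setspn -X` searches the domain for duplicate SPNs.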