When trying to connect to “server1” I receive the error below. The, for me, strange part: connecting to “server2” works without issue.
Both servers have PowerShell 5 installed, and I ran Enable-PSRemoting.
The only difference I am aware of: server1 is Windows Server 2012, and server2 is Windows Server 2012 R2
Checked the SPNs (results below, same between servers)
Checked the results of “WinRM get winrm/config/client” (result below, same between servers)
Checked if there could be a firewall issue (results below, same between servers)
Ran Test-WSMan, for server1 that resulted in an error. (results below)
So the big question: What would it take to get PSRemoting working on server1? Preferably without CredSSP.
PS U:\> Enter-PSSession : Connecting to remote server server1 failed with the following error message : WinRM cannot process the request. The following error with errorcode 0x80090322 occurred while using Kerberos authentication: An
unknown security error occurred.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does not exist.
-The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ Enter-PSSession 'server1' -Credential:'mydomain\me'
+ CategoryInfo : InvalidArgument: (server1:String) [Enter-PSSession], PSRemotingTransportException
+ FullyQualifiedErrorId : CreateRemoteRunspaceFailed
PS U:\> setspn -l server1
Registered ServicePrincipalNames for CN=server1,OU=Servers,DC=mydomain,DC=com:
    WSMAN/server1.mydomain.com
    WSMAN/server1
    TERMSRV/server1.mydomain.com
    TERMSRV/server1
    RestrictedKrbHost/server1
    HOST/server1
    RestrictedKrbHost/server1.mydomain.com
    HOST/server1.mydomain.com
PS U:\> setspn -l server2
Registered ServicePrincipalNames for CN=server2,OU=Servers,DC=mydomain,DC=com:
    TERMSRV/server2
    TERMSRV/server2.mydomain.com
    WSMAN/server2.mydomain.com
    WSMAN/server2
    RestrictedKrbHost/server2
    HOST/server2
    RestrictedKrbHost/server2.mydomain.com
    HOST/server2.mydomain.com
On both servers:
PS C:\Windows\system32> WinRM get winrm/config/client
Client
    NetworkDelayms = 5000
    URLPrefix = wsman
    AllowUnencrypted = false
    Auth
        Basic = true
        Digest = true
        Kerberos = true
        Negotiate = true
        Certificate = true
        CredSSP = false
    DefaultPorts
        HTTP = 5985
        HTTPS = 5986
    TrustedHosts
PS U:\> Test-NetConnection -ComputerName server1 -Port 5985 | Select TcpTestSucceeded
TcpTestSucceeded
True
PS U:\> Test-NetConnection -ComputerName server1 -Port 5986 | Select TcpTestSucceeded
WARNING: TCP connect to server1:5986 failed
TcpTestSucceeded
False
PS U:\> Test-NetConnection -ComputerName server2 -Port 5985 | Select TcpTestSucceeded
TcpTestSucceeded
True
PS U:\> Test-NetConnection -ComputerName server2 -Port 5986 | Select TcpTestSucceeded
WARNING: TCP connect to server2:5986 failed
TcpTestSucceeded
False
PS U:\> Test-WSMan -ComputerName server1 -Authentication Kerberos
Test-WSMan : WinRM cannot process the
request. The following error with errorcode 0x80090322 occurred while using Kerberos
authentication: An unknown security error occurred.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does not exist.
-The client and remote computers are in different domains and there is no trust between the two
domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM TrustedHosts
configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following command: winrm help config.
At line:1 char:1
+ Test-WSMan -ComputerName server1 -Authentication Kerberos
+ CategoryInfo : InvalidOperation: (server1:String) [Test-WSMan], InvalidOperationException
+ FullyQualifiedErrorId : WsManError,Microsoft.WSMan.Management.TestWSManCommand
PS U:\> Test-WSMan -ComputerName server2 -Authentication Kerberos
wsmid : http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd
ProtocolVersion : http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
ProductVendor : Microsoft Corporation
ProductVersion : OS: 6.3.9600 SP: 0.0 Stack: 3.0
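
Error code 0x80090322 is SEC_E_WRONG_PRINCIPAL, and `setspn -l` lists only the SPNs held by the computer account itself. The script below is an added example, not part of the original post: it asks the domain which account holds each HTTP, WSMAN and HOST SPN for both hosts, flags any SPN held by another account or by more than one, and then repeats the Kerberos `Test-WSMan` check. Host and domain names are taken from the post; the list of service classes and all variable and function names are assumptions.

```powershell
# Added example (not from the original post). Host and domain names are the ones
# shown in the post; the choice of service classes to query is an assumption.
$targets = 'server1', 'server2'
$domain  = 'mydomain.com'
$classes = 'HTTP', 'WSMAN', 'HOST'

function Get-SpnOwner {
    param([Parameter(Mandatory)][string]$Spn)
    # "setspn -Q" searches the domain and prints the DN of each account that
    # holds the SPN; those lines start with "CN=".
    @(& setspn.exe -Q $Spn 2>$null | Where-Object { $_ -match '^CN=' })
}

$spnReport = foreach ($t in $targets) {
    $own = '^CN={0},' -f [regex]::Escape($t)
    foreach ($name in $t, "$t.$domain") {
        foreach ($class in $classes) {
            $owners  = @(Get-SpnOwner -Spn "$class/$name")
            $foreign = @($owners | Where-Object { $_ -notmatch $own })
            [pscustomobject]@{
                Spn     = "$class/$name"
                Owners  = $owners -join ' | '
                # Suspect: held by more than one account, or by an account
                # other than the target's own computer object.
                Suspect = ($owners.Count -gt 1) -or ($foreign.Count -gt 0)
            }
        }
    }
}
$spnReport | Format-Table -AutoSize -Wrap

# Repeat the post's Kerberos test per host and keep only the outcome.
foreach ($t in $targets) {
    try {
        Test-WSMan -ComputerName $t -Authentication Kerberos -ErrorAction Stop | Out-Null
        '{0}: Kerberos WSMan OK' -f $t
    } catch {
        '{0}: FAILED - {1}' -f $t, ($_.Exception.Message -split "`n")[0]
    }
}
```

An empty `Owners` column means no account has that exact SPN registered, which is the normal state for `HTTP/<host>` on a server that relies on its HOST SPN.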