Invoke-Command in PSSession

We have almost 300 servers running in a shared storage setup that requires some delicate management. Intensive disk use on more than a few servers at a time causes performance issues, but that’s what PowerShell is for right?

Unfortunately I’ve hit a snag: it’s most flexible to run this from within a PSSession on a central server, but then I cannot run Invoke-Command. In fact I can’t create any new sessions at all, local or remote; I just get the following error:

[(server)] Connecting to remote server (server) failed with the following error message
: WinRM cannot process the request. The following error with errorcode 0x8009030d occurred while using Negotiate
authentication: A specified logon session does not exist. It may already have been terminated.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does not exist.
-The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or
use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following command: winrm help config. For more
information, see the about_Remote_Troubleshooting Help topic.

I can only assume this is because you can’t create a session from within a session, but I can’t find any documentation on it or anything online. I’m aware of the double-hop dilemma and am pretty sure it’s not what is happening: I’m providing credentials, and the command runs perfectly fine when run outside a session.

Easily replicated with:

Enter-PSSession localhost
Invoke-Command -ComputerName <server> -Credential <credential> -ScriptBlock { $env:COMPUTERNAME }

Is there any way to allow this? I’d rather not need to set it up in a scheduled task with a database or something.

Welcome to double-hop authentication problems, or “you can’t do that by default.” That is in fact what’s happening. Have a look at “Secrets of PowerShell Remoting” on our eBooks page. It covers this.

You’re providing a credential, but you’re not doing the other things needed for this to work - such as specifying -UseSSL or forcing Basic authentication and using TrustedHosts. The problem is that because there’s no authentication context, the machine initiating the second connection can’t authenticate the identity of the third machine.

And, incidentally, the only reason Enter-PSSession localhost works so consistently is that there’s a hardcoded authentication exception for localhost. It’s always considered a trusted connection.

Ahh, I see. Once I eventually got hold of it (I guess with the site move the ebooks are temporarily offline? EDIT: now working, but Google links are still busted), The Secrets of PowerShell Remoting almost got me there. I found I additionally had to enable “Allow Delegation of Fresh Credentials with NTLM-only server authentication” and add the destination in there, and as these servers are not on a domain the credential is [server]\Administrator, and now it’s going through nicely.

Thank you for your assistance.
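For anyone reproducing the fix described above, the following is an added example (not code from the thread or from the eBook) of doing it from PowerShell rather than the Group Policy editor, with delegation scoped to named workgroup servers instead of a wildcard. The server names and the drive check are placeholders; it assumes an elevated prompt on the central server and that WinRM is already listening on the targets.

```powershell
# Added example: scope CredSSP delegation to the storage servers only, verify the
# resulting policy, then run the second hop with a prompted credential.
#Requires -RunAsAdministrator
param(
    # Placeholder names of the workgroup servers that may receive the delegated credential.
    [string[]]$DelegateTo = @('server01', 'server02')
)

# 1. Client-side CredSSP. This writes the AllowFreshCredentials policy for WSMAN/<host>
#    entries only; passing '*' here would let any server harvest the delegated password.
Enable-WSManCredSSP -Role Client -DelegateComputer $DelegateTo -Force | Out-Null

# 2. Workgroup targets authenticate with NTLM, not Kerberos, so the "fresh credentials
#    with NTLM-only server authentication" policy is needed as well (the setting the
#    original poster had to enable). Same list of WSMAN/<host> entries.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
$list = Join-Path $base 'AllowFreshCredentialsWhenNTLMOnly'
New-Item -Path $list -Force | Out-Null
Set-ItemProperty -Path $base -Name 'AllowFreshCredentialsWhenNTLMOnly'       -Value 1 -Type DWord
Set-ItemProperty -Path $base -Name 'ConcatenateDefaults_AllowFreshNTLMOnly'  -Value 1 -Type DWord
$index = 1
foreach ($server in $DelegateTo) {
    Set-ItemProperty -Path $list -Name ([string]$index) -Value "WSMAN/$server" -Type String
    $index++
}

# 3. Non-domain targets also have to be trusted by the WinRM client (or use HTTPS).
#    Again: exact names, not '*'.
Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value ($DelegateTo -join ',') -Concatenate -Force

# 4. Show what is now allowed so the change can be reviewed before use.
Get-WSManCredSSP
Get-ItemProperty -Path $list | Select-Object -Property * -ExcludeProperty PS*

# 5. Use it. The credential is prompted for, never written into the script.
$cred = Get-Credential -Message 'Administrator account on the storage servers'
Invoke-Command -ComputerName $DelegateTo -Authentication Credssp -Credential $cred -ScriptBlock {
    # Placeholder work: prove the second hop has a usable identity on each target.
    [pscustomobject]@{ Host = $env:COMPUTERNAME; User = whoami }
}

# 6. When the maintenance window is over, remove client-side delegation again:
#    Disable-WSManCredSSP -Role Client
```

CredSSP sends the full password to the target, so the value of this version over the policy editor is that the delegation list is visible in the script and in step 4, and each target must also have run Enable-WSManCredSSP -Role Server before it will accept the CredSSP request.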

I experienced this a lot when I first started. Below is not the safest way, but it works (at least until you can look at the books):

# Placeholder account and password; the password is in clear text in the script.
$Username = "Domain\Username"
$Password = ConvertTo-SecureString "Password" -AsPlainText -Force
$Cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $Username, $Password

# Placeholder target: the FQDN or IP address of the remote computer.
Invoke-Command -ComputerName "server01.example.com" -Authentication Credssp -Credential $Cred -ScriptBlock {
    # Stuff goes here
}
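As a hardened counterpart to the snippet above, here is an added example (not from the thread) that keeps the password out of the script: the credential is prompted for once and stored with Export-Clixml, which protects the secure string with the current user's DPAPI key, so the file is only readable by that user on that machine. The file path and target names are placeholders.

```powershell
# Added example: reuse a stored credential instead of embedding a plaintext password.
$credFile = Join-Path $env:LOCALAPPDATA 'storage-admin.cred.xml'   # placeholder path

if (-not (Test-Path -Path $credFile)) {
    # One-time interactive step. Export-Clixml encrypts the SecureString under the
    # caller's DPAPI key; the file is useless to other users or on other hosts.
    Get-Credential -Message 'server\Administrator for the storage servers' |
        Export-Clixml -Path $credFile
}
$Cred = Import-Clixml -Path $credFile

# Placeholder targets (FQDN or IP address, as in the snippet above).
$targets = @('server01.example.com', 'server02.example.com')

# Run the job on a small batch at a time so the shared storage is not hammered.
$batchSize = 3
for ($i = 0; $i -lt $targets.Count; $i += $batchSize) {
    $batch = $targets[$i..([Math]::Min($i + $batchSize, $targets.Count) - 1)]
    Invoke-Command -ComputerName $batch -Authentication Credssp -Credential $Cred -ScriptBlock {
        # Placeholder work for the second hop.
        Get-PSDrive -PSProvider FileSystem | Select-Object -Property Name, Used, Free
    }
}

# Rotate the stored credential by deleting the file; the next run re-prompts.
# Remove-Item -Path $credFile
```

Invoke-Command fans out to the computers in each batch concurrently (up to -ThrottleLimit, 32 by default), so the batch loop is what bounds the number of servers doing disk work at once.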