invoke-command to access non-joined server

Hi everyone, please forgive the newbie question and thank you for all your help.

I’m trying to access a non-joined server from a workstation joined to a domain. When using PowerShell in Administrator mode I try this code:

$S = New-PSSession -Credential 'IP-PKI-ROOT\administrator' -Authentication Negotiate -ComputerName 'IP-PKI-ROOT'
Invoke-Command -Session $S -ScriptBlock {$p = Get-Process PowerShell}

I have tried changing the -Authentication value to everything listed and get many different errors. The CredSSP and Negotiate errors are listed below.

New-PSSession : [IP-PKI-ROOT] Connecting to remote server IP-PKI-ROOT failed with the following error message : The WinRM client cannot process the request. CredSSP
authentication is currently disabled in the client configuration.

New-PSSession : [IP-PKI-ROOT] Connecting to remote server IP-PKI-ROOT failed with the following error message : WinRM cannot process the request. The following error
with error code 0x8009030e occurred while using Negotiate authentication: A specified logon session does not exist.

For CredSSP, given that the server needs to stay secure and out of remote access, I’m not sure if enabling CredSSP on the server compromises security.

What is the best way to access the server and run commands remotely on that server?

I really do thank you all for your knowledge and help.

You don’t have a shared authentication space. I’d suggest setting up the endpoint to use HTTPS rather than HTTP, and using Basic authentication. Negotiate is going to try CredSSP first, and the error is indicating that the far end doesn’t have it enabled.

Consider reading “Secrets of PowerShell Remoting” (it’s on our eBooks menu). Lots of good information.

You should be able to connect from a domain-joined machine to a workgroup machine if you configure the WS-Management Client TrustedHosts list properly as Administrator.

Search for “Modifying the TrustedHosts List” in our eBook “Secrets of PowerShell Remoting” in the chapter “Access Remote Computers”.

TrustedHosts list config:

Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value 'IP-PKI-ROOT' -Force

Connection script:

# The Authentication parameter for New-PSSession isn't required. Negotiate is the default, which will fall back to NTLM for workgroup machines.
$S = New-PSSession -Credential 'IP-PKI-ROOT\administrator' -ComputerName 'IP-PKI-ROOT'
Invoke-Command -Session $S -ScriptBlock {$p = Get-Process PowerShell}

I hope the above works for you.

  • Daniel
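
An added example (not part of Daniel's post or the eBook) of the TrustedHosts approach described above: it appends the target to the client's list instead of overwriting it, checks WinRM authentication, then opens the session. `Add-TrustedHost` is a hypothetical helper name, and the commented HTTPS line assumes the target already has an HTTPS listener with a certificate the client trusts.

```powershell
# Added example; Add-TrustedHost is a hypothetical helper name.
# Run in an elevated PowerShell session on the client (the machine you connect FROM).
function Add-TrustedHost {
    param([Parameter(Mandatory)][string]$ComputerName)

    # A wildcard entry would trust every host without verifying its identity.
    if ($ComputerName -match '\*') { throw "Refusing wildcard TrustedHosts entry: $ComputerName" }

    $path    = 'WSMan:\localhost\Client\TrustedHosts'
    $current = (Get-Item -Path $path).Value
    $entries = @($current -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })

    if ($entries -contains $ComputerName) { return }   # already listed, nothing to change

    # -Concatenate appends; Set-Item -Value on its own replaces the whole list.
    Set-Item -Path $path -Value $ComputerName -Concatenate -Force
}

$target = 'IP-PKI-ROOT'   # host name from the thread
$cred   = Get-Credential -UserName "$target\administrator" -Message 'Local account on the target'

Add-TrustedHost -ComputerName $target

# Authenticated Test-WSMan confirms the listener and the credentials before a session is built.
Test-WSMan -ComputerName $target -Credential $cred -Authentication Negotiate -ErrorAction Stop | Out-Null

$session = New-PSSession -ComputerName $target -Credential $cred
try {
    Invoke-Command -Session $session -ScriptBlock { Get-Process -Name powershell }
}
finally {
    Remove-PSSession -Session $session
}

# With an HTTPS listener and a certificate this client trusts (assumption), no TrustedHosts
# entry is needed and the server's identity is verified:
# $session = New-PSSession -ComputerName $target -Credential $cred -UseSSL
```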

Hi Daniel,
Thanks for the advice. I tried what you suggested and even tried setting up the HTTPS connection; both settings still get errors.
I’m thinking that the fact that the PKI-Root server is not a member of Workgroup but a member of the PKI workgroup, still technically a workgroup, may be different enough to prevent remote calls. I know that when I do an RDP I have to use the IP address or add an entry in my hosts file.
I’m now trying to do this all from the PKI-Root server out to the other 2 domain-joined servers.
I’ve added the domain-joined servers to the WSMan TrustedHosts and am still not having any luck.
Here’s the error:
New-PSSession : [IP-PKI-CRL-01] Connecting to remote server IP-PKI-CRL-01 failed with the following error message : The
WinRM client cannot process the request. If the authentication scheme is different from Kerberos, or if the client
computer is not joined to a domain, then HTTPS transport must be used or the destination machine must be added to the
TrustedHosts configuration setting.

What do you get if you use the IP address of the PKI root server instead? It shouldn’t matter if the workgroup is called WORKGROUP or PKI.