Invoke command using local admin creds

Hi,

I’m after a bit of advice.

I’m trying to invoke a command scriptblock but need to use local creds rather than domain creds.

I’ve tried to pass the creds using Get-Credential but I get the following error:

"WinRM cannot process the request, The following error with error code 0x80090311 occurred while using Kerberos Authentication "

Thanks in advance

Tom

Can you show the command you’re using? I’m guessing you’ve maybe hit the double-hop issue.

#LocalAdmin Account
$LAdmin = "$TimeServer\User"
$Password = Read-Host -AsSecureString "Enter Your Password:"
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $LAdmin, $Password

$TimeCreds = $Credential
$TimeServers = $servers
foreach ($TimeServer in $TimeServers) {
    Write-Host "Resyncing time on $TimeServer" -ForegroundColor DarkYellow
    Enter-PSSession -ComputerName $TimeServer
    Invoke-Command -ComputerName $TimeServer -ScriptBlock {"w32tm /resync"} -Credential $TimeCreds -Verbose -Debug
    Exit-PSSession
}

You’re using a bit of a strange method here. First you enter a PS remoting session, then you use Invoke-Command. That’s not the way to go. You can just use this if the server you connect to is domain joined:

Invoke-Command -ComputerName $TimeServer -ScriptBlock { w32tm /resync }

If that server is not domain joined, then you have to set up your configuration for this. Check this eBook for the details:

Enter-PSSession -ComputerName $TimeServer
Invoke-Command -ComputerName $TimeServer -ScriptBlock {"w32tm /resync"} -Credential $TimeCreds -Verbose -Debug

Here, the Enter-PSSession is redundant. Just remove that and the Exit-PSSession. Invoke-Command will then spin up a new session to the remote machine, and that new session will be spun up using the credentials you desire. What you’re currently doing is…

  1. Connecting from ComputerA to ComputerB, and delegating your ComputerA credentials

  2. Asking ComputerB to connect to ComputerC (which is in fact still ComputerB), using a set of specified credentials - this isn’t legal using Kerberos, which is the default authentication protocol

It might be worth reading up a bit on some of Remoting’s basics, so that you have a better feel for how sessions are used and managed. We have a free Remoting book (on our eBooks page) that goes over the foundations, if that helps.

Hi,

Thanks for the replies, I kinda knew what I was doing was wrong. But I was just testing different methods to see if I could get it working.

Anyway, if I remove the Enter-PSSession I still get the same issue. I need to pass the local Admin creds to allow me to run the command w32tm /resync.

Basically, the Domain Controllers are being aged (Date changed to the future) and I need to resync all the times as quickly as possible. I want to try to avoid having to log onto each server and run the command. So I need to use the local admin account rather than the domain account as this is blocked due to the time difference between host and DC.

Thanks

Tom

Ah.

So… I’m not actually sure that’ll work. At least not with Kerberos, and at least not how you’re doing it. You’re probably going to have to enable, and then use, Basic authentication. That’ll mean either implementing SSL on the DCs, or adding them to your local TrustedHosts list. Be aware that without SSL, you’re passing username/password in clear text.

The problem is that Kerberos doesn’t let you authenticate using non-Domain credentials. That’s more or less the point of it, in fact. So if the domain isn’t an option, then neither is Kerberos. Nothing else will be enabled on the DCs by default, though, so you’ll have to enable Basic or something else - possibly using a Group Policy, if possible, or manually if not.
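
The approach described in the reply above (local credentials with Basic authentication over an SSL listener), as an added example that is not code from the thread. The host names, the account name, and the state of the targets (HTTPS listener present, Basic enabled on the service) are assumptions.

```powershell
# Added example, not code from the thread. Assumptions: run from an elevated session;
# each target already has a WinRM HTTPS listener (port 5986) with a certificate this
# client trusts; Basic is enabled on the target's WinRM service; the same local
# account exists on every host.
$servers   = 'TIME01', 'TIME02'          # constructed sample host names
$localUser = 'Administrator'             # assumed local account name
$password  = Read-Host -AsSecureString 'Local admin password'
$cred      = New-Object System.Management.Automation.PSCredential ($localUser, $password)

# Preflight (read-only): Basic must be allowed on the client, and unencrypted
# traffic must stay disabled so Basic credentials can never go out over plain HTTP.
if ((Get-Item WSMan:\localhost\Client\Auth\Basic).Value -ne 'true') {
    throw 'Basic authentication is disabled in the local WinRM client configuration.'
}
if ((Get-Item WSMan:\localhost\Client\AllowUnencrypted).Value -eq 'true') {
    throw 'AllowUnencrypted is true on this client; set it back to false before using Basic.'
}

$results = foreach ($server in $servers) {
    try {
        # Confirms the HTTPS listener answers and accepts these credentials
        Test-WSMan -ComputerName $server -UseSSL -Authentication Basic `
            -Credential $cred -ErrorAction Stop | Out-Null

        # -UseSSL keeps the Basic credentials inside TLS; the certificate is validated
        $output = Invoke-Command -ComputerName $server -UseSSL -Authentication Basic `
            -Credential $cred -ErrorAction Stop -ScriptBlock {
                w32tm /resync 2>&1 | Out-String
            }
        [pscustomobject]@{ Server = $server; Ok = $true; Detail = "$output".Trim() }
    }
    catch {
        # Authentication, TLS and connectivity failures are reported per server
        [pscustomobject]@{ Server = $server; Ok = $false; Detail = $_.Exception.Message }
    }
}
$results | Format-Table -AutoSize -Wrap
```

Because the connection uses `-UseSSL`, no TrustedHosts entry is involved and the password is never sent over plain HTTP.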

Thanks for the advice.

I’m trying to get this working by enabling basic authentication and trustedhosts, but not having any joy.

I’ll keep trying tho, and post the answer once I’ve solved it.

Thanks for your time.

Tom

Yeah, PS Remoting can be a pain in the b*tt sometimes. I hope you’ll have success and are willing to share your efforts here.