Hi,
I’m looking for some help with a problem: managing a couple of servers outside of our domain with PowerShell remoting.
I followed the guide “Secrets of PowerShell Remoting” and configured an HTTPS listener, and the listener works.
I can establish a connection via SSL with a local user:
PS C:\Users\adm_cbrumm\Documents> $session = New-PSSession -ComputerName server.fqdn -Credential "HBGERPV001\fct_psr_Admin" -UseSSL
PS C:\Users\adm_cbrumm\Documents> Enter-PSSession -Session $session
[server.fqdn]: PS C:\Users\fct_psr_ADMIN\Documents>
Then I created a user cert and imported it into the Trusted People store:
[server.fqdn]: PS C:\Users\fct_psr_ADMIN\Documents> Get-ChildItem Cert:\LocalMachine\TrustedPeople

   Directory: Microsoft.PowerShell.Security\Certificate::LocalMachine\TrustedPeople

Thumbprint                                Subject
----------                                -------
D77AC0C0E6AC433ADB822C7E82663638B730552C  CN=psr_Admin Function, OU=QSC, OU=FCT, OU=ACCOUNTS, OU=CENTRAL, DC=***...
and I imported the cert of the issuing CA:
[server.fqdn]: PS C:\Users\fct_psr_ADMIN\Documents> Get-ChildItem Cert:\LocalMachine\CA | where { $_.Subject -match 'PKP'}

   Directory: Microsoft.PowerShell.Security\Certificate::LocalMachine\CA

Thumbprint                                Subject
----------                                -------
557A8CE0C284DDE39CB0B6724B07B0C0D83EE086  CN=***-***-CA, DC=***, DC=LAN
and enabled cert-based auth:
[server.fqdn]: PS C:\Users\fct_psr_ADMIN\Documents> get-item -path WSMan:\localhost\Service\Auth\Certificate

   WSManConfig: Microsoft.WSMan.Management\WSMan::localhost\Service\Auth

Type            Name                           SourceOfValue   Value
----            ----                           -------------   -----
System.String   Certificate                                    true
I created a mapping (the wildcard in subject came in while debugging):
[server.fqdn]: PS C:\Users\fct_psr_ADMIN\Documents> Get-Item -Path WSMan:\localhost\ClientCertificate\ClientCertificate_479242521 | fl *

PSPath            : Microsoft.WSMan.Management\WSMan::localhost\ClientCertificate\ClientCertificate_479242521
PSParentPath      : Microsoft.WSMan.Management\WSMan::localhost\ClientCertificate
PSChildName       : ClientCertificate_479242521
PSDrive           : WSMan
PSProvider        : Microsoft.WSMan.Management\WSMan
PSIsContainer     : True
Keys              : {URI=*, Issuer=557A8CE0C284DDE39CB0B6724B07B0C0D83EE086, Subject=*}
Name              : ClientCertificate_479242521
TypeNameOfElement : Container
Type              : Container
and tried to connect …
PS C:\Users\adm_cbrumm\Documents> $session = New-PSSession -ComputerName server.fqdn -CertificateThumbprint D77AC0C0E6AC433ADB822C7E82663638B730552C
New-PSSession : [server.fqdn] Connecting to remote server server.fqdn failed with the following error message : The WinRM client cannot process the request. The destination computer (server.fqdn:5986) returned an 'access denied' error. Specify one of the authentication mechanisms supported by the server. If Kerberos mechanism is used, verify that the client computer and the destination computer are joined to a domain. Possible authentication mechanisms reported by server: Negotiate Kerberos ClientCerts For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:12
+ $session = New-PSSession -ComputerName server.fqdn -Certifi ...
+            ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotingTransportException
    + FullyQualifiedErrorId : AccessDenied,PSSessionOpenFailed
After a whole day of controlling every step I have no idea what to do next …
Thanks for your help!
Chris
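As an added example, not part of the thread above and not the guide's code: a PowerShell check script to run on the WinRM server that tests the prerequisites certificate mapping depends on (service-side certificate auth enabled, client cert present in Trusted People, Client Authentication EKU, a UPN in the Subject Alternative Name, a chain that validates on the server, and a mapping keyed on the issuer thumbprint). The thumbprints default to the values shown in the post; the EKU and UPN-in-SAN checks come from WinRM's documented certificate-auth requirements, not from the thread.

```powershell
# Added diagnostic (not from the thread). Run on the WinRM server.
# Thumbprint defaults are the values quoted in the post; override as needed.
param(
    [string]$ClientThumbprint = 'D77AC0C0E6AC433ADB822C7E82663638B730552C',
    [string]$IssuerThumbprint = '557A8CE0C284DDE39CB0B6724B07B0C0D83EE086'
)

$results = [ordered]@{}

# 1. Certificate authentication must be enabled on the service side.
$results['Service\Auth\Certificate = true'] =
    (Get-Item WSMan:\localhost\Service\Auth\Certificate).Value -eq 'true'

# 2. The client certificate must be present in Trusted People.
$cert = Get-ChildItem Cert:\LocalMachine\TrustedPeople |
        Where-Object Thumbprint -eq $ClientThumbprint
$results['Client cert in TrustedPeople'] = [bool]$cert

if ($cert) {
    # 3. Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2) is required.
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $results['Client Authentication EKU'] =
        [bool]($eku.EnhancedKeyUsages | Where-Object Value -eq '1.3.6.1.5.5.7.3.2')

    # 4. A UPN in the Subject Alternative Name; the mapping's Subject key
    #    is matched against this value, not against the certificate CN.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($san) { $san.Format($false) } else { '' }
    $results['UPN (Principal Name) in SAN'] = $sanText -match 'Principal Name='

    # 5. The issuing chain must validate on this machine (root trusted,
    #    any intermediate CA resolvable), otherwise the mapping never applies.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $results['Chain builds (issuer trusted)'] = $chain.Build($cert)
}

# 6. A mapping whose Issuer key equals the CA thumbprint must exist.
$maps = Get-ChildItem WSMan:\localhost\ClientCertificate
$results['Mapping for issuer exists'] = [bool]($maps | Where-Object {
    $_.Keys -contains "Issuer=$IssuerThumbprint" })

# Print one line per check; anything marked CHECK is a candidate cause
# for the 'access denied' reply the client receives.
$results.GetEnumerator() | ForEach-Object {
    '{0,-40} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'CHECK' })
}
```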