PS Remoting - Windows to Linux with Domain Authentication

Good afternoon,

I am trying to get RHEL Linux boxes in our environment configured to allow PS remote connectivity, but am falling flat on my face. Out Linux servers are all domain joined, and SSH is configured and working with domain based credentials, but trying to connect via PowerShell is yielding Access is denied

For our test bed, the following has been done (Client: Windows 10, Server: RHEL 8)

  1. PowerShell 7 is install on both client and server
  2. OMI is installed on the server
  3. PSRP is installed on the server
  4. Port 5986 is allowed to pass through the firewall on the server
We then configure an options variable, and try to connect to the server:

$options = New-PSSessionOption -SkipCACheck -SkipRevocationCheck -SkipCNCheck

Enter-PSSession -ComputerName testhost.domain.com -Authentication Kerberos -UseSSL

Which yields:

Enter-PSSession: Connecting to remote server testhost.domain.com failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.

We get the same error when trying to configure a credentials variable to pass: $creds = Get-Credential (using user@DOMAIN.COM and the same password) and changing the connection string to use -Credential $creds instead of -Authentication.

Has anyone else struggled like this with domain authentication for PSRemoting from Windows to Linux?

Are you working from this guide?

You assigned the $options variable, but it doesn’t look like you actually implemented it in your Enter-PSSession command.

What result do you get when do:

Test-NetConnection -Computername 192.168.34.13 -Port 5986

Test-NetConnection yields the following on the Linux server:

ComputerName : Computer1
RemoteAddress : Linux server IP
RemotePort : 5986
InterfaceAlias : Ethernet0
SourceAddress : Windows server IP
TcpTestSucceeded : True

I have tried the following connection strings:

Enter-PSSession -ComputerName Computer1 -Authentication Kerberos -SessionOptions $Options
Enter-PSSession -ComputerName Computer1 -Credentials $Creds -SessionOptions $Options

Both of these are showing the same error message when connecting.

Hmm, so your network configuration seems good up to the port on the server, so most likely an account/authentication issue.

What happens if you use -HostName rather than -ComputerName as in Example 6?
This should open an ssh session to the server in PowerShell, rather than a PSRemote session.

I have tried a bunch of different combinations trying to get SSH to work, and honestly SSH would be easier to deploy to our Linux servers versus getting WSMan installed.

I am seeing access denied using this method as well. I am attempting to use domain authentication, which works via Putty or other SSH client. I have tried the following formats:

<username>
<username>:DOMAIN.COM
DOMAIN.COM&lt;username>
<username>:DOMAIN.COM@<servername>

With whatever username I put in, it prompts for a password with @<servername>. I have also tried putting these formats into a variable with Get-Credential, all of which yield the same thing.

Thank you for your time!

One other method I tried was to just use -HostName. The format for the username it pulled was domain&lt;username>@<server>. When I entered my password at this prompt I was returned: Enter-PSSession: The background process reported an error with the following message: The SSH client session has ended with error message: subsystem request failed on channel 0.

Just to be sure I understand correctly:

  • You can establish an SSH session with domain credentials from Windows to Linux using a third-party client such as Putty.
  • You cannot establish a PSRemote session with domain credentials from Windows to Linux using PowerShell (-ComputerName option)
  • You cannot establish an SSH session with domain credentials from Windows to Linux using PowerShell (-HostName option)

So…

  1. What happens when you attempt to authenticate to the Linux server with a local (Linux) account rather than a domain account?
  2. Have you added a subsystem entry for PowerShell to sshd_config as per Step 3?
  3. When you attempt to establish the session via SSH in PowerShell, does a PowerShell host process get created on the Linux system as described in the overview?

Authenticating with a local account yields the same error:
Enter-PSSession: The background process reported an error with the following message: The SSH client session has ended with error message: subsystem request failed on channel 0.

I must have looked over this part for the sshd config on the target Linux box at least 10 times. Adding the subsystem allowed me to connect with both local and domain user accounts.

I am still getting access denied trying to use -Authentication Kerberos, but this is likely more tweaking that I need to do in the sshd_config file. It also would have been nice to get the WSMan service up and working, but this will meet my needs and provide less work for the Linux team.

Thank you for focusing my brain!

 

You’re welcome, glad I could help. If you do get the Kerberos authentication working, please update! This forum comes up in Google search results fairly often, so your problem solving may help someone else.