Pssession credssp issue

Hi all,

In our domain environment, I’m having some problems getting remote scripting to work in combination with “Credssp” for several servers. Please allow me to explain the setup and issues at hand.

ServerA, we use as our client server to remotely execute PS scripts.
ServerB, is one of our servers to which we connect with a Pssession command (actually several servers with the same behaviour).
ServerC, another server also used to connect to with a Pssession command (again actually several servers with also the same behaviour).

Both Servers B and C share the same Active Directory OU, thus have the same policies applied to them.
We have had the PSSessions working on both B and C, but recently something has changed and we can no longer create a PSSession to Server B, yet Server C still functions perfectly.

Now when we try to connect to Server B using the following commands, the next error appears:

$Credential = (Get-Credential -Credential $env:USERNAME)
$PSSession = New-PSSession "ServerB" -Authentication Credssp -Credential $Credential -ErrorAction Continue
Invoke-Command -Session $PSSession -FilePath "D:\Some-Script.ps1";""

Error:
New-PSSession : [ServerB] Connecting to remote server Server B failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:14
+ $PSSession = New-PSSession "ServerB" -Authentication Credssp -Credential  ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotingTransportException
    + FullyQualifiedErrorId : AccessDenied,PSSessionOpenFailed

When I try the same thing, from the same client, but this time for ServerC, everything works fine.
Now of course I did some research myself and already checked the following steps:

  • Is my account member of the local Admin Group?
    Yes, although through another group which resides in the Local admin group on both Server B and C
    Also tried adding my account explicitly on the LocalAdmin group, no change.

  • Is the firewall set up correctly?
    Yes, for both ServerA and ServerB the same rules are applied

  • I’ve added ServerB as a delegate computer on the client (ServerA) with this command

Enable-WSManCredSSP -Role Client -DelegateComputer ServerB

and even

Enable-WSManCredSSP -Role Client -DelegateComputer *.ourdomain

  • Other PowerShell commands I tried:

Enable-PSRemoting -force

Enable-WSManCredSSP -Role Server -Force

Set-WSManQuickConfig

Get-WSManCredSSP
The machine is not configured to allow delegating fresh credentials. 
This computer is configured to receive credentials from a remote client computer.

Now the funny thing is, New-PSSession in combination with Kerberos authentication DOES work!
Sadly in our environment we require Credssp.
Like mentioned before, we did have some changes with OUs and policies and also a .NET update.
It’s hard to pinpoint when exactly it stopped working on ServerB.

Does anyone here have a clue on where to look? Thanks in advance!

T.O. out

You’ve done everything I think I would have tried, to troubleshoot this. It may be that something is broken, as opposed to merely misconfigured. I’ve seen a few instances where “something” in Remoting or WS-Man just gets screwed up. What versions of Windows and WMF are you dealing with?

Hey Don,

Thanks a million for looking into this.
Our environment is Windows 2008 R2 and we recently upgraded to WMF 3.0, in order to use Powershell 4.0

Of course it could simply be broken, but this isn’t just one server. It’s about a dozen servers that suddenly showed this behavior.
All the other servers in our setup are still working as they used to. So personally I was thinking more in line of a stale registry entry that causes the problems, but that’s because I don’t know where to look anymore.

Thanks again, and if someone might have a hunch, please let me know!

T.O.

There’s not actually much living in the registry.

So, some troubleshooting.

Can you directly remote to these broken machines? Without the hop in the middle? As a test? Using an account you know has local Administrator privileges on them.

Can you make CIM connections (Get-CimInstance) to these machines?

On an affected machine, run Get-PSSessionConfiguration | fl * to confirm the access control list on the default microsoft.powershell Remoting endpoint.

BTW, WMF4.0 is what PowerShell 4.0 comes in. It might be worth checking $PSVersionTable to make sure you know what version you’re running.
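The checks discussed so far in the thread can be gathered into one side-by-side comparison of the broken and the working host. This is an added example, not part of any poster's reply; it assumes it is run from the client (ServerA) in an elevated console by an account that is a local administrator on both servers, and it uses the thread's host names ServerB and ServerC.

```powershell
# Added example, not code from the thread. ServerB / ServerC are the thread's host names.
$servers = 'ServerB', 'ServerC'
$cred    = Get-Credential -Credential $env:USERNAME

# Client side: SPN patterns this machine may delegate fresh credentials to.
# Enable-WSManCredSSP -Role Client writes here; a domain GPO can overwrite it.
$delegKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentials'
$allowedSpns = @()
if (Test-Path $delegKey) {
    $key         = Get-Item $delegKey
    $allowedSpns = @($key.GetValueNames() | ForEach-Object { $key.GetValue($_) })
}

$report = foreach ($server in $servers) {
    # Server side: read winrm/config/service/auth over the default authentication
    # (Kerberos in a domain), which the thread reports as working for both hosts.
    $auth = Get-WSManInstance -ResourceURI winrm/config/service/auth -ComputerName $server
    $node = $auth.SelectSingleNode("*[local-name()='CredSSP']")

    # Send an authenticated WS-Man identify request using CredSSP, without opening a session.
    $credSspTest = 'OK'
    try {
        Test-WSMan -ComputerName $server -Authentication Credssp -Credential $cred -ErrorAction Stop |
            Out-Null
    } catch {
        $credSspTest = $_.Exception.Message
    }

    [pscustomobject]@{
        Server         = $server
        ServiceCredSSP = if ($node) { $node.InnerText }              # 'true' or 'false'
        SettingSource  = if ($node) { $node.GetAttribute('Source') } # 'GPO' if a policy sets it
        # True when an allowed pattern (for example wsman/*.ourdomain) matches the name used
        SpnDelegated   = [bool]($allowedSpns | Where-Object { "wsman/$server" -like $_ })
        CredSspTest    = $credSspTest
    }
}

$report | Format-List
"Delegation targets on this client: $($allowedSpns -join ', ')"
```

A difference between the two rows in ServiceCredSSP, SettingSource or SpnDelegated narrows the problem to the server's WinRM service settings, a policy override, or the client's delegation list respectively.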

Did you make sure .NET Framework 4.0 was installed before WMF 4? The WMF 4 installer doesn’t check and you end up with a partially broken PowerShell.

Sorry for the delay, but here is the extra info:

Name                           Value
PSVersion                      4.0
WSManStackVersion              3.0
SerializationVersion           1.1.0.1
CLRVersion                     4.0.30319.42000
BuildVersion                   6.3.9600.16406
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0}
PSRemotingProtocolVersion      2.2

Versions are the same on the working servers.

The authorizations are fine, even tried with my own account added to the ACL.
Connecting with Kerberos works fine, just the CredSSP parameter that gives the “Access Denied”.
Also CIM connections seem to work fine.

@TomBaker
I’m not sure which hotfix I installed first. If it would be a case of a partially broken PS, are there any other problems/signs that might show if that’s true? Besides the CredSSP issues, I haven’t experienced any other issues while using PS on the affected servers.

Thanks again all.
T.O.

Something I have hit before is FQDN in the PSSession command.

Try:

$PSSession = New-PSSession "ServerB.domain.name.com" -Authentication Credssp -Credential $Credential -ErrorAction Continue

Were you able to resolve the issue? If so would it be possible for you to shed some light on how this issue was resolved in your environment?