In our domain environment, I’m having some problems getting remote scripting to work in combination with “Credssp” for several servers. Please allow me to explain the setup and issues at hand.
ServerA, we use as our client server to remotely execute PS scripts.
ServerB, is one of our servers to which we connect with a Pssession command (actually several servers with the same behaviour).
ServerC, another server also used to connect to with a Pssession command (again actually several servers with also the same behaviour).
Both Servers B and C share the same Active Directory OU, thus have the same policies applied to them.
We have had the PSsessions working on both B and C, but recently something has changed and no longer we can create a Pssession to Server B. yet Server C still functions perfectly.
Now when we try to connect to Server B using the following commands, the next error appears:
$Credential = (Get-Credential -Credential $env:USERNAME) $PSSession = New-PSSession "ServerB" -Authentication Credssp -Credential $Credential -ErrorAction Continue Invoke-Command -Session $PSSession -FilePath "D:\Some-Script.ps1";"" Error: New-PSSession : [ServerB] Connecting to remote server Server B failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic. At line:1 char:14 + $PSSession = New-PSSession "ServerB" -Authentication Credssp -Credential ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotingTransportException + FullyQualifiedErrorId : AccessDenied,PSSessionOpenFailed
When I try the same thing, from the same client, but this time for ServerC, everything works fine.
Now ofcourse I did some research myself and allready checked the following steps:
Is my account member of the local Admin Group?
Yes, although through another group which resides in the Local admin group on both Server B and C
Also tried adding my account explicitly on the LocalAdmin group, no change.
Is the Firewall setup correctly
Yes, for both ServerA as ServerB the same rules are applied
I’ve added ServerB as a delegate computer on the client (ServerA) with this command
Enable-WSManCredSSP -Role Client -DelegateComputer ServerB and even Enable-WSManCredSSP -Role Client -DelegateComputer *.ourdomain
- Other Powershell commands I tried:
Enable-PSRemoting -force Enable-WSManCredSSP -Role Server -Force Set-WSManQuickConfig Get-WSManCredSSP The machine is not configured to allow delegating fresh credentials. This computer is configured to receive credentials from a remote client computer.
Now the funny thing is, New-PSSession in combination with Kerberos authentication DOES work!
Sadly in our environment we require Credssp.
Like mentioned before, we did have some changes with OU’s and policies and also a .net update.
It’s hard to pinpoint when exactly it stopped working on ServerB.
Does anyone here have a clue on where to look? Thanks in advance!