Unable to do PowerShell remoting - plz guide.

Hello Team,
As per my thread title, I am unable to remote a 2016 DC. Following is the scenario;
My current forest structure is like site1.childdomain.parentdomain.com.
I am remoting through parentdomain.com. There is no trust between them. It's a different entity, for testing purposes only.
So I added *.childdomain.parentdomain.com in trustedhost list. And then I was able to remote a site1.childdomain.parentdomain.com DC using its specific credential.
But I am unable to remote at site2.childdomain.parentdomain.com dcs.
I checked, IPv6 was Disable, Firewall was disabled, WSman running, its server 2016, yet I executed enable-psremoting, winrm qc. But no luck.
Following is the error when I use ICM {gps} -cn DC02.site2.childdomain.parentdomain.com.
[pre]Connecting to remote server DC02.site2.childdomain.parentdomain.com failed with the following error message : A specified
logon session does not exist. It may already have been terminated. For more information, see the about_Remote_Troubleshooting Help topic.
+ CategoryInfo : OpenError: (DC02.site2.childdomain.parentdomain.com:String) [], PSRemotingTransportException
+ FullyQualifiedErrorId : 1312,PSSessionStateBroken
[/pre]
Following is the output of Test-wsman -cn DC02.site2.childdomain.parentdomain.com -Authentication Negotiate -Credential $cred
[pre]Test-WSMan : <f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="5" Machine="mypc.parentdomain.com"><f:Message>Access
is denied. </f:Message></f:WSManFault>
At line:1 char:1
+ Test-WSMan -cn "DC02.site2.childdomain.parentdomain.com" -Authentication Negotiate - ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (DC02.site2.childdomain.parentdomain.com:String) [Test-WSMan], InvalidOperationException
+ FullyQualifiedErrorId : WsManError,Microsoft.WSMan.Management.TestWSManCommand
[/pre]
Finally, I did mstsc to the DC02.site1.childdomain.parentdomain.com, and use enter-pssession DC02.site2.childdomain.parentdomain.com. Now it worked.
I got frustrated. What is the issue then? Is anything wrong with trusted host? I am suspecting this one, but as per logic it shouldn't be the issue.
Could anyone point me out.
Thank you.
Roy.

I'm sorry team, I made some formatting / tag mistake. It looks a bit weird for the error messages. Only a single line was placed under the pre tag. I'm really sorry.

Have you looked at Secrets of PowerShell Remoting?

Thanks for the reference, I'll definitely read that. For now could you plz suggest where I should check without referring to the entire book.

This is an environmental thing on your side, and since we are not in your environment, we’d be guessing.

There are many things that can cause Access Denied. This is not specific to PS.

How do you enable PSRemoting, on the destination?
What account are you trying to use for this remoting session?
What exactly are you trying to do? (many cmdlets / actions require you be a local admin on the target.)

Adding something to trusted host is a PSRemoting workgroup config, not domain. Even so there are settings, when in workgroup mode, that you must set for it to work.

In a domain model, there should be little reason to do this. Which means you have a misunderstanding about how PSRemoting should work. Thus the suggestion of reading the eBook, or one like it, is prudent so that you can approach this as defined.

Windows authentication boundaries will prevent remoting as well as the dreaded double hop Auth issues.

Resolve Double-Hop Issue in PowerShell Remoting
https://www.codeproject.com/Tips/847119/Resolve-Double-Hop-Issue-in-PowerShell-Remoting

Enabling Multihop Remoting
https://devblogs.microsoft.com/scripting/enabling-multihop-remoting

Enable PowerShell Double-Hop Remoting
https://www.travisgan.com/2014/03/enable-powershell-double-hop-remoting.html

PowerShell Remoting Kerberos Double Hop Solved Securely
https://blogs.technet.microsoft.com/ashleymcglone/2016/08/30/powershell-remoting-kerberos-double-hop-solved-securely

Windows firewalls or other security gateways between source and destination can choke out things as well.

What port does PowerShell remoting use?
https://blogs.technet.microsoft.com/christwe/2012/06/20/what-port-does-powershell-remoting-use

Thanks for the detailed guide. I know it's an env issue. But for now I was unable to think where to start.

As I mentioned earlier, if I mstsc to site1 server and then do psremote to site2 server, it's working. But when I'm doing psremoting from parent domain using trusted host, where trust is not available, there I get the access denied issue.

If it's an account level issue it should block every time. That's why I'm suspecting trusted host. I already started reading the book, I hope I'll manage something. In the meantime, if you think I should check … areas, plz let me know.

In trusted host list I added *.childdomain.parentdomain.com. Plz confirm me that should allow me to psremote all the servers under same namespace, Or I have to add each server.

Thanks again.

Roy.

Don’t use mstsc as any indicator of relevance of what you are seeing / using in PowerShell. Both have their own port/protocol/Comms requirements.

mstsc (uses RDP) and PSRemoting (uses WinRM/WMI/DCOM/CIM) are two entirely different things.

If you cannot do basic WMI / DCOM / CIM calls to that target, then you are being blocked by something upstream, or it's a configuration issue on the target(s).

Secondly, don’t do this… *.childdomain.parentdomain.com —
Put the specific host name, into TrustedHosts. Configure the remote machine to have an HTTPS listener - the SSL certificate you’ll install will make the mutual authentication happen.

See also:
https://devblogs.microsoft.com/scripting/remoting-week-non-domain-remoting
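
The advice in the last reply (one specific host in TrustedHosts plus an HTTPS listener on the target), sketched as an added example that is not part of any post in this thread. It assumes a certificate for the target's FQDN, issued by a CA the client trusts, is already installed in the target's computer store; the firewall rule name is made up for illustration.

```powershell
# --- On the target (DC02), in an elevated session -------------------------
# Assumption: a server certificate for this FQDN is already installed in
# Cert:\LocalMachine\My and chains to a CA that the client machine trusts.
$fqdn = 'DC02.site2.childdomain.parentdomain.com'
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        $_.DnsNameList.Unicode -contains $fqdn -and
        # 1.3.6.1.5.5.7.3.1 is the Server Authentication EKU
        $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1'
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No valid server-authentication certificate for $fqdn" }

# Create the WinRM HTTPS listener (TCP 5986) bound to that certificate.
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
    -CertificateThumbPrint $cert.Thumbprint -Force

# Hypothetical rule name; allow inbound WinRM over HTTPS.
New-NetFirewallRule -DisplayName 'WinRM over HTTPS (5986)' -Direction Inbound `
    -Protocol TCP -LocalPort 5986 -Action Allow

# --- On the client (mypc.parentdomain.com), in an elevated session ---------
$target  = 'DC02.site2.childdomain.parentdomain.com'
$current = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value

# Keep existing entries except wildcard patterns, then add the one host.
$entries = @($current -split ',' |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -and $_ -notmatch '\*' })
if ($entries -notcontains $target) { $entries += $target }
Set-Item WSMan:\localhost\Client\TrustedHosts -Value ($entries -join ',') -Force

# Check transport and authentication over HTTPS, then run the same command
# that failed in the original post (gps = Get-Process).
$cred = Get-Credential
Test-WSMan -ComputerName $target -UseSSL -Authentication Negotiate -Credential $cred
Invoke-Command -ComputerName $target -UseSSL -Credential $cred -ScriptBlock { Get-Process }
```

With `-UseSSL` the client validates the server certificate's name and chain, so the connection fails if the name used in `-ComputerName` does not match the certificate.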