Solved

PowerShell problems when using invoke-command

Posted on 2014-02-16
Last Modified: 2014-02-22
Within a PowerShell window, when trying to use "invoke-command" on my local host, I am able to execute a script when using "localhost" in the ComputerName parameter, but when I use my IP address instead of localhost, it fails. This happens both on my local host (Windows 8) and on another server (Windows 2008 R2). I checked, and the WinRM service is running and configured:
PS C:\Users\mirit.VENOTION\Desktop> winrm quickconfig
WinRM service is already running on this machine.
WinRM is already set up for remote management on this computer.

invoke-command -ComputerName localhost -FilePath test.ps1 : works well

invoke-command -ComputerName 192.168.0.135 -Credential <username> -UseSSL -FilePath test.ps1:
[192.168.0.98] Connecting to remote server 192.168.0.98 failed with the following error message : The client cannot
connect to the destination specified in the request. Verify that the service on the destination is running and is
accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most
commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to
analyze and configure the WinRM service: "winrm quickconfig". For more information, see the
about_Remote_Troubleshooting Help topic.
    + CategoryInfo          : OpenError: (192.168.0.98:String) [], PSRemotingTransportException
    + FullyQualifiedErrorId : CannotConnect,PSSessionStateBroken
Question by:Miritm
 
LVL 11

Expert Comment

by:Technodweeb
ID: 39862868
I do not know for certain but it appears by the message that if you use the -ComputerName parameter it tries to do a lookup on the name to get the IP address. LocalHost is a TCP constant that will always resolve to 127.0.0.1 or similar. To test this theory try these two things...
1. Run the command: invoke-command -ComputerName 127.0.0.1 -Credential <username> -UseSSL -FilePath test.ps1
If you get the same error message, then I am right in my lookup theory...
2. Run it this way: invoke-command -ComputerName <YOUR ACTUAL COMPUTER NAME> -Credential <username> -UseSSL -FilePath test.ps1
Again, if this works, you must specify a DNS or NetBIOS name that can be resolved for the -ComputerName parameter to be used.
 
LVL 68

Expert Comment

by:Qlemo
ID: 39863021
In addition, you will have to make sure DNS can reverse-resolve the IP address (!) to a name, and that name is correct. It is a documented (?) "feature" - DNS resolution is tried even with IP addresses.
 
LVL 2

Expert Comment

by:c_kedar
ID: 39864101
Even if WinRM is running on the destination server, it may not be accessible on the given IP due to some firewall/network connectivity settings.

Run 'netstat -anb' to find which port WinRM is running on.

Then try to connect to that port from your localhost.
You can use the 'telnet <ipaddr> <port>' command on localhost if the telnet utility is available on your machine. Else see http://stackoverflow.com/questions/9566052/how-to-check-network-port-access-and-display-useful-message.
 

Author Comment

by:Miritm
ID: 39864365
Tried netstat -anb but it did not list winrm at all, although 'winrm quickconfig' says that winrm is already running.
Using 127.0.0.1 or the machine name worked just like localhost - without credentials it works, when I try to add the credentials it prompts me for a username/password and then fails with the above message. So far I wasn't able to work around it. It seems to be related to the credentials, but so far I wasn't able to find out how.
 
LVL 2

Expert Comment

by:c_kedar
ID: 39864553
As the error message says: "The client cannot connect to the destination specified in the request. Verify that the service on the destination is running and is accepting requests."
I think it is an issue of connectivity rather than credentials at this point in time.

WinRM runs on either 3190 or 5985.
Find out where it is running using "winrm enumerate winrm/config/listener".
Do try a connectivity check using telnet or TcpClient.

Hopefully this will help identify the issue; else share the result of the above command and the connectivity test.
 

Author Comment

by:Miritm
ID: 39864589
Thanks for the help so far.

WinRM runs on 5985
Output of winrm enumerate winrm/config/listener:

Listener
    Address = *
    Transport = HTTP
    Port = 5985
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = 127.0.0.1, 169.254.88.184, 169.254.105.188, 192.168.0.135, ::1, fe80::5efe:192.168.0.135%16, fe80::ffff:ffff:fffe%17, fe80::b8f9:ca25:9d88:58b8%15, fe80::c460:7e24:e9cf:69bc%13, fe80::ccca:4a37:1dc6:d85b%12

It responds to telnet to this port and opens a session.

It all works OK when I use localhost or the host name, and does not require authentication. But when I'm using the IP address it requires authentication, and when I provide it, it then fails with the message that I specified.
 
LVL 11

Expert Comment

by:Technodweeb
ID: 39865525
Keep in mind that authentication may be in the format of <machineName>\<UserName> or <DomainName>\<UserName> if on a Windows domain. The username will be for a user account on the remote machine that has permission to run the script locally.
 
LVL 68

Expert Comment

by:Qlemo
ID: 39865542
Kerberos authentication does not work with IP addresses, it needs names (and domain membership). That might be another reason you get an authentication request.
And remember you have set the -UseSSL switch - you are using HTTPS, not HTTP.
 
LVL 16

Expert Comment

by:cantoris
ID: 39875426
Not seeking points here but I wanted to up-vote what Qlemo just said about Kerberos not working via IP address.
 
LVL 2

Accepted Solution

by:c_kedar (earned 500 total points)
ID: 39875679
As you are using -UseSSL, the client will try to connect to the WinRM server over HTTPS transport on port 5986.
Your WinRM service on the destination is not configured to listen on this transport/port.
That is the reason for the error message: The client cannot connect to the destination specified in the request.

You can either configure WinRM to listen on HTTPS or, alternatively, you can add your computer as a trusted host in the WinRM configuration on the destination machine.
Configuring an HTTPS listener is a little involved, as you have to ensure the hostname is set right, the right certificate is available, etc.
On my machine, the command "winrm create winrm/config/listener?Address=*+Transport=HTTPS" gave the error "cannot find the certificate that was requested".

Even when an HTTPS listener is properly configured on the destination, I feel using HTTPS with a numeric IP address will inherently have issues in verifying the host, as the certificate presented will be for a domain name and not a numeric IP address.

The easier way is to add your machine as a trusted host in the WinRM configuration on the destination machine.
Command is:
winrm set winrm/config/client '@{TrustedHosts="192.168.0.100"}'

Replace 192.168.0.100 with the IP address of your machine.
And then use invoke-command without the -UseSSL switch.
 

Author Closing Comment

by:Miritm
ID: 39879474
Thanks! this solved my problem and explained why I get the connectivity error message - due to the different port used with SSL.
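
Added example (not part of the original thread): a read-only PowerShell check for the mismatch described in the accepted answer. It shows which WinRM transport the destination actually answers on and what the client's TrustedHosts list currently contains. The function names Test-WinRMTransport and Get-WinRMTrustedHosts and the timeout value are assumptions of this example; it needs PowerShell 3.0 or later, and reading the WSMan: drive may need an elevated prompt.

```powershell
# Added example: read-only checks, nothing is reconfigured.
function Test-WinRMTransport {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [int]$TimeoutMs = 3000
    )
    # WinRM defaults: 5985 = HTTP, 5986 = HTTPS (the port -UseSSL selects).
    $ports = [ordered]@{ HTTP = 5985; HTTPS = 5986 }
    foreach ($transport in $ports.Keys) {
        # Step 1: plain TCP reachability (the TcpClient check suggested in the thread).
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $pending = $client.BeginConnect($ComputerName, $ports[$transport], $null, $null)
            $open = $pending.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected
        } catch {
            $open = $false
        } finally {
            $client.Close()
        }
        # Step 2: WS-Management Identify request. Test-WSMan sends it
        # unauthenticated by default, so no credentials are needed.
        $answers = $false
        $reason = if ($open) { '' } else { 'port closed or filtered' }
        if ($open) {
            try {
                Test-WSMan -ComputerName $ComputerName -UseSSL:($transport -eq 'HTTPS') -ErrorAction Stop | Out-Null
                $answers = $true
            } catch {
                # Over HTTPS this also fires when the certificate name does not match the target.
                $reason = $_.Exception.Message
            }
        }
        [pscustomobject]@{
            Transport = $transport; Port = $ports[$transport]
            TcpOpen = $open; WSManAnswers = $answers; Reason = $reason
        }
    }
}

function Get-WinRMTrustedHosts {
    # The client does not verify the identity of hosts listed in TrustedHosts,
    # so the list should stay as narrow as possible; '*' trusts every host.
    $value = (Get-Item WSMan:\localhost\Client\TrustedHosts -ErrorAction Stop).Value
    $entries = $value -split ',' | ForEach-Object { $_.Trim() }
    [pscustomobject]@{ TrustedHosts = $value; Wildcard = ($entries -contains '*') }
}

# 192.168.0.135 is the address used in the question.
Test-WinRMTransport -ComputerName 192.168.0.135 | Format-Table -AutoSize
Get-WinRMTrustedHosts
```

With a listener configuration like the one posted in the question (HTTP on 5985 only), the HTTPS row reports the port as closed, which is the connection failure that -UseSSL produced.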