DevSupport
asked on
powershell invoke-command error
Hi Experts,
I am using a invoke-command to authenticate using domain admin credentials which are stored using read-host command.
It works flawlessly on most servers but it does not work on a bunch of servers with same permission levels as the ones which work ok.
The error message:
[servername] Connecting to remote server servername failed with the following error
message : WinRM cannot process the request. The following error with errorcode
0x80090322 occurred while using Kerberos authentication: An unknown security
error occurred.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are
specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does
not exist.
-The client and remote computers are in different domains and there is no
trust between the two domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM
TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following command:
winrm help config. For more information, see the about_Remote_Troubleshooti
Help topic.
+ CategoryInfo : OpenError: (vtimeqa:String) [], PSRemotingTransp
ortException
There is largely no difference between the server which works and the one which doesn't work.
I think my issue is similar to what is written here:
https://community.spiceworks.com/topic/1066827-isolated-psremote-issue
I tried to connect with IP address but still doesnt work.
No firewalls in the server which I'm trying to connect.
I am using a invoke-command to authenticate using domain admin credentials which are stored using read-host command.
It works flawlessly on most servers but it does not work on a bunch of servers with same permission levels as the ones which work ok.
The error message:
[servername] Connecting to remote server servername failed with the following error
message : WinRM cannot process the request. The following error with errorcode
0x80090322 occurred while using Kerberos authentication: An unknown security
error occurred.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are
specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does
not exist.
-The client and remote computers are in different domains and there is no
trust between the two domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM
TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following command:
winrm help config. For more information, see the about_Remote_Troubleshooti
Help topic.
+ CategoryInfo : OpenError: (vtimeqa:String) [], PSRemotingTransp
ortException
There is largely no difference between the server which works and the one which doesn't work.
I think my issue is similar to what is written here:
https://community.spiceworks.com/topic/1066827-isolated-psremote-issue
I tried to connect with IP address but still doesnt work.
No firewalls in the server which I'm trying to connect.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Shaun Vermaak
Can you authenticate with something else, like a file share etc.?
ASKER
@Shaun
I can authenticate with everything else, open fileshare login to the remote server and do all admin tasks, except when I do Invoke-Command or
Enter-PSSession -Computer computername
I get this error:
towards the end it says:
At line:1 char:1
+ Enter-PSSession -Computer compname
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (compname:String) [Enter-PSSession], PSRemotingTransportExcepti
+ FullyQualifiedErrorId : CreateRemoteRunspaceFailed
I can authenticate with everything else, open fileshare login to the remote server and do all admin tasks, except when I do Invoke-Command or
Enter-PSSession -Computer computername
I get this error:
towards the end it says:
At line:1 char:1
+ Enter-PSSession -Computer compname
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (compname:String) [Enter-PSSession], PSRemotingTransportExcepti
+ FullyQualifiedErrorId : CreateRemoteRunspaceFailed
ASKER
@Jason,
setspn -D http/servername username
When I run the command I get
Failed to remove SPN on account 'CN=user,OU=Users-SpecialP
domain,DC=com', error 0x2098/8344 -> Insufficient access rights to perform the op
eration.
I think I dont have domain admin access. I will check with our admins and get back.
Thanks
DevSupport
setspn -D http/servername username
When I run the command I get
Failed to remove SPN on account 'CN=user,OU=Users-SpecialP
domain,DC=com', error 0x2098/8344 -> Insufficient access rights to perform the op
eration.
I think I dont have domain admin access. I will check with our admins and get back.
Thanks
DevSupport
ASKER
What I did:
setspn -D http/servername username
using domain admin credentials and it removed the existing spn.
After that I was able to connect.!
It did not work when I tried setspn -A and tried to add it back.
setspn -D http/servername username
using domain admin credentials and it removed the existing spn.
After that I was able to connect.!
It did not work when I tried setspn -A and tried to add it back.