powershell invoke-command error

DevSupport
Hi Experts,

I am using Invoke-Command to authenticate using domain admin credentials which are stored using the Read-Host command.

It works flawlessly on most servers, but it does not work on a bunch of servers with the same permission levels as the ones which work OK.

The error message:

[servername] Connecting to remote server servername failed with the following error
message : WinRM cannot process the request. The following error with errorcode
0x80090322 occurred while using Kerberos authentication: An unknown security
error occurred.
 Possible causes are:
  -The user name or password specified are invalid.
  -Kerberos is used when no authentication method and no user name are
specified.
  -Kerberos accepts domain user names, but not local user names.
  -The Service Principal Name (SPN) for the remote computer name and port does
not exist.
  -The client and remote computers are in different domains and there is no
trust between the two domains.
 After checking for the above issues, try the following:
  -Check the Event Viewer for events related to authentication.
  -Change the authentication method; add the destination computer to the WinRM
TrustedHosts configuration setting or use HTTPS transport.
 Note that computers in the TrustedHosts list might not be authenticated.
   -For more information about WinRM configuration, run the following command:
winrm help config. For more information, see the about_Remote_Troubleshooting
Help topic.
    + CategoryInfo          : OpenError: (vtimeqa:String) [], PSRemotingTransp
   ortException


There is largely no difference between the server which works and the one which doesn't work.

I think my issue is similar to what is written here:
https://community.spiceworks.com/topic/1066827-isolated-psremote-issue

I tried to connect with the IP address but it still doesn't work.

There are no firewalls on the server which I'm trying to connect to.
Commented:
Log in to the server(s) generating the error and run Test-WSMan. If that is successful, try looking into conflicting SPNs. A cursory inspection of this article seems to fit the behavior you're experiencing:

http://www.gsx.com/blog/bid/86453/how-to-resolve-a-powershell-kerberos-issue
Shaun Vermaak, Technical Specialist

Commented:
Can you authenticate with something else, like a file share etc.?

Author

Commented:
@Shaun

I can authenticate with everything else, open a file share, log in to the remote server and do all admin tasks, except when I do Invoke-Command or

Enter-PSSession -Computer computername

I get this error:

towards the end it says:

At line:1 char:1
+ Enter-PSSession -Computer compname
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (compname:String) [Enter-PSSession], PSRemotingTransportException
    + FullyQualifiedErrorId : CreateRemoteRunspaceFailed

Author

Commented:
@Jason,

setspn -D http/servername username

When I run the command I get

Failed to remove SPN on account 'CN=user,OU=Users-SpecialPurposeAccounts,DC=
domain,DC=com', error 0x2098/8344 -> Insufficient access rights to perform the op
eration.

I think I don't have domain admin access. I will check with our admins and get back.

Thanks
DevSupport

Author

Commented:
What I did:

setspn -D http/servername username

using domain admin credentials and it removed the existing spn.

After that I was able to connect!

It did not work when I tried setspn -A and tried to add it back.
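
Added example (not part of the original thread): a PowerShell check, following the resolution above, that lists every account holding an HTTP/<server> SPN so that one registered on an account other than the server's own computer account can be identified before it is removed with setspn -D. The function name Find-HttpSpnOwner and the server name 'servername' are placeholders; it assumes a domain-joined machine and searches the current domain only.

```powershell
# Added example: find which accounts own an HTTP/<server> SPN.
# Assumptions: domain-joined client, current domain only, 'servername' is a placeholder.
function Find-HttpSpnOwner {
    param(
        # Restrict to hostname characters so the value cannot alter the LDAP filter.
        [Parameter(Mandatory)]
        [ValidatePattern('^[A-Za-z0-9.-]+$')]
        [string]$ComputerName,
        [string]$DnsDomain = $env:USERDNSDOMAIN
    )

    # Check both the short name and the FQDN form of the SPN.
    $short = ($ComputerName -split '\.')[0]
    $names = @($ComputerName)
    if ($DnsDomain -and $ComputerName -notlike '*.*') {
        $names += "$ComputerName.$DnsDomain"
    }

    # Match HTTP/<name> exactly or with a :port suffix.
    $clauses = foreach ($n in $names) {
        "(servicePrincipalName=HTTP/$n)(servicePrincipalName=HTTP/${n}:*)"
    }
    $searcher = [adsisearcher]"(|$(-join $clauses))"
    $searcher.PageSize = 500
    $searcher.PropertiesToLoad.AddRange(
        [string[]]@('sAMAccountName', 'objectClass', 'servicePrincipalName', 'distinguishedName'))

    foreach ($r in $searcher.FindAll()) {
        $sam = [string]$r.Properties['samaccountname'][0]
        [pscustomobject]@{
            Account           = $sam
            IsComputer        = ($r.Properties['objectclass'] -contains 'computer')
            # Any owner other than the server's own computer account (NAME$)
            # is a candidate for the conflicting SPN described in the thread.
            Conflict          = ($sam -ne "$short`$")
            HttpSpns          = @($r.Properties['serviceprincipalname'] |
                                    Where-Object { $_ -like 'HTTP/*' })
            DistinguishedName = [string]$r.Properties['distinguishedname'][0]
        }
    }
}

Find-HttpSpnOwner -ComputerName 'servername' | Format-List
```

A row with Conflict = True on a user or service account is the kind of entry the author removed with setspn -D; confirm with the account's owner that no web service depends on that SPN before removing it.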
