

Invoke-command as remote local user

Question

Thursday, January 2, 2014 12:58 PM

Hi, I have an application where, if I need to do some maintenance, it needs to be done using a local account.

I want to automate some tasks, so I need to be able to run a command as the local user remotely.

I tried with:

$username = '$server\localuser'
$password = 'Password'
$cred = New-Object System.Management.Automation.PSCredential -ArgumentList @($username,(ConvertTo-SecureString -String $password -AsPlainText -Force))

# cmd.exe only runs the given command when /c (or /k) is supplied; without it the argument is ignored
Invoke-Command -ComputerName $server -Credential $cred -ScriptBlock {cmd /c C:\scripts\restore.bat}

But i got an error:

[server] Connecting to remote server failed with the following error message : WinRM cannot process the request. The following error occured while using Kerberos authentication: There are currently no logon servers
 available to service the logon request.  
 Possible causes are:
  -The user name or password specified are invalid.
  -Kerberos is used when no authentication method and no user name are specified.
  -Kerberos accepts domain user names, but not local user names.
  -The Service Principal Name (SPN) for the remote computer name and port does not exist.
  -The client and remote computers are in different domains and there is no trust between the two domains.
 After checking for the above issues, try the following:
  -Check the Event Viewer for events related to authentication.
  -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
 Note that computers in the TrustedHosts list might not be authenticated.
   -For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
    + CategoryInfo          : OpenError: (:) [], PSRemotingTransportException
    + FullyQualifiedErrorId : PSSessionStateBroken

Both servers are in the same domain, so I guess I can't use $cred with a local user? (-Kerberos accepts domain user names, but not local user names.)

Is there a way to do it?

Thanks

All replies (6)

Thursday, January 2, 2014 1:27 PM ✅Answered | 2 votes

You will still need to configure an HTTPS listener for WinRM since you're using local accounts. I recommend reading Secrets of PowerShell Remoting by Don Jones and Tobias Weltner:

http://powershell.org/wp/2012/08/06/ebook-secrets-of-powershell-remoting/


Thursday, January 2, 2014 2:59 PM ✅Answered | 1 vote

You don't technically have to use HTTPS here, though it's a good idea, since it authenticates the remote machine, something that would otherwise be missing if you're not using Kerberos.  Using an HTTP listener here would create the possibility of a "man in the middle" attack, if someone manages to spoof your target machine.

However, to get around the error you're experiencing, all you really need to do is specify a different authentication mechanism; in this case, Negotiate is most appropriate.  Edit: If you're using an HTTP connection, you would also need to add the remote computer to the Trusted Hosts list on the client, for the reasons mentioned already.  This process is detailed in the ebook.

# /c added so cmd.exe actually runs the batch file and exits
Invoke-Command -ComputerName $server -Credential $cred -Authentication Negotiate -ScriptBlock {cmd /c C:\scripts\restore.bat}

If your remote computer has User Account Control enabled, you may also run into the problem described in this KB article; the article mentions a registry key that you can use to get around it (though the preferred solution is to use domain accounts instead of local accounts wherever possible): http://support.microsoft.com/kb/951016/en-us
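The approach described in this answer, written out as an added example (not code from the thread or from Microsoft): a helper that prompts for the local account's password rather than embedding it, qualifies the user name with the target machine so WinRM treats it as a local account, uses Negotiate, and prefers the HTTPS listener so the remote host is authenticated. It only falls back to plain HTTP when explicitly allowed and the target is already in the client's TrustedHosts. The function name, the parameter names and the server name `srv01` are assumptions; `localuser` and `C:\scripts\restore.bat` come from the question.

```powershell
# Added example (not from the thread): run a maintenance script on a remote
# machine as a LOCAL account, preferring the HTTPS listener (port 5986) and
# falling back to HTTP + Negotiate only when the target is in TrustedHosts.
# Function and parameter names are hypothetical.

function Invoke-LocalAccountMaintenance {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [string] $LocalUserName,   # e.g. 'localuser', no machine prefix
        [string] $ScriptPath = 'C:\scripts\restore.bat',
        [switch] $AllowHttpFallback
    )

    # Prompt for the password instead of storing it in the script. Qualifying the
    # user with the TARGET machine name makes WinRM treat it as a local account.
    $cred = Get-Credential -UserName "$ComputerName\$LocalUserName" `
                           -Message "Local account password for $ComputerName"

    $common = @{
        ComputerName   = $ComputerName
        Credential     = $cred
        Authentication = 'Negotiate'   # local accounts cannot use Kerberos (see the error text)
        ErrorAction    = 'Stop'
    }

    # 1. Preferred path: HTTPS. The listener's certificate authenticates the
    #    server, which is the property Kerberos would otherwise have provided.
    try {
        $null = Test-WSMan @common -UseSSL
        Write-Verbose "HTTPS listener reachable on $ComputerName; using -UseSSL"
        return Invoke-Command @common -UseSSL -ScriptBlock {
            param($path) cmd.exe /c $path; $LASTEXITCODE
        } -ArgumentList $ScriptPath
    } catch {
        Write-Warning "HTTPS probe of $ComputerName failed: $($_.Exception.Message)"
    }

    # 2. Fallback: plain HTTP + Negotiate. The server is not authenticated on this
    #    path, so refuse unless the caller opted in AND the exact host is trusted.
    if (-not $AllowHttpFallback) {
        throw "No HTTPS listener on $ComputerName and HTTP fallback not allowed."
    }
    $trusted = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value -split ',' |
               ForEach-Object { $_.Trim() }
    if ($trusted -notcontains $ComputerName -and $trusted -notcontains '*') {
        throw "$ComputerName is not in WSMan:\localhost\Client\TrustedHosts; refusing HTTP session."
    }
    Write-Warning "Falling back to HTTP; the remote host is NOT authenticated on this path."
    return Invoke-Command @common -ScriptBlock {
        param($path) cmd.exe /c $path; $LASTEXITCODE
    } -ArgumentList $ScriptPath
}

# Usage (assumed server name):
# Invoke-LocalAccountMaintenance -ComputerName 'srv01' -LocalUserName 'localuser' -Verbose
```

The script block returns the batch file's exit code, so the caller can tell a failed restore from a failed connection. Note that the TrustedHosts check is only meaningful on the HTTP path; for HTTPS and Kerberos sessions WinRM does not consult it.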


Sunday, January 5, 2014 2:48 PM ✅Answered

Hi Slowscripter,

In addition, to add the TrustedHosts, please refer to the following:

Set-Item wsman:\localhost\client\trustedhosts *

To restrict computers that can connect, you could also replace the * with a comma-separated list of IP addresses or computer names.

For detailed information, please also refer to this article:

How to Run PowerShell Commands on Remote Computers

I hope this helps.
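The `*` entry above trusts every host, which means the client will complete NTLM authentication with whatever answers on HTTP at that name. As an added example (not from the thread), here is the wildcard setting beside a helper that replaces it with an explicit allow-list, keeps any existing explicit entries, and refuses wildcards in the new list. The function name and the server names `srv01` and `srv02.corp.example` are constructed placeholders; the cmdlet must run from an elevated prompt.

```powershell
# Added example (not from the thread): replace a wildcard TrustedHosts entry with
# an explicit allow-list. TrustedHosts is only consulted for connections where
# the server is NOT otherwise authenticated (HTTP with NTLM/Negotiate); Kerberos
# and HTTPS sessions ignore it. Function name and host names are placeholders.

function Set-RestrictedTrustedHosts {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string[]] $AllowedHosts   # names or IPs, no wildcards
    )
    $path    = 'WSMan:\localhost\Client\TrustedHosts'
    $current = (Get-Item $path).Value

    if ($current -eq '*') {
        Write-Warning "TrustedHosts is '*': this client will send NTLM credentials to ANY host answering on HTTP."
    } elseif ($current) {
        Write-Verbose "Current TrustedHosts: $current"
    }

    # Reject entries that would silently widen the list again.
    $bad = $AllowedHosts | Where-Object { $_ -match '\*' }
    if ($bad) { throw "Wildcards are not allowed in the allow-list: $($bad -join ', ')" }

    # Keep existing explicit entries (dropping '*'), merge, de-duplicate, write back.
    $existing = if ($current -and $current -ne '*') {
        $current -split ',' | ForEach-Object { $_.Trim() }
    } else { @() }
    $merged = @($existing + $AllowedHosts) | Sort-Object -Unique
    $value  = $merged -join ','

    if ($PSCmdlet.ShouldProcess($path, "Set TrustedHosts to '$value'")) {
        # -Force suppresses the confirmation prompt. -Concatenate is deliberately
        # not used: the list was merged above and the wildcard must not survive.
        Set-Item $path -Value $value -Force
    }
    return (Get-Item $path).Value
}

# Weak setting from the thread (trusts every host):
#   Set-Item WSMan:\localhost\Client\TrustedHosts *
# Restricted replacement (constructed names); run -WhatIf first to preview:
#   Set-RestrictedTrustedHosts -AllowedHosts 'srv01','srv02.corp.example' -Verbose -WhatIf
```

Because the function supports `-WhatIf`, it can be run once to show the resulting value before the client configuration is actually changed.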



Thursday, January 2, 2014 1:04 PM | 1 vote

If you output $username it should print "$server\localuser", since you're using single quotes to define the value. By doing this it will not use the variable value, but the text string as it is.

Change them to double quotation marks and it should work, i.e.

$username = "$server\localuser"

Thursday, January 2, 2014 1:09 PM

Thanks for the reply.

I changed it, but I still get the same error.

Regards


Thursday, January 2, 2014 1:51 PM

I'll see if I can find a solution there, thanks