Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Question
Thursday, June 2, 2016 6:53 AM
Hi
I've got this ugly error "errorcode 0x80090322" when accessing one specific remote system:
Enter-PSSession : Connecting to remote server myserver failed with the following error message : WinRM cannot process
the request. The following error with errorcode 0x80090322 occurred while using Kerberos authentication: An unknown
security error occurred.
i've tryed:
- Connecting with Credential (UPN and User DNS Name)
- Resetting DNS cache (ipconfig /flushdns)
- Resetting NetBios cache (NBTStat –R)
- Resetting Kerberos Tickets (KList purge)
- Checking Trusted hosts (Get-Item wsman:localhost\client\trustedhosts) -> * on source and target system
- Checking for duplicate SPN entries (setspn -X)
- Checking for existance of http SPN entries (setspn -L)
- Enable-PSRemoting
- and: there are no entries in Application, System or Security logs that would explain the error
Everything seems to be OK. Latley, I was able to enter a pssession on this machine, now it is not possible anymore (unfortunatley, we have no change history for this server, because it is not productive)
Here my spn's:
PS C:\ setspn -L myserver
Registered ServicePrincipalNames for CN=myserver,OU=Dev_WP-SC,OU=Dev_WP,OU=Dev_Res,OU=Dev,DC=mydomain,DC=ch:
MSOMHSvc/myserver
MSOMHSvc/myserver.mydomain.ch
MSSQLSvc/myserver.mydomain.ch:1433
MSSQLSvc/myserver.mydomain.ch
TERMSRV/myserver
TERMSRV/myserver.mydomain.ch
WSMAN/myserver
WSMAN/myserver.mydomain.ch
RestrictedKrbHost/myserver
HOST/myserver
RestrictedKrbHost/myserver.mydomain.ch
HOST/myserver.mydomain.ch
And here what i see in Wireshark:
Request: POST /wsman?PSVersion=5.0.10586.117 HTTP/1.1\r\n
Returns: KRB Error: KRB5KRB_AP_ERR_MODIFIED
Any Ideas?
Thomas
All replies (3)
Friday, June 3, 2016 1:02 PM ✅Answered
Problem solved!
Installation of "Microsoft BitLocker Administration and Monitoring" has broken PS Remoting.
Solution: https://social.technet.microsoft.com/Forums/en-US/cb71e431-5c4d-4597-b035-2380580a1a95/mbam-25-spn-issue-with-dns-alias-and-reporting?forum=mdopmbam -\> Created a DNS Alias for MBAM
Reason for the problem:
SPN has been registered to the user from th MBAM Application Pool:
setspn -l DOMAIN\USER
->http/myserver
->http/myserver.mydomain.ch
Thomas
Friday, June 3, 2016 9:15 AM
Hi Thomas,
Thanks for posting here.
Please try to use: winrm quickconfig command to configure the winrm related settings to see if it helps.
Besides, please try to manually specify the credentials for the remote connection. enter-possession -computername -credential
In addition, you could use winrm get winrm/config command to query the client&server kerbeors authentication is true.
Using winrm -r command to try to connect to the target server to see if it helps or prompts some errors.
You could also try to re-join the domain to see if it helps.
Best regards,
Andy_Pan
Friday, June 10, 2016 1:20 AM
Hi Thomas,
>>Installation of "Microsoft BitLocker Administration and Monitoring" has broken PS Remoting.
Thanks for your feedback and sharing.
This solution will help others who has encountered the similar issue.
Thanks again for posting here.
Best regards,
Andy_Pan