Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Question
Thursday, May 14, 2020 7:14 AM
Source:
/en-us/archive/blogs/ashleymcglone/powershell-remoting-kerberos-double-hop-solved-securely
Info:
localhost = Windows 10
ServerA = Server 2012 R2
ServerB = Server 2016
Windows firewall is turned off for all machines.
$user is localadmin on all machines.
TCP 5985 and TCP 5986 is opened up and allowed on ServerA and ServerB from localhost.
WinRM-service is started on ServerA and ServerB.
Part of script (the end-result is to do a kerberos double-hop securely without using CredSSP):
# Set up variables for reuse
$ServerA = $env:COMPUTERNAME
$ServerB = Get-ADComputer -Identity ServerA
$ServerC = Get-ADComputer -Identity ServerB
# Capture a credential
$user = whoami
$usercred = Get-Credential $user
# Notice the StartName property of the WinRM Service: NT AUTHORITY\NetworkService
# This looks like the ServerB computer account when accessing other servers over the network.
$test = Get-WmiObject -Class Win32_Service -Filter 'Name="winrm"' -ComputerName "$($ServerB.name).domain.local" | fl *
also tried this
$test = Get-WmiObject -Class Win32_Service -Filter 'Name="winrm"' -ComputerName $ServerB.name | fl *
Still get this error though:
Get-WmiObject : The RPC server is unavailable. (Exception from HRESULT: 0x800706BA)
Any ideas?
Best Regards
All replies (4)
Thursday, May 14, 2020 7:22 AM
The firewall on one end is blocking the call. Both ends of a link must allow the call.,
WMI cannot do a double hop. I also see no way that you are doing a double hop and most of the code posted does nothing.
Why create credentials and never use them?
\(ツ)_/
Thursday, May 14, 2020 7:26 AM
The firewall on one end is blocking the call. Both ends of a link must allow the call.,
WMI cannot do a double hop. I also see no way that you are doing a double hop and most of the code posted does nothing.
Why create credentials and never use them?
\(ツ)_/
If you read this > "Part of script" < then you understand why some variables do nothing and I am not saying that WMI does a kerberos double hop.
Check the source link.
I am testing that out but stuck at the beginning of the script due to the WinRM-error.
Also I clearly wrote that Windows firewall is turned off and controlled through AWS SecurityGroups instead (the servers are AWS EC2-servers).
Outgoing is allowed on all servers and inbound has the whitelistings specified in my original post.
Thursday, May 14, 2020 7:44 AM
Why post a bunch of code that has nothing to do with your problem. It just makes your request more difficult to understand.
Why haven't you posted the complete error message. It tells you the whole issue.
Nothing you have written or posted has anything at all to do with remoting and the article you posted is only asking you to check one parameter on a service to be sure it is set as required.
Start a new PowerShell console and run the following two commands.
ping <server b name>
Get-WmiObject Win32_Service -Filter 'Name="winrm"' -ComputerName <server B name> | fl *
Next run the following commands:
Get-WmiObject Win32_BIOS -ComputerName <server B name>
Get-CimInstance Win32_BIOS -ComputerName <server B name>
Notice what happens in each case.
\(ツ)_/
Thursday, May 14, 2020 9:58 AM
Check this:
HKLM:\Software\Microsoft\Ole :: EnableDCOM (should be "Y")