
Errors with sessions and PSRemoting using CredSSP

I use Windows 8.1 Enterprise 64-bit and PowerShell 4.0.

I want to run PowerShell Remoting and use CredSSP authentication.

I open a PowerShell console, run it as administrator, and execute the Enter-PSSession command to connect to the remote computer.

But I get an error on the connection.

PS C:\Documents and Settings\kiquenet> Enter-PSSession -ComputerName DC -credential devrsg.com\Administrator 

Anyway, I tested the command on Windows XP and Windows 7 and the connection is OK.

PS C:\Documents and Settings\kiquenet> Enter-PSSession -ComputerName DC -credential devrsg.com\Administrator 
[dc]: PS C:\Users\Administrator\Documents> exit 

Now I test on Windows 8.1.

I test enabling PSRemoting using the command, and I get an error:

PS C:\Windows\system32> Enable-PSRemoting -force 

WinRM ya está configurado para recibir solicitudes en este equipo. 
WinRM has been updated to receive requests. 
Set-WSManQuickConfig : <f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="2" 
Machine="localhost"><f:Message><f:ProviderFault provider="Config provider" 
path="%systemroot%\system32\WsmSvc.dll"><f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" 
Code="2" Machine="MYCOMPUTERW8.mycompany.net"><f:Message>Unable to check the status of the firewall. 
</f:Message></f:WSManFault></f:ProviderFault></f:Message></f:WSManFault> 
En línea: 69 Carácter: 17 
+     Set-WSManQuickConfig -force 
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
    + CategoryInfo   : InvalidOperation: (:) [Set-WSManQuickConfig], InvalidOperationException 
    + FullyQualifiedErrorId : WsManError,Microsoft.WSMan.Management.SetWSManQuickConfigCommand 

I get the same error using Enable-PSRemoting -force -SkipNetworkProfileCheck.

I test winrm quickconfig on the command line and I get the error:

PS C:\Windows\system32> winrm quickconfig -force 
WinRM service is already running on this machine. 
WSManFault 
    Message 
     ProviderFault 
      WSManFault 
       Message = Unable to check the status of the firewall. 

Nº de error: -2147024894 0x80070002 
The system cannot find the file specified. 

I have SmartScreen and the firewall enabled on my Windows 8.1. (Symantec Endpoint Protection is disabled.)

Any suggestions?

Update:

The commands I test:

PS C:\> Enable-PSRemoting -SkipNetworkProfileCheck -Force 

PS C:\> Set-NetFirewallRule -Name "WINRM-HTTP-In-TCP-PUBLIC" -RemoteAddress Any 

But I get an error:

PS C:\Windows\system32> Set-NetFirewallRule -Name "WINRM-HTTP-In-TCP-PUBLIC" -RemoteAddress Any 
Set-NetFirewallRule : No se encontraron objetos MSFT_NetFirewallRule cuya propiedad 'InstanceID' sea igual a 
'WINRM-HTTP-In-TCP-PUBLIC'. Compruebe el valor de la propiedad e inténtelo de nuevo. 
En línea: 1 Carácter: 1 
+ Set-NetFirewallRule -Name "WINRM-HTTP-In-TCP-PUBLIC" -RemoteAddress Any 
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
    + CategoryInfo   : ObjectNotFound: (WINRM-HTTP-In-TCP-PUBLIC:String) [Set-NetFirewallRule], CimJobException 
    + FullyQualifiedErrorId : CmdletizationQuery_NotFound_InstanceID,Set-NetFirewallRule 

Reference: http://technet.microsoft.com/en-us/library/hh849694.aspx

Update 2

Now, if I run Net stop MPSSVC (the Windows Firewall service), I get this error:

Enter-PSSession -ComputerName DC -credential dersg.com\Administrator 
Enter-PSSession : Connecting to remote server DC failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic. 
En línea: 1 Carácter: 1 
+ Enter-PSSession -ComputerName DC -credential devrsg.com\Administrator 
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
    + CategoryInfo   : InvalidArgument: (DC:String) [Enter-PSSession], PSRemotingTransportException 
    + FullyQualifiedErrorId : CreateRemoteRunspaceFailed 

Update 3.

Now I enable CredSSP on the server and on the client by running these commands:

Enable-WSManCredSSP -Role Server -Force 

Enable-WSManCredSSP -Role Client -DelegateComputer * -Force 

Then I run the command:

PS C:\Documents and Settings\kiquenet> Enter-PSSession -ComputerName DC -credential devrsg.com\Administrator 
[dc]: PS C:\Users\Administrator\Documents> exit 

That is OK. Now I run this command (https://stackoverflow.com/a/22816386/206730):

Set-PSSessionConfiguration -ShowSecurityDescriptorUI -Name Microsoft.PowerShell 

Now I test the command using CredSSP:

$serverName = "DC" 
$username = "devrsg\Administrator" 
$password = "xxxxxx" 

$adjPwd = $password | ConvertTo-SecureString -asPlainText -Force 
$testCred = (New-Object System.Management.Automation.PSCredential($username,$adjPwd)) 

$scriptBlock = { 
    Write-Host ("hello, world: {0}, {1}" -f $env:USERNAME, (hostname)) 
} 

Invoke-Command $scriptBlock -computername $serverName -credential $testCred -Authentication Credssp 

I get the error:

PS C:\> .\testRemoteCredSSP.ps1 
[DC] Error de conexión al servidor remoto DC. Mensaje de error: El cliente WinRM no puede procesar la solicitud. Una 
directiva de equipo no permite delegar credenciales de usuario en el equipo de destino porque éste no es de confianza. 
La identidad del equipo de destino se puede comprobar si configura el servicio WSMAN para usar un certificado válido 
con el siguiente comando: winrm set winrm/config/service '@{CertificateThumbprint="<huellaDigital>"}' O bien puede 
comprobar en el Visor de eventos si hay un evento que especifique que no se pudo crear el siguiente SPN: 
WSMAN/<FQDNdelEquipo>. Si encuentra este evento, puede crear manualmente el SPN con setspn.exe . Si el SPN existe, 
pero CredSSP no puede usar Kerberos para validar la identidad del equipo de destino y desea permitir la delegación de 
credenciales de usuario en el equipo de destino, use gpedit.msc y mire la siguiente directiva: Configuración del 
equipo -> Plantillas administrativas -> Sistema -> Delegación de credenciales -> Permitir credenciales nuevas con 
autenticación solo NTLM de servidor. Compruebe que esté habilitada esta opción y configurada con el correspondiente 
SPN para el equipo de destino. Por ejemplo, para un nombre de equipo de destino "miservidor.dominio.com", el SPN puede 
ser alguno de los siguientes: WSMAN/miservidor.dominio.com o WSMAN/*.dominio.com. Pruebe de nuevo la solicitud después 
de realizar estos cambios. Para obtener más información, consulte el tema de la Ayuda about_Remote_Troubleshooting. 
    + CategoryInfo   : OpenError: (DC:String) [], PSRemotingTransportException 
    + FullyQualifiedErrorId : -2144108124,PSSessionStateBroken 

English message:

Enter-PSSession : Connecting to remote server failed with the following error me 
ssage : The WinRM client cannot process the request. 
A computer policy does not allow the delegation of the user credentials to the target computer because the computer is not trusted. The identity of the target computer can be verified if you configure the WSMAN service to use a valid certificate using the following command: winrm set winrm/config/service '@{CertificateThumbprint="<thumbprint>"}' 

Or you can check the Event Viewer for an event that specifies that the following SPN could not be created: WSMAN/<computerFQDN>. If you find this event, you can manually create the SPN using setspn.exe . 

If the SPN exists, but CredSSP can not use Kerberos to validate the identity of the target computer and you still want to allow the delegation of the user credentials to the target computer, use gpedit.msc and look at the following policy: Computer Configuration -> Administrative Templates -> System -> Credentials Delegation -> Allow Fresh Credentials with NTLM-only Server Authentication. 

Verify that it is enabled and configured with an SPN appropriate for the target computer. 
For example, for a target computer name "myserver.domain.com", the SPN can be one of the following: WSMAN/myserver.domain.com or WSMAN/*.domain.com. 

Try the request again after these changes. 
    For more information, see the about_Remote_Troubleshooting Help topic. 

Answers

CredSSP does not send credentials to computers it does not trust. You can add trust for the remote server in two ways:

  1. Set the GPO setting under Administrative Templates/System/Credentials Delegation to delegate fresh credentials to one server (WSMAN/dc.domain.com), or allow a wildcard for everything in the domain (WSMAN/*.domain.com).

  2. Get the certificate thumbprint for that computer and run winrm set winrm/config/service '@{CertificateThumbprint="<thumbprint>"}'. You can get the server's certificate thumbprint by running Get-ChildItem "Cert:\LocalMachine\Remote Desktop\"
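
The first option, applied locally instead of through a GPO, as an added example that is not part of the original answer: it lists the SPNs the client's CredSSP delegation policies currently allow, flags wildcard entries, and narrows delegation to a single host. The FQDN dc.devrsg.com and the function name Get-CredSspDelegationTarget are assumptions; the page shows only the short name DC.

```powershell
# Added example. Assumption: dc.devrsg.com is the target's FQDN.
# Run in an elevated PowerShell session on the client.
$target     = 'dc.devrsg.com'
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'

function Get-CredSspDelegationTarget {
    # One object per SPN listed under each credential-delegation policy.
    foreach ($policy in 'AllowFreshCredentials', 'AllowFreshCredentialsWhenNTLMOnly') {
        $listKey = Join-Path $policyRoot $policy
        if (-not (Test-Path $listKey)) { continue }
        $key = Get-Item $listKey
        foreach ($name in $key.GetValueNames()) {
            $spn = [string]$key.GetValue($name)
            [pscustomobject]@{
                Policy   = $policy
                Spn      = $spn
                Wildcard = $spn.Contains('*')
            }
        }
    }
}

# Current state: WSMan's summary, then the SPN entries behind it.
Get-WSManCredSSP
Get-CredSspDelegationTarget | Format-Table -AutoSize

# Replace a wildcard delegation such as "-DelegateComputer *" with one host.
if (Get-CredSspDelegationTarget | Where-Object { $_.Wildcard }) {
    Disable-WSManCredSSP -Role Client
    Enable-WSManCredSSP -Role Client -DelegateComputer $target -Force
}

# Connect with the same name that was delegated; the password is prompted for.
$cred = Get-Credential -Credential 'devrsg\Administrator'
Invoke-Command -ComputerName $target -Credential $cred -Authentication Credssp -ScriptBlock {
    'hello, world: {0}, {1}' -f $env:USERNAME, (hostname)
}
```

Entries delivered by a domain GPO are re-applied at the next policy refresh, so a wildcard that comes from a GPO has to be narrowed in the GPO itself.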