1

From an elevated Powershell session on either source or receiver, I can successfully run:

dfsrdiag backlog /smem:source /rmem:receiver /rgname:"Group" /rfname:"Folder"

However, from a PowerShell Remote session results in an access denied error:

Enter-PSSession -ComputerName source

dfsrdiag backlog /smem:source /rmem:receiver /rgname:"Group" /rfname:"Folder"

It fails with:

[ERROR] Failed to get LSA domain information for computer:receiver, Error 5 (0x5)

Similarly,

Enter-PSSession -ComputerName receiver;

dfsrdiag backlog /smem:source /rmem:receiver /rgname:"Group" /rfname:"Folder"

fails with:

[ERROR] Failed to get LSA domain information for computer:source, Error 5 (0x5)

source and receiver are in the same domain and my account is in the administrators group on both.

Any ideas?

PowerShell Get-DFSRBacklog fails in a similar manner when executed from a PSSession.

Improve this question

1 Answer 1

Reset to default
1

have you taken a look at the "double hop problem" yet?

PowerShell Remoting Kerberos Double Hop Solved Securely | Microsoft Learn

https://learn.microsoft.com/en-us/archive/blogs/ashleymcglone/powershell-remoting-kerberos-double-hop-solved-securely

Improve this answer
2
  • It does look like a Kerberos double-hop issue. I tried creating a configuration (register-pssession) containing freshly prompted admin credentials, and then connecting with that configuration, but no luck. Commented Oct 28 at 14:17
  • @dividius -- it looks like "Resource-based Kerberos constrained delegation" is your best bet. if that is not available, then some other form of "constrained delegation" will be needed. Commented Oct 28 at 20:14

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.