4

I need to script some routine task to execute remotely from a serverA to many hosts, but a couple of them fail to execute the script.

If I execute this:

$cred = Get-Credential myUser
Invoke-Command -ComputerName serverB -ScriptBlock{gci d:\} -Credential $cred

or this:

Test-WSMan -ComputerName ServerB -Credential $cred -Authentication Negotiate 

I get the following error:

[SeverB] Connecting to remote server ServerB failed with the following error message : WinRM cannot process the request. The following error with errorcode 0x80090322 occurred while using Negotiate authentication: An unknown security error occurred.
Possible causes are:
  -The user name or password specified are invalid.
  -Kerberos is used when no authentication method and no user name are specified.
  -Kerberos accepts domain user names, but not local user names.
  -The Service Principal Name (SPN) for the remote computer name and port does not exist.
  -The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
  -Check the Event Viewer for events related to authentication.
  -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport. Note that computers in the TrustedHosts list might not be authenticated.
  -For more information about WinRM configuration, run the following command: winrm help config.
For more information, see the about_Remote_Troubleshooting Help topic.
    + CategoryInfo : OpenError: (serverB:String) [], PSRemotingTransportException
    + FullyQualifiedErrorId : -2144108387,PSSessionStateBroken

But when I used test-wsman alone:

Test-WSMan -ComputerName ServerB

wsmid           : http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd
ProtocolVersion : http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
ProductVendor   : Microsoft Corporation
ProductVersion  : OS: 0.0.0 SP: 0.0 Stack: 3.0

I don't know where the problem could be. I had already tried using enable-psremote, winrm qc, checking firewall settings and user privilege.

4
  • do you mean enable-psremoting? Commented Oct 6, 2017 at 14:33
  • also, have you tried adding serverb to trustedhosts (temporarily, as a test)? Commented Oct 6, 2017 at 14:33
  • 1
    @mike shepard yes, I'll edit my question. And also yes, I have already done that. Commented Oct 7, 2017 at 15:21
  • How about using IP address instead of server name? Commented Oct 8, 2017 at 3:28

3 Answers

1

Seems like an issue with an existing SPN mapping. In PowerShell you can delete the SPN account and retry.

setspn -D HTTP/SERVERNAME <domain account>
setspn -D HTTP/SERVERNAME.DOMAINAME.COM <domain account>

If the issue persists, you can check using the IP address (IPv4) instead of the server name to bypass the Kerberos error.

Source https://serverfault.com/questions/580411/windows-server-manager-kerberos-error-0x80090322

https://social.technet.microsoft.com/Forums/windows/en-US/a4c5c787-ea65-4150-8d16-2a19c569a589/enterpssession-winrm-cannot-process-the-request-kerberos-authentication-error-0x80090322?forum=winserverpowershell

1

I solved my problem. There is a known issue between Kerberos Authentication, Remote PowerShell and Integration Service (the server is running that app). Info can be found here and here.

I have to create an A record DNS to the server (serverB_alias) and set the HTTP SPN for this server to the account, specifying the port that wsman tries to connect (5985).

setspn -s http/serverB domain\user
setspn -s http/serverB.domain domain\user
setspn -s http/serverB_alias:5985 domain\user
setspn -s http/serverB_alias.domain:5985 domain\user

Finally, I add the alias DNS to server A's trusted host list using:

$curValue = (get-item wsman:\localhost\Client\TrustedHosts).value
set-item wsman:\localhost\Client\TrustedHosts -value "$curValue, serverB_alias"
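
Before deleting or adding HTTP SPNs as the two answers above do, it helps to see which account currently holds them. This is an added example, not part of the original posts: a read-only check in which the function name `Get-HttpSpnOwner` is hypothetical and `serverB` is the host name from the question. It assumes a domain-joined machine that can query Active Directory.

```powershell
# Added example: read-only. Nothing in AD or the WinRM configuration is changed.
function Get-HttpSpnOwner {
    param([Parameter(Mandatory)][string]$ComputerName)

    # LDAP prefix search; the regex below narrows it to exactly this host:
    # HTTP/<host>, HTTP/<host>.<domain>, and either form with a :port suffix.
    $searcher = [adsisearcher]"(servicePrincipalName=HTTP/$ComputerName*)"
    $searcher.PageSize = 500
    $searcher.PropertiesToLoad.AddRange(
        [string[]]@('samaccountname', 'objectclass', 'serviceprincipalname'))
    $pattern = '^HTTP/' + [regex]::Escape($ComputerName) + '(\.[^:/]+)?(:\d+)?$'

    foreach ($result in $searcher.FindAll()) {
        $isComputer = $result.Properties['objectclass'] -contains 'computer'
        foreach ($spn in $result.Properties['serviceprincipalname']) {
            if ($spn -match $pattern) {
                [pscustomobject]@{
                    SPN        = $spn
                    Account    = [string]$result.Properties['samaccountname'][0]
                    IsComputer = $isComputer
                }
            }
        }
    }
}

$owners = @(Get-HttpSpnOwner -ComputerName 'serverB')
$owners | Format-Table -AutoSize

# An HTTP SPN held by a user or service account is the mapping the answers
# above remove or re-register; record the owner before running setspn -D / -s.
$owners | Where-Object { -not $_.IsComputer } | ForEach-Object {
    Write-Warning "$($_.SPN) is registered to $($_.Account), not a computer account"
}

# The same SPN on more than one account is a duplicate.
$owners | Group-Object SPN | Where-Object Count -gt 1 | ForEach-Object {
    Write-Warning "Duplicate SPN $($_.Name): $($_.Group.Account -join ', ')"
}

# Review what is already in TrustedHosts: per the error text above, computers
# in that list might not be authenticated.
(Get-Item WSMan:\localhost\Client\TrustedHosts).Value

# Re-test with Kerberos forced, so a fallback mechanism cannot mask an SPN problem.
$cred = Get-Credential
Test-WSMan -ComputerName 'serverB' -Credential $cred -Authentication Kerberos
```

`setspn -X` reports duplicate SPNs across the domain and can be used to cross-check the result.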
0

I faced this issue on VMware and fixed it by following these steps:

I removed both ServerA and ServerB from Active Directory Users and Computers.

I then changed Network-ID of both ServerA and ServerB from Domain to Workgroup.

I then restarted both ServerA and ServerB and moved them back to Domain.

I then ran Enable-PSRemoting -force on both ServerA and ServerB if WinRM service is not running.
