3

I am trying to connect PowerShell remotely to an Exchange server. This is to a separate AD Domain. (Connecting domainA to domainB) I can connect from domainA to servers on other domains just fine. I receive the following error:

PS Y:\Personal\scripts> $session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://server1.domainB.tld/PowerShell/ -Authentication Kerberos -Credential $cred New-PSSession : [server1.domainB.tld] Connecting to remote server server1.domainB.tld failed with the following error message : The user name or password is incorrect. For more information, see the about_Remote_Troubleshooting Help topic. At line:1 char:12 + $session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri ht ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotingTransportException + FullyQualifiedErrorId : LogonFailure,PSSessionOpenFailed

This isn't specific to this server, I get the same results to two other servers in the same domain.

My username is in UPN format [email protected] If I use domainB\me I get the following error:

PS Y:\Personal\scripts> $session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://server1.domainB.tld/PowerShell/ -Authentication Kerberos -Credential $cred New-PSSession : [server1.domainB.tld] Connecting to remote server server1.domainB.tld failed with the following error message : WinRM cannot process the request. The following error with errorcode 0x80090311 occurred while using Kerberos authentication: There are currently no logon servers available to service the logon request. Possible causes are: -The user name or password specified are invalid. -Kerberos is used when no authentication method and no user name are specified. -Kerberos accepts domain user names, but not local user names. -The Service Principal Name (SPN) for the remote computer name and port does not exist. -The client and remote computers are in different domains and there is no trust between the two domains. After checking for the above issues, try the following: -Check the Event Viewer for events related to authentication. -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport. Note that computers in the TrustedHosts list might not be authenticated. -For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic. At line:1 char:12 + $session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri ht ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotingTransportException + FullyQualifiedErrorId : AuthenticationFailed,PSSessionOpenFailed

I've also tried connecting to domainB from other domains and receive the same results. I assume there is a permission somewhere that needs to be set, but I'm not sure what.

wsman:\localhost\client\trustedhosts is set to the correct values

I can RDP in with the same credentials no problem, so I know my credentials are valid. I'm also a domain admin. Servers are Windows 2012 R2.

PSRemoting is enabled

[PS] D:\>Enable-PSRemoting -Force WinRM is already set up to receive requests on this computer. WinRM is already set up for remote management on this computer.

PSSessionConfiguration

Name : microsoft.powershell PSVersion : 4.0 StartupScript : RunAsUser : Permission : BUILTIN\Administrators AccessAllowed, BUILTIN\Remote Management Users AccessAllowed Name : microsoft.powershell.workflow PSVersion : 4.0 StartupScript : RunAsUser : Permission : BUILTIN\Administrators AccessAllowed, BUILTIN\Remote Management Users AccessAllowed Name : microsoft.powershell32 PSVersion : 4.0 StartupScript : RunAsUser : Permission : BUILTIN\Administrators AccessAllowed, BUILTIN\Remote Management Users AccessAllowed Name : microsoft.windows.servermanagerworkflows PSVersion : 3.0 StartupScript : RunAsUser : Permission : NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators AccessAllowed

In addition, I tried remoting from a server in domainB to server1.domainB and it works fine. So it has something to do with connecting from outside of the domain.

Test auth in IIS works fine

Removing -Authentication Kerberos or using Negotiate also results in errors

wsman trustedhosts - Added FQDN of client to server. Added FQDN and IP of server to client. No change.

What do I need to fix to be able to remote in here?

Improve this question
3
  • Are the domains in the same forest, or is there just a trust between them? Commented May 11, 2017 at 14:59
  • Neither I believe, but I am using credentials in the target domain. Commented May 11, 2017 at 18:42
  • I tried from a domain that DOES have trust, and I can get connected using domainB\user, but authenticating via UPN results in the same error Commented May 11, 2017 at 19:20

2 Answers 2

Reset to default
0

If it was a privileges issue, the error would say something like 'access denied'.

Somehow the server actually doesn't know your user (or the PW is incorrect).

You said that you are trying to connect 'from DomainA to DomainB'. That sounds like your user is located in DomainA, but you are telling the server that your user is located in DomainB.

Try connecting with [email protected] or me\domainA.

Improve this answer
7
  • The user I'm connecting with is indeed in domainB Commented May 11, 2017 at 7:07
  • Ok...did you run Enable-PSRemoting -Force on the server? Also, Get-PSSessionConfiguration could give some hints. Commented May 11, 2017 at 13:09
  • Yes. Added some additional information to the question Commented May 11, 2017 at 18:52
  • Strange. What does Get-Item wsman:\localhost\client\trustedhosts show on your client machine? Commented May 11, 2017 at 19:41
  • It is blank on the client. It's set to 10.34.5.106,10.35.33.86,10.35.33.87 on the server Commented May 11, 2017 at 19:54
0

Have you tried removing the -Authentication Kerberos from your New-PSSession? I have similar scripts for managing trusted domain exchange servers, but I do not specify the authentication type.

$session = New-PSSession -ConnectionUri "https://mail.server.com/Powershell" -ConfigurationName Microsoft.Exchange -Credential $cred
Improve this answer
2
  • Same result unfortunately :( PS Y:\Personal\scripts> $session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://******/PowerShell/ -Credential $cred New-PSSession : [******] Connecting to remote server ***** failed with the following error message : The user name or password is incorrect. Also there is no trust between the domains, so I'm using the UPN as the username Commented May 11, 2017 at 19:26
  • I am using DOMAIN\User in all of my scripts, but my instances are all trusted domains. Commented May 11, 2017 at 19:30

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.