Win2012 Ndes Service SPN breaks PS Remoting.

• Samstag, 2. März 2013 11:49

   

   
  

  0

  I've encountered an issue while setting up an Enterprise CA w/NDES on a Windows 2012 DC (all roles deployed on a single system).

  • Before configuring NDES, I've run "Enable-PSRemoting" on an Admin PS (logged as DC Admin), and I've answered Y to all the questions.
    

  Then I've followed the instructions published at the following address to configure the Ndes Account Service: http://technet.microsoft.com/en-us/library/hh831498.asp

  More specifically, after executing the following step:

  setspn -s http/CA1.cpandl.com cpandl\NdesService

  I noticed that launching the following (firewall OFF & NLA Domain Profile):

  enter-pssession localhost

  I received the following error:

  Enter-PSSession : Connecting to remote server localhost failed with the following message : WinRM cannot process the request. The following error with errorcode 0x80090322 occurred while using Negotiate authentication: An unknown security error occurred.

  BUT, if I remove the NdesService SPN...

  setspn -D http/CA1.cpandl.com cpandl\NdesService

  PS Remoting works again.

  Further testing reveals that when I manually run:
  

  setspn -s http/CA1.cpandl.com cpandl\NdesService
  setspn -s WSMAN/CA1.cpandl.com CA1
  setspn -s WSMAN/CA1 CA1
  

  then
  

  enter-pssession localhost

  successfully logs me in.
  

  • Unfortunately, after a CA1 Reboot (even if the WSMAN SPNs are present - confirmed by launching "setspn -l CA1"), PS Remoting doesn't work.

  Anyone able to shed some light re the following (unwanted) behaviour?

  • Typ geändert K_evin ZhuMicrosoft Contingent Staff, Moderator Donnerstag, 14. März 2013 09:11
  •  
  • Antworten
  • Zitieren