Error when using Invoke-Command for some particular commands
-
Thursday, March 01, 2012 10:20 AM
I am using a Windows 7 32-bit machine in the domain client.workdoman.com. I have a Windows 2008 Server R2 Standard 64-bit machine which is the DC of mydomain.com and which has Exchange Server 2007 installed. The following commands are passed from my Windows 7 machine. 192.168.117.138 is the IP address of the Windows 2008 Server.
When I pass the following command, I am able to get the correct output:
invoke-command -computername 192.168.117.138 -credential $myuser -scriptblock {add-pssnapin Microsoft.Exchange.Management.PowerShell.Admin; get-pssnapin}
Name : Microsoft.PowerShell.Diagnostics
PSVersion : 2.0
Description : This Windows PowerShell snap-in contains Windows Eventing and Performance Counter cmdlets.
PSComputerName : 192.168.117.138
Name : Microsoft.WSMan.Management
PSVersion : 2.0
Description : This Windows PowerShell snap-in contains cmdlets (such as Get-WSManInstance and Set-WSManInstance) that are used by the Windows PowerShell host to manage WSMan operations.
PSComputerName : 192.168.117.138
Name : Microsoft.PowerShell.Core
PSVersion : 2.0
Description : This Windows PowerShell snap-in contains cmdlets used to manage components of Windows PowerShell.
PSComputerName : 192.168.117.138
Name : Microsoft.PowerShell.Utility
PSVersion : 2.0
Description : This Windows PowerShell snap-in contains utility Cmdlets used to manipulate data.
PSComputerName : 192.168.117.138
Name : Microsoft.PowerShell.Host
PSVersion : 2.0
Description : This Windows PowerShell snap-in contains cmdlets (such as Start-Transcript and Stop-Transcript) that are provided for use with the Windows PowerShell console host.
PSComputerName : 192.168.117.138
Name : Microsoft.PowerShell.Management
PSVersion : 2.0
Description : This Windows PowerShell snap-in contains management cmdlets used to manage Windows components.
PSComputerName : 192.168.117.138
Name : Microsoft.PowerShell.Security
PSVersion : 2.0
Description : This Windows PowerShell snap-in contains cmdlets to manage Windows PowerShell security.
PSComputerName : 192.168.117.138
Name : Microsoft.Exchange.Management.PowerShell.Admin
PSVersion : 1.0
Description : Admin Tasks for the Exchange Server
PSComputerName : 192.168.117.138
But if I give this command, the following error is shown.
invoke-command -computername 192.168.117.138 -credential $myuser -scriptblock {add-pssnapin Microsoft.Exchange.Management.PowerShell.Admin; get-mailbox}
Active Directory operation failed on santron-ex1.mydomain.com. The supplied credential for 'MYDOMAIN\Administrator' on Bind
operation is invalid. Error Code: 0x31.
+ CategoryInfo : NotSpecified: (0:Int32) [Get-Mailbox], ADInvalidCredentialException
+ FullyQualifiedErrorId : D96ED9CC,Microsoft.Exchange.Management.RecipientTasks.GetMailbox
I don't know why this error happens. The Exchange Server snap-in is installed, and I can see the Exchange commands if I pass get-command instead of get-mailbox in the last command I have used here.
- Santron Manibharathi.
All Replies
-
Thursday, March 01, 2012 10:32 AM
What happens when you execute other commands for example:
invoke-command -computername 192.168.117.138 -credential $myuser -scriptblock {add-pssnapin Microsoft.Exchange.Management.PowerShell.Admin; get-executionpolicy}
invoke-command -computername 192.168.117.138 -credential $myuser -scriptblock {add-pssnapin Microsoft.Exchange.Management.PowerShell.Admin; Get-ExchangeServer}
invoke-command -computername 192.168.117.138 -credential $myuser -scriptblock {add-pssnapin Microsoft.Exchange.Management.PowerShell.Admin; Test-ServiceHealth}
This is to verify if the script only fails when you are executing Exchange cmdlets. Can you let me know what the results are?
-
Thursday, March 01, 2012 10:40 AM
Thanks for the reply Jaap. Here are the results.
> invoke-command -computername 192.168.117.138 -credential $myuser -scriptblock {add-pssnapin Microsoft.Exchange.Management.PowerShell.Admin;get-executionpolicy}
PSComputerName RunspaceId PSShowComputerName Value
-------------- ---------- ------------------ -----
192.168.117.138 edcfad86-4e3f-4215-ac93-b4... True RemoteSigned
> invoke-command -computername 192.168.117.138 -credential $myuser -scriptblock {add-pssnapin Microsoft.Exchange.Management.PowerShell.Admin;get-ExchangeServer}
Active Directory operation failed on santron-ex1.mydomain.com. The supplied credential for 'MYDOMAIN\Administrator' on Bind
operation is invalid. Error Code: 0x31.
+ CategoryInfo : NotSpecified: (0:Int32) [Get-ExchangeServer], ADInvalidCredentialException
+ FullyQualifiedErrorId : 5286CE7D,Microsoft.Exchange.Management.SystemConfigurationTasks.GetExchangeServer
> invoke-command -computername 192.168.117.138 -credential $myuser -scriptblock {add-pssnapin Microsoft.Exchange.Management.PowerShell.Admin;Test-ServiceHealth}
PSComputerName : 192.168.117.138
RunspaceId : c4a442ea-7c8b-46e9-9955-aca6ca0f8f33
PSShowComputerName : True
Role : Mailbox Server Role
RequiredServicesRunning : True
ServicesNotRunning : {}
ServicesRunning : {IISAdmin, MSExchangeADTopology, MSExchangeIS, MSExchangeMailboxAssistants...}
PSComputerName : 192.168.117.138
RunspaceId : c4a442ea-7c8b-46e9-9955-aca6ca0f8f33
PSShowComputerName : True
Role : Client Access Server Role
RequiredServicesRunning : True
ServicesNotRunning : {}
ServicesRunning : {IISAdmin, MSExchangeADTopology, MSExchangeFDS, MSExchangeIMAP4...}
PSComputerName : 192.168.117.138
RunspaceId : c4a442ea-7c8b-46e9-9955-aca6ca0f8f33
PSShowComputerName : True
Role : Unified Messaging Server Role
RequiredServicesRunning : True
ServicesNotRunning : {}
ServicesRunning : {MSExchangeADTopology, MSExchangeFDS, MSExchangeUM, MSSpeechService}
PSComputerName : 192.168.117.138
RunspaceId : c4a442ea-7c8b-46e9-9955-aca6ca0f8f33
PSShowComputerName : True
Role : Hub Transport Server Role
RequiredServicesRunning : True
ServicesNotRunning : {}
ServicesRunning : {MSExchangeADTopology, MSExchangeEdgeSync, MSExchangeTransport, MSExchangeTransportLogSearch}
- Santron Manibharathi.
- Edited by Santron Manibharathi Thursday, March 01, 2012 10:41 AM
-
Thursday, March 01, 2012 12:35 PM
This looks like it could be a "second hop" /credssp issue:
It looks like the snapin is getting loaded (it didn't complain about get-mailbox cmdlet not being found), but AD is not liking the credentials being used when it goes to access the directory at the DC.
[string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " "
- Edited by mjolinorMicrosoft Community Contributor Thursday, March 01, 2012 12:37 PM
- Proposed As Answer by Yan Li_Microsoft Contingent Staff, Moderator Friday, March 02, 2012 4:31 AM
- Marked As Answer by Santron Manibharathi Monday, March 05, 2012 11:54 AM
- Unmarked As Answer by Santron Manibharathi Friday, March 09, 2012 7:20 AM
-
Friday, March 02, 2012 5:19 AM (Moderator)
Hi,
In addition, I would like to suggest that you remote to the server and run those commands to check the result.
If the error still occurs, it seems that the issue is related to the user permissions; please refer to the Exchange forum below for more information:
Exchange Server
http://social.technet.microsoft.com/Forums/en/category/exchangeserver
Best Regards,
Yan Li
TechNet Community Support
-
Friday, March 02, 2012 6:17 AM
invoke-command -computername 192.168.117.138 -credential $myuser -scriptblock {add-pssnapin Microsoft.Exchange.Management.PowerShell.Admin;get-ExchangeServer} -Auth CredSSP
This looks like it could be a "second hop" /credssp issue:
It looks like the snapin is getting loaded (it didn't complain about get-mailbox cmdlet not being found), but AD is not liking the credentials being used when it goes to access the directory at the DC.
[string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " "
[192.168.117.138] Connecting to remote server failed with the following error message : The WinRM client cannot process the request. A computer policy does not allow the delegation of the user credentials to the target computer because the computer is not trusted. The identity of the target computer can be verified if you configure the WSMAN service to use a valid certificate using the following command: winrm set winrm/config/service '@{CertificateThumbprint="<thumbprint>"}' Or you can check the Event Viewer for an event that specifies that the following SPN could not be created: WSMAN/<computerFQDN>. If you find this event, you can manually create the SPN using setspn.exe . If the SPN exists, but CredSSP cannot use Kerberos to validate the identity of the target computer and you still want to allow the delegation of the user credentials to the target computer, use gpedit.msc and look at the following policy: Computer Configuration -> Administrative Templates -> System -> Credentials Delegation -> Allow Fresh Credentials with NTLM-only Server Authentication. Verify that it is enabled and configured with an SPN appropriate for the target computer. For example, for a target computer name "myserver.domain.com", the SPN can be one of the following: WSMAN/myserver.domain.com or WSMAN/*.domain.com. Try the request again after these changes. For more information, see the about_Remote_Troubleshooting Help topic.
+ CategoryInfo : OpenError: (:) [], PSRemotingTransportException
+ FullyQualifiedErrorId : PSSessionStateBroken
I get the above error after configuring CredSSP in both the machines.
- Santron Manibharathi.
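An added example, not part of any post in this thread, of the CredSSP setup that the "second hop" diagnosis and the WinRM error text above point to. It assumes santron-ex1.mydomain.com (the name in the Active Directory error output) is the Exchange server at 192.168.117.138, and it reads the Credentials Delegation policy values from their standard registry location.

```powershell
# Added example, not from the thread. Assumption: santron-ex1.mydomain.com
# (the name in the error output) is the Exchange server at 192.168.117.138.
$server = 'santron-ex1.mydomain.com'
$spn    = "WSMAN/$server"

# On the server, from an elevated prompt, accept delegated credentials:
#   Enable-WSManCredSSP -Role Server -Force

# On the client, from an elevated prompt. Name the one host explicitly:
# CredSSP hands the user's full credential to the target, so a wildcard
# such as *.mydomain.com would extend that trust to every host it matches.
Enable-WSManCredSSP -Role Client -DelegateComputer $server -Force
Get-WSManCredSSP    # confirm what the client will delegate to

# The WinRM error names the "Allow Fresh Credentials with NTLM-only Server
# Authentication" policy, which applies when Kerberos cannot validate the
# target (for example, when connecting by IP address). Report whether each
# delegation policy has an entry that covers the SPN for this server.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
foreach ($name in 'AllowFreshCredentials', 'AllowFreshCredentialsWhenNTLMOnly') {
    $key     = Join-Path $policyRoot $name
    $entries = @()
    if (Test-Path $key) {
        # Policy entries are stored as numbered string values under the key.
        $entries = @((Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { $_.Value })
    }
    # Entries may contain wildcards (WSMAN/*.mydomain.com), so match with -like.
    $covered = @($entries | Where-Object { $_ -and ($spn -like $_) }).Count -gt 0
    '{0,-34} covers {1}: {2}' -f $name, $spn, $covered
}

# Connect with the same name that was given to -DelegateComputer, and ask
# for CredSSP so the Exchange cmdlets can bind to Active Directory.
$myuser = Get-Credential 'MYDOMAIN\Administrator'
Invoke-Command -ComputerName $server -Credential $myuser -Authentication Credssp -ScriptBlock {
    Add-PSSnapin Microsoft.Exchange.Management.PowerShell.Admin
    Get-Mailbox
}
```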

