PSsession remote access across domain trust
-
Thursday, July 01, 2010 1:52 PM
Hello all, thanks for your help in advance. Below is the current script we have in our env for connecting to Hyper-V hosts & determining values on running VMs. The trick here is getting it to function across 2 domains which include a 1-way non-transitive trust relationship.
Domain A) Domain functional level - Server 2003
Domain B) Domain functional level - Server 2008
In this setup Domain A has a 1 way non transitive trust w/ Domain B.
$VMHost = "hypervhost"
$Session = New-PSSession $VMHost -Credential (Get-Credential)
Invoke-Command -Session $Session -ScriptBlock {
    $Env = "environment"
    CD D:\PSt\Scripts\
    . .\hyperv.ps1
    Get-VM $Env*
}
Remove-PSSession $Session
The script runs fine for domain B, but when logins for domain A are used we get the following error.
Connecting to remote server failed with the following error message : WinRM cannot process the request. The following error occured while using Kerberos authentication: The network path was not found.
Possible causes are:
-The user name or password specified are invalid. Doubtful, we know the login works for the 2nd domain.
-Kerberos is used when no authentication method and no user name are specified. No Authentication method is mentioned,
-Kerberos accepts domain user names, but not local user names. We’re using domain accounts, so N/A.
-The Service Principal Name (SPN) for the remote computer name and port does not exist. No idea.
-The client and remote computers are in different domains and there is no trust between the two domains. There is a 1-way non-transitive trust from domain A to domain B (accounts in domain B can access domain A resources, but not vice versa).
The event logs don't really help, either for the target machine or the client.
I can fully understand if this query is determined to be in the wrong forum, but it uses PS & my thoughts were that perhaps another admin has experience w/ this scenario & what the resolution is, thanks.
All Replies
-
Thursday, July 01, 2010 7:04 PM
-
Thursday, July 01, 2010 8:06 PM
The only system I am, at least for the moment, concerned with remotely administering via PowerShell is the Hyper-V host & it has the following output from winrm quickconfig.
"WinRM already is set up to receive requests on this machine.
WinRM already is set up for remote management on this machine."
I am not concerned w/ the client having to receive requests, so what other systems do you mean, Domain controllers?
Not sure on the firewall between the domains, it might be the case, but my domain A credentials work for interactive logons for the hyper V host.
If it is a domain problem, where shall I proceed to resolve the issue?
-
Tuesday, July 06, 2010 2:52 PM
Based on your original message, can you connect to a machine in domain A from a machine in domain A? If you have, it's pretty safe to say it's either a firewall issue or an account/trust problem.
To see if the firewall is a problem do a telnet from A to B over port 5985:
telnet Server 5985
It should show a cursor and if you hit CTRL+C it will spit out Bad Request. That means you can connect to the winrm service just fine, and that it's then a security issue.
I'm not sure what winrm uses by default for a security mechanism but you can specify it with the enter-pssession. From this point on I'm not sure how helpful I can be, but maybe the "default" is just not supported via your trust (ie older domain). It would be nice if it told you what the "default" was but try a few of those options. I'm thinking Kerberos or Negotiate would be the two best options?
The other thing you might want to try is give an account from Domain A RDP access to a machine in Domain B and see if it lets you login ok just to prove the trust is ok.
Give those things a try and see how it goes... good luck.
Justin
-
Tuesday, July 06, 2010 7:03 PM
can you connect to a machine in domain A from a machine in domain A?
Yes, I tried from multiple machines (non DC’s in Domain A though), so I suspect FW is likely the culprit. Telnet on that port wasn't able to access, however I am not sure what the FW settings are between the domains, so this is inconclusive.
I am not certain, but with server 2008 I think the authentication it defaults to use is different from server 2003, but I am skeptical this being the case as the logons work over a regular rdc session, so it's odd that a pssession would fail.
Thanks for your help Justin.
-
Tuesday, July 06, 2010 7:16 PM
If the telnet didn't work, then there is a problem with connectivity, and not security. If the telnet takes a long time to fail (20 sec or more) then it can't get to the host at all. If it fails quickly (5 sec or less) then it gets to the host but the attempt is rejected (because the port's not open or the system actively refuses it). Does it fail quickly or does it take a min?
"cschaar" wrote in message news:22a2a3ed-6405-40c3-8c14-5e4d2fdbcd8e@communitybridge.codeplex.com...
can you connect to a machine in domain A from a machine in domain A?
Yes, I tried from multiple machines (non DC's in Domain A though), so I suspect FW is likely the culprit. Telnet on that port wasn't able to access, however I am not sure what the FW settings are between the domains, so this is inconclusive.
I am not certain, but with server 2008 I think the authentication it defaults to use is different from server 2003, but I am skeptical this being the case as the logons work over a regular rdc session, so it's odd that a pssession would fail.
Thanks for your help Justin.
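The checks Justin describes in his two replies (a timed connection test to the WinRM port, then trying Kerberos and Negotiate explicitly) gathered into one script that can be saved as a .ps1 and run from the domain A client. This is an added example, not code from the thread or from the hyperv.ps1 library the original post uses; the host name "hypervhost", the default WinRM HTTP port 5985 and the function names Test-WinRmPort and Test-WinRmAuth are assumptions.

```powershell
# Added example, not code from the thread: works through Justin's checks from
# the client side. Assumed names: $VMHost (the Hyper-V host), 5985 (default
# WinRM HTTP port) and the credential prompt; nothing else is taken from the post.
param(
    [string]$VMHost = "hypervhost",
    [int]$Port = 5985
)

# Step 1: TCP reachability with timing. Justin's rule of thumb: a failure after
# ~20 s means nothing reached the host (firewall/route); a failure within a few
# seconds means the host answered and refused (nothing listening on the port).
function Test-WinRmPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 20000)
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    $client = New-Object System.Net.Sockets.TcpClient
    $open = $false
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if ($async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            $client.EndConnect($async)   # throws on "connection refused"
            $open = $client.Connected
        }
    } catch { $open = $false }
    finally { $sw.Stop(); $client.Close() }
    New-Object PSObject -Property @{
        Host = $ComputerName; Port = $Port; Open = $open
        Seconds = [math]::Round($sw.Elapsed.TotalSeconds, 1)
    }
}

# Step 2: does WinRM answer, and with which authentication? Test-WSMan reports
# the same Kerberos error text as New-PSSession when the SPN/trust path is the
# problem, but it is cheaper than opening a runspace for each attempt.
function Test-WinRmAuth {
    param([string]$ComputerName, [int]$Port,
          [System.Management.Automation.PSCredential]$Credential)
    foreach ($auth in "Kerberos", "Negotiate") {
        try {
            $null = Test-WSMan -ComputerName $ComputerName -Port $Port `
                -Credential $Credential -Authentication $auth -ErrorAction Stop
            "{0,-10} OK" -f $auth
        } catch {
            "{0,-10} FAILED: {1}" -f $auth, ($_.Exception.Message -split "`n")[0]
        }
    }
}

$tcp = Test-WinRmPort -ComputerName $VMHost -Port $Port
$tcp | Format-List Host, Port, Open, Seconds
if (-not $tcp.Open) {
    if ($tcp.Seconds -ge 15) { "Timed out: traffic is not reaching $VMHost; look at the firewall between the domains." }
    else                     { "Refused quickly: host reachable but nothing listening on $Port; check 'winrm quickconfig' on the host." }
    return
}

# Step 3 (optional): list the SPNs registered for the host's computer account.
# WinRM on Server 2008 registers WSMAN/<host>; a missing SPN is one of the
# causes in the error text. setspn.exe ships with the AD DS tools.
setspn -L $VMHost 2>&1 | Select-String "WSMAN"

# Step 4: try the two authentication methods Justin suggests. Negotiate falls
# back to NTLM, which does not need a Kerberos ticket from the trusting domain,
# so it is the one most likely to succeed across a one-way, non-transitive trust.
$Cred = Get-Credential   # enter the DOMAINA\user account that fails today
Test-WinRmAuth -ComputerName $VMHost -Port $Port -Credential $Cred
```

The timing threshold in step 1 only separates "no route" from "refused"; if the port is open but Test-WSMan still fails with the Kerberos text, the problem is in authentication, and the step 4 output shows whether Negotiate (NTLM) gets through where Kerberos does not.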
-
Tuesday, August 17, 2010 6:38 PM
FYI I'm having the same issue within the same domain on Exchange 2007 on Windows 2008 x64.
This is with no virtual machines and coming off the same subnet. Trying to connect with a Windows 7 workstation.
The full error is
[webmail.xxx.org] Connecting to remote server failed with the following error message : WinRM cannot process the request. The following error occured while using Kerberos authentication: The network path was not found.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does not exist.
-The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
+ CategoryInfo : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [], PSRemotingTransportException
+ FullyQualifiedErrorId : PSSessionOpenFailed
-
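The full error text quoted in this reply names two ways past a Kerberos failure: adding the target to the client's TrustedHosts, or using HTTPS transport, with the caveat that TrustedHosts entries are not authenticated. The script below, an added example and not code from the thread, shows both with that trade-off made explicit: HTTPS is tried first because the listener's certificate authenticates the host, and the TrustedHosts fallback is opt-in and adds one named host only. The host name "hypervhost", the function names, the -AllowTrustedHosts switch and the existence of an HTTPS listener on the default port 5986 are assumptions; the script path and hyperv.ps1 come from the original post.

```powershell
# Added example, not code from the thread: the two alternatives the error text
# lists when Kerberos cannot be used. Assumed: $VMHost (target host name) and,
# for the HTTPS path, a WinRM HTTPS listener on the default port 5986.
$VMHost = "hypervhost"       # assumed name
$Cred   = Get-Credential     # the domain account that fails with Kerberos

# Option A: put the single target host in the client's TrustedHosts so the
# client will send NTLM (via Negotiate) over plain HTTP. The error text's
# caveat applies: entries here are not authenticated, so the client can no
# longer verify it is talking to the real host. Add one name, never "*".
function Add-WinRmTrustedHost {
    param([string]$HostName)
    $item = Get-Item WSMan:\localhost\Client\TrustedHosts
    $current = @($item.Value -split "," | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    if ($current -contains $HostName) { return $item.Value }
    $new = ($current + $HostName) -join ","
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value $new -Force   # needs an elevated shell
    return $new
}

# Option B: HTTPS transport. The listener's certificate authenticates the host,
# so TrustedHosts is not needed and the credential exchange is inside TLS.
function New-HyperVSession {
    param(
        [string]$ComputerName,
        [System.Management.Automation.PSCredential]$Credential,
        [switch]$AllowTrustedHosts   # assumed switch: opt in to option A
    )
    try {
        # Preferred path: HTTPS + Negotiate. Fails if there is no 5986 listener
        # or the certificate does not chain to a CA the client trusts.
        return New-PSSession -ComputerName $ComputerName -UseSSL `
            -Credential $Credential -Authentication Negotiate -ErrorAction Stop
    } catch {
        $reason = ($_.Exception.Message -split "`n")[0]
        if (-not $AllowTrustedHosts) {
            throw "HTTPS session to $ComputerName failed ($reason); rerun with -AllowTrustedHosts to use HTTP + TrustedHosts."
        }
        Write-Warning "HTTPS failed ($reason); falling back to TrustedHosts over HTTP for $ComputerName."
        $null = Add-WinRmTrustedHost -HostName $ComputerName
        return New-PSSession -ComputerName $ComputerName `
            -Credential $Credential -Authentication Negotiate -ErrorAction Stop
    }
}

# Same workflow as the original post, now over the negotiated session.
$Session = New-HyperVSession -ComputerName $VMHost -Credential $Cred
Invoke-Command -Session $Session -ScriptBlock {
    Set-Location D:\PSt\Scripts\
    . .\hyperv.ps1
    Get-VM environment*
}
Remove-PSSession $Session
```

Without -AllowTrustedHosts the function refuses to weaken the client configuration on its own; with it, the only change made is appending the one host name, so an existing TrustedHosts list (or an empty one) is preserved rather than overwritten.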
Thursday, January 20, 2011 5:21 PM
Did you ever find a resolution for this? I'm running into the same issue.
[xxx.xxx.com] Connecting to remote server failed with the following error message : WinRM cannot process the request. The following error occured while using Kerberos authentication: The network path was not found.
-
Thursday, January 20, 2011 5:36 PM