none
Error when using Invoke-Command for some particular commands

    Question

  • I am using Windows 7 32-bit machine in the domain client.workdoman.com. I have aWindows 2008 Server R2 Standard 64-bit machine which isDC of mydomain.com which has Exchange server 2007 installed. The following commands are passed from my Windows 7 machine. 192.168.117.138 is the ip address of Windows 2008 Server.

    When i pass the following command, i am able to get the correct output

    invoke-command -computername 192.168.117.138 -credential $myuser -scriptblock {add-pssnapin Microsoft.Exchange.Management.PowerShell.Admin; get-pssnapin}

    Name           : Microsoft.PowerShell.Diagnostics
    PSVersion      : 2.0
    Description    : This Windows PowerShell snap-in contains Windows Eventing and Performance Counter cmdlets.
    PSComputerName : 192.168.117.138

    Name           : Microsoft.WSMan.Management
    PSVersion      : 2.0
    Description    : This Windows PowerShell snap-in contains cmdlets (such as Get-WSManInstance and Set-WSManInstance) tha
                     t are used by the Windows PowerShell host to manage WSMan operations.
    PSComputerName : 192.168.117.138

    Name           : Microsoft.PowerShell.Core
    PSVersion      : 2.0
    Description    : This Windows PowerShell snap-in contains cmdlets used to manage components of Windows PowerShell.
    PSComputerName : 192.168.117.138

    Name           : Microsoft.PowerShell.Utility
    PSVersion      : 2.0
    Description    : This Windows PowerShell snap-in contains utility Cmdlets used to manipulate data.
    PSComputerName : 192.168.117.138

    Name           : Microsoft.PowerShell.Host
    PSVersion      : 2.0
    Description    : This Windows PowerShell snap-in contains cmdlets (such as Start-Transcript and Stop-Transcript) that a
                     re provided for use with the Windows PowerShell console host.
    PSComputerName : 192.168.117.138

    Name           : Microsoft.PowerShell.Management
    PSVersion      : 2.0
    Description    : This Windows PowerShell snap-in contains management cmdlets used to manage Windows components.
    PSComputerName : 192.168.117.138

    Name           : Microsoft.PowerShell.Security
    PSVersion      : 2.0
    Description    : This Windows PowerShell snap-in contains cmdlets to manage Windows PowerShell security.
    PSComputerName : 192.168.117.138

    Name           : Microsoft.Exchange.Management.PowerShell.Admin
    PSVersion      : 1.0
    Description    : Admin Tasks for the Exchange Server
    PSComputerName : 192.168.117.138

    but if i give this command, the following error is shown.

    invoke-command -computername 192.168.117.138 -credential $myuser -scriptblock {add-pssnapin Microsoft.Exchange.Management.PowerShell.Admin; get-mailbox}

    Active Directory operation failed on santron-ex1.mydomain.com. The supplied credential for 'MYDOMAIN\Administrator' on Bind
    operation is invalid. Error Code: 0x31.
        + CategoryInfo          : NotSpecified: (0:Int32) [Get-Mailbox], ADInvalidCredentialException
        + FullyQualifiedErrorId : D96ED9CC,Microsoft.Exchange.Management.RecipientTasks.GetMailbox

    I dont know why this error happens. The Exchange server snapin is installed and i can see the exchange commands if i pass get-command instead of get-mailbox in the last command i have used here.


    - Santron Manibharathi.

    Thursday, March 01, 2012 10:20 AM

All replies

  • What happens when you execute other commands for example:

    invoke-command -computername 192.168.117.138 -credential $myuser -scriptblock {add-pssnapin Microsoft.Exchange.Management.PowerShell.Admin; get-executionpolicy
    
    invoke-command -computername 192.168.117.138 -credential $myuser -scriptblock {add-pssnapin Microsoft.Exchange.Management.PowerShell.Admin; Get-ExchangeServer 
    
    invoke-command -computername 192.168.117.138 -credential $myuser -scriptblock {add-pssnapin Microsoft.Exchange.Management.PowerShell.Admin; Test-ServiceHealth

    This is to verify if the script only fails when you are executing Exchange cmdlets. Can you let me know what the results are?

    Thursday, March 01, 2012 10:32 AM
  • Thanks for the reply Jaap. Here are the results.

    > invoke-command -computername 192.168.117.138 -credential $myuser -scriptblock {add-pssnapin Microsoft.Exchange.Management.PowerShell.Admin;get-executionpolicy}

    PSComputerName                RunspaceId                               PSShowComputerName Value
    --------------                ----------                               ------------------ -----
    192.168.117.138               edcfad86-4e3f-4215-ac93-b4...                          True RemoteSigned


    > invoke-command -computername 192.168.117.138 -credential $myuser -scriptblock {add-pssnapin Microsoft.Exchange.Management.PowerShell.Admin;get-ExchangeServer}
    Active Directory operation failed on santron-ex1.mydomain.com. The supplied credential for 'MYDOMAIN\Administrator' on Bind
     operation is invalid. Error Code: 0x31.
        + CategoryInfo          : NotSpecified: (0:Int32) [Get-ExchangeServer], ADInvalidCredentialException
        + FullyQualifiedErrorId : 5286CE7D,Microsoft.Exchange.Management.SystemConfigurationTasks.GetExchangeServer

    > invoke-command -computername 192.168.117.138 -credential $myuser -scriptblock {add-pssnapin Microsoft.Exchange.Management.PowerShell.Admin;Test-ServiceHealth}


    PSComputerName          : 192.168.117.138
    RunspaceId              : c4a442ea-7c8b-46e9-9955-aca6ca0f8f33
    PSShowComputerName      : True
    Role                    : Mailbox Server Role
    RequiredServicesRunning : True
    ServicesNotRunning      : {}
    ServicesRunning         : {IISAdmin, MSExchangeADTopology, MSExchangeIS, MSExchangeMailboxAssistants...}

    PSComputerName          : 192.168.117.138
    RunspaceId              : c4a442ea-7c8b-46e9-9955-aca6ca0f8f33
    PSShowComputerName      : True
    Role                    : Client Access Server Role
    RequiredServicesRunning : True
    ServicesNotRunning      : {}
    ServicesRunning         : {IISAdmin, MSExchangeADTopology, MSExchangeFDS, MSExchangeIMAP4...}

    PSComputerName          : 192.168.117.138
    RunspaceId              : c4a442ea-7c8b-46e9-9955-aca6ca0f8f33
    PSShowComputerName      : True
    Role                    : Unified Messaging Server Role
    RequiredServicesRunning : True
    ServicesNotRunning      : {}
    ServicesRunning         : {MSExchangeADTopology, MSExchangeFDS, MSExchangeUM, MSSpeechService}

    PSComputerName          : 192.168.117.138
    RunspaceId              : c4a442ea-7c8b-46e9-9955-aca6ca0f8f33
    PSShowComputerName      : True
    Role                    : Hub Transport Server Role
    RequiredServicesRunning : True
    ServicesNotRunning      : {}
    ServicesRunning         : {MSExchangeADTopology, MSExchangeEdgeSync, MSExchangeTransport, MSExchangeTransportLogSearch}


    - Santron Manibharathi.


    Thursday, March 01, 2012 10:40 AM
  • This looks like it could be a "second hop" /credssp issue:

      http://blogs.msdn.com/b/powershell/archive/2008/06/05/credssp-for-second-hop-remoting-part-i-domain-account.aspx

    It looks like the snapin is getting loaded (it didn't complain about get-mailbox cmdlet not being found), but AD is not liking the credentials being used when it goes to access the directory at the DC.


    [string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " "


    Thursday, March 01, 2012 12:35 PM
  • Hi,

    In addition, I would like suggest you remote to the server and run those commands to check out the result.

    If there are still occuring the error, it seems like that the issue is related with the user permission, please refer to the below Exchange forum for more information:

    Exchange Server

    http://social.technet.microsoft.com/Forums/en/category/exchangeserver

    Best Regards,

    Yan Li


    Yan Li

    TechNet Community Support

    Friday, March 02, 2012 5:19 AM
    Moderator
  • This looks like it could be a "second hop" /credssp issue:

      http://blogs.msdn.com/b/powershell/archive/2008/06/05/credssp-for-second-hop-remoting-part-i-domain-account.aspx

    It looks like the snapin is getting loaded (it didn't complain about get-mailbox cmdlet not being found), but AD is not liking the credentials being used when it goes to access the directory at the DC.


    [string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " "


    invoke-command -computername 192.168.117.138 -credential $myuser -scriptblock {add-pssnapin Micosoft.Exchange.Management.PowerShell.Admin;get-ExchangeServer} -Auth CredSSP
    [192.168.117.138] Connecting to remote server failed with the following error message : The WinRM client cannot process
     the request. A computer policy does not allow the delegation of the user credentials to the target computer because th
    e computer is not trusted. The identity of the target computer can be verified if you configure the WSMAN service to us
    e a valid certificate using the following command: winrm set winrm/config/service '@{CertificateThumbprint="<thumbprint
    >"}'  Or you can check the Event Viewer for an event that specifies that the following SPN could not be created: WSMAN/
    <computerFQDN>. If you find this event, you can manually create the SPN using setspn.exe .  If the SPN exists, but Cred
    SSP cannot use Kerberos to validate the identity of the target computer and you still want to allow the delegation of t
    he user credentials to the target computer, use gpedit.msc and look at the following policy: Computer Configuration ->
    Administrative Templates -> System -> Credentials Delegation -> Allow Fresh Credentials with NTLM-only Server Authentic
    ation.  Verify that it is enabled and configured with an SPN appropriate for the target computer. For example, for a ta
    rget computer name "myserver.domain.com", the SPN can be one of the following: WSMAN/myserver.domain.com or WSMAN/*.dom
    ain.com. Try the request again after these changes. For more information, see the about_Remote_Troubleshooting Help top
    ic.
        + CategoryInfo          : OpenError: (:) [], PSRemotingTransportException
        + FullyQualifiedErrorId : PSSessionStateBroken

    I get the above error after configuring CredSSP in both the machines.

    - Santron Manibharathi.

    Friday, March 02, 2012 6:17 AM