Powershell remoting from a host outside the domain in Windows Server 2008 R2

  • Question

  • Hello!
    This is my first post, I hope this is the right Forum section to ask.
    I'm running Windows Server 2008 R2 (Service Pack 1) as a Domain Controller in a LAN. It runs Powershell 5.1. Powershell remote access to the server is granted for any other host of the Domain inside the same LAN (even without password, if I previously logged in to the host as MyDomain\Administrator).

    The Domain controller has access to the internet through a router. I forwarded the Domain controller ports 5985 and 5986 to two random ports in the router public interface, which has a public IP address. I would like, from an external Windows 10 host running Powershell 5.1, to access the Domain controller by connecting to this public IP address. Is this possible? If yes, how?

    The external host does not belong to MyDomain, of course.

    Till now, in the external host, I tried:

    PS C:\> WinRm qc

    (to activate the remoting service and create the Firewall rules).

    PS C:\> Set-Item wsman:\localhost\client\trustedhosts <router_IP>:<external_port_mapped_to_5985>
    

    and it shows up as a TrustedHost. Also,

    PS C:\> Test-WsMan <router_IP> -port <external_port_mapped_to_5985>

    works. But then, if I try:

    PS C:\> Enter-PSSession -Computername <router_IP> -port <external_port_mapped_to_5985> -Credential MyDomain\Administrator

    it fails. It states that a host, if it does not belong to the domain, must use https to enter a PS session. But if I try

    PS C:\> Set-Item wsman:\localhost\client\trustedhosts <router_IP>:<external_port_mapped_to_5986>

    PS C:\> Test-WsMan <router_IP> -port <external_port_mapped_to_5986>

    it fails. Maybe the https service must be activated on the server? Maybe I should also use the server certificate (which is a self-signed certificate)? I have at this point some confusion about the services that must be enabled and the steps that I should follow.

    Thanks for having read!

    Willard

    Saturday, October 26, 2019 8:35 AM

Answers

  • To use remoting from a non-domain source you must enable CredSSP. There is no need to make changes to the registry or firewall. The setup for CredSSP will do all necessary changes.

    Search for articles on enabling and configuring CredSSP.


    \_(ツ)_/

    • Marked as answer by Willard Kane Monday, October 28, 2019 11:22 AM
    Saturday, October 26, 2019 6:55 PM

All replies

  • Thank you so much. The configuration, as you anticipated, is pretty simple. If anyone is interested, here are the steps that I followed.

    Server

    PS C:\> Enable-PSRemoting
    PS C:\> Enable-WSManCredSSP -Role Server

    In Get-WSManCredSSP, it is important that "This computer is configured to receive credentials from a remote client computer".


    Client

    PS C:\> Enable-PSRemoting
    PS C:\> Set-Item WSMan:\localhost\Client\TrustedHosts <router_public_IP_address>

    (do not use the notation IP:port of the original question; specify instead only the IP address here)

    PS C:\> Test-WSMan <router_public_IP_address> -Port <external_port_mapped_to_5985>

    (specify the port now)

    PS C:\> Enable-WSManCredSSP -Role Client -DelegateComputer *

    (The argument of DelegateComputer is the hostname of the remote server you want to log in to. You can specify something more restricted: host.mydomain.com, or *.mydomain.com. See the documentation for more examples)

    In Get-WSManCredSSP, it is important that "The machine is configured to allow delegating fresh credentials".

    PS C:\> $session1 = New-PSSession -ComputerName <router_public_IP_address> -Port <external_port_mapped_to_5985> -Credential MyDomain\Administrator
    PS C:\> Enter-PSSession $session1
    Monday, October 28, 2019 11:22 AM
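
An added example, not part of the thread: a read-only PowerShell check of the settings the steps above change (client TrustedHosts and CredSSP delegation targets) and of the server's WinRM listeners. The function names are hypothetical, and it assumes Enable-WSManCredSSP recorded the delegation targets in the AllowFreshCredentials policy key, as that cmdlet is documented to do.

```powershell
# Added example, not from the thread. Read-only; run in an elevated session.

# Client side: report what the TrustedHosts and CredSSP steps left configured.
function Get-WinRmClientExposure {
    # Hosts this client accepts without Kerberos or certificate-based server authentication.
    $raw = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
    $trusted = @("$raw" -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })

    # Assumption: Enable-WSManCredSSP -Role Client stored each -DelegateComputer
    # target as a "wsman/<target>" value under the AllowFreshCredentials policy key.
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentials'
    $targets = @()
    if (Test-Path $policy) {
        $key = Get-Item $policy
        $targets = @($key.GetValueNames() | ForEach-Object { $key.GetValue($_) })
    }

    [pscustomobject]@{
        TrustedHosts         = $trusted
        TrustedHostsWildcard = $trusted -contains '*'
        CredSspClientEnabled = "$((Get-Item WSMan:\localhost\Client\Auth\CredSSP).Value)" -eq 'true'
        DelegationTargets    = $targets
        DelegationWildcard   = $targets -contains 'wsman/*'
    }
}

# Server side: list each listener with its transport and port, for example
# to see whether an HTTPS listener exists at all.
function Get-WinRmListenerSummary {
    Get-ChildItem WSMan:\localhost\Listener | ForEach-Object {
        # Listener keys are strings such as "Transport=HTTP" and "Address=*".
        $kv = @{}
        foreach ($pair in $_.Keys) {
            $name, $value = $pair -split '=', 2
            $kv[$name] = $value
        }
        [pscustomobject]@{
            Listener  = $_.Name
            Transport = $kv['Transport']
            Address   = $kv['Address']
            Port      = (Get-Item "WSMan:\localhost\Listener\$($_.Name)\Port").Value
        }
    }
}

Get-WinRmClientExposure | Format-List
Get-WinRmListenerSummary | Format-Table -AutoSize
```

Run the first function on the external client and the second on the server; a `True` in either wildcard field means the client trusts, or delegates credentials to, any host rather than one named server.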