WinRM remoting server with local Administrator account

  • Question

  • I have a Windows 2012 R2 Standard server in the domain. I can open a PowerShell remote session when I use a domain account, but it doesn't work using a local account. Both client and server are in the same domain. Both user accounts are in the Administrators group.

    I have already tried TrustedHosts="*"

    The following command is working fine:

    New-PSSession -ComputerName myservername -Credential mydomainname\myusername1

    But the following command, using a local account,

    New-PSSession -ComputerName myservername -Credential myservername\myusername2 

    raises the following error message:

    New-PSSession : [myservername] Connecting to remote server myservername failed with the following error message : WinRM cannot process the request. The following error with errorcode 0x80090311 occurred while using Kerberos authentication: We can't sign you in with this credential because your domain isn't available. Make sure your device is connected to your organization's network and try again. If you previously signed in on this device with another credential, you can sign in with that credential.
     Possible causes are:
      -The user name or password specified are invalid.
      -Kerberos is used when no authentication method and no user name are specified.
      -Kerberos accepts domain user names, but not local user names.
      -The Service Principal Name (SPN) for the remote computer name and port does not exist.
      -The client and remote computers are in different domains and there is no trust between the two domains.
     After checking for the above issues, try the following:
      -Check the Event Viewer for events related to authentication.
      -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport. Note that computers in the TrustedHosts list might not be authenticated.
      -For more information about WinRM configuration, run the following command: winrm help config.
     For more information, see the about_Remote_Troubleshooting Help topic.
    At line:1 char:1
    + New-PSSession -ComputerName myservername -Credential my ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotingTransportException
        + FullyQualifiedErrorId : AuthenticationFailed,PSSessionOpenFailed

    Tuesday, January 28, 2020 3:02 PM

All replies

  • Did you follow the instructions in the error message?


    Tuesday, January 28, 2020 3:06 PM
  • Hi, Can you try this solution:

    "Vote or mark as answer if you think useful" "Marquer comme réponse les réponses qui ont résolu votre problème"

    Tuesday, January 28, 2020 3:36 PM
  • Hi, Can you try this solution:

    "Vote or mark as answer if you think useful" "Marquer comme réponse les réponses qui ont résolu votre problème"

    Please look at the date on that article. It is almost 10 years ago and only applied to the earliest version of Vista with PowerShell V2. That has never been the issue since MS adjusted WinRM and Windows to not have that issue.

    It is a very bad idea to disable UAC. It is also never necessary. It also won't solve this issue. The error code does not match at all: "0x80090311" for this issue and "0x80070005" for the old issue. The "7005" is a stock access denied message.

    It is critical to read the complete error message and follow the instructions as displayed.

    I use remoting with local accounts all of the time and have since the first version of WinRM.  The issue in the 2012 article was resolved years ago. 

    Don't use old articles from third parties to resolve new issues. Learn to read the error messages and research them correctly.

    Also both computers must be in a domain for this to work or CredSSP will be required.  This part of the request is unclear.


    • Edited by jrv Tuesday, January 28, 2020 4:16 PM
    Tuesday, January 28, 2020 4:15 PM
  • Yes, I did. I set * for the TrustedHosts. Also I set CredSSP on. Also I tried with the FQDN. The only thing which is suspicious to me is that it says "-Kerberos accepts domain user names, but not local user names." However, I don't know how to check this.

    Thank you

    Tuesday, January 28, 2020 6:42 PM
  • You haven't told us if the computer is domain connected or workgroup.  That is the first issue to be resolved.  CredSSP is not useful in a domain and in a workgroup it requires special considerations.


    Tuesday, January 28, 2020 6:45 PM
  • Both computers are in one domain.
    Tuesday, January 28, 2020 6:46 PM
  • Keep following the instructions in the error as there are another half dozen things you need to check.  SPN is one.

    Also the computer may have domain join issues or the AD it is using may have issues.

    You also have to state the OS you are connecting to. Be sure the password does not have any characters that are considered illegal. The authentication does NOT use Kerberos for local accounts. Local accounts are authenticated using NTLMv2.


    • Edited by jrv Tuesday, January 28, 2020 6:55 PM
    Tuesday, January 28, 2020 6:53 PM
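
The checks listed in the error message, walked through in order, as an added example that is not part of any post in this thread. It assumes the thread's placeholder names `myservername` and `myusername2`, an elevated PowerShell prompt, and that step 6 is run on the server rather than the client.

```powershell
# Added example. 'myservername' and 'myusername2' are the thread's placeholder names.
$server = 'myservername'
$cred   = Get-Credential -UserName "$server\myusername2" -Message "Local account on $server"

# 1. Authentication mechanisms the local WinRM client is allowed to use.
Get-ChildItem WSMan:\localhost\Client\Auth | Select-Object Name, Value

# 2. Current TrustedHosts value. With '*' the client will attempt NTLM against any
#    host name without verifying the host's identity (the error text itself notes
#    that TrustedHosts entries "might not be authenticated"), so list only the
#    server being tested. Set-Item overwrites the existing value.
(Get-Item WSMan:\localhost\Client\TrustedHosts).Value
Set-Item WSMan:\localhost\Client\TrustedHosts -Value $server -Force

# 3. SPNs registered on the server's computer account (a missing SPN is one of
#    the causes the error lists for the Kerberos path).
setspn -L $server

# 4. Authenticated WS-Man probe with the local account, naming the mechanism
#    instead of leaving it unspecified.
Test-WSMan -ComputerName $server -Credential $cred -Authentication Negotiate

# 5. Same for the session itself; on failure, show which error came back so it
#    can be compared with the original 0x80090311 / Kerberos message.
try {
    $session = New-PSSession -ComputerName $server -Credential $cred `
                             -Authentication Negotiate -ErrorAction Stop
    Invoke-Command -Session $session -ScriptBlock { whoami }
    Remove-PSSession $session
}
catch {
    $_.FullyQualifiedErrorId
    $_.Exception.Message
}

# 6. On the server: recent failed logons (event 4625 records the authentication
#    package that was used) and recent WinRM operational events.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents 5 |
    Format-List TimeCreated, Message
Get-WinEvent -LogName 'Microsoft-Windows-WinRM/Operational' -MaxEvents 20 |
    Select-Object TimeCreated, Id, LevelDisplayName, Message
```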