Handling CIM Exceptions

    Question

  • Hello There,

    I am working with Windows Deployment Services and ultimately I want to disable a host's capability to PXE boot after it has finished installing.  Currently I have a task sequence set up to run a PowerShell script that takes in domain credentials and then runs the Set-WdsClient cmdlet to disable the PXE boot.  However, I am constantly running into a CIM exception.  I am not sure how to handle these errors.  I am running this command on the freshly installed host after importing the WDS module through a PSSession with the install server.

    Invoke-Command -Credential $(Get-Credential) -ComputerName $(our install server) -ScriptBlock { Set-WDSClient -Verbose -DeviceID $(mac address) -DeviceName $(device name) -Domain -DomainName $(domain name) -User $(domain account with creds) -JoinRights Full -ReferralServer $(our install server) -pxePromptPolicy Abort }
    The operation being requested was not performed because the user has not been authenticated.
        + CategoryInfo          : NotSpecified: (MSFT_WdsClient:root/cimv2/MSFT_WdsClient) [Set-WdsClient], CimException
        + FullyQualifiedErrorId : 0x4DC,Set-WdsClient
        + PSComputerName        : $(our install server)
     NotSpecified: (MSFT_WdsClient:root/cimv2/MSFT_WdsClient) [Set-WdsClient], CimException
    Has anyone ever gotten a CIM exception like this before? Any help would be greatly appreciated.

    Thank You!

    ~Adam


    Thursday, July 12, 2018 3:08 PM

Answers

  • You cannot remotely access a remote computer. This is disallowed for security reasons. To remote from a remote system you must use CredSSP authentication.

    There is clearly no need to do what you are trying to do since the commands themselves can perform remote tasks from the local system.

    help credssp


    \_(ツ)_/

    • Marked as answer by MuckingFedic Friday, July 13, 2018 9:08 PM
    Friday, July 13, 2018 1:19 PM
    Moderator
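
The CredSSP approach this answer points to, combined with handling the `0x4DC` error from the question, as an added example that is not part of the original thread. It assumes `WDS00.company.com` is the FQDN of the thread's `WDS00` and reuses the thread's placeholder device values.

```powershell
# Added example, not from the thread. FQDN and device values are assumptions/placeholders.
$wds  = 'WDS00.company.com'
$cred = Get-Credential 'company\domainadmin'

# One-time, on the WDS server (elevated): accept delegated credentials.
#   Enable-WSManCredSSP -Role Server -Force

# On the calling host (elevated): delegate to this one server only, no wildcards.
Enable-WSManCredSSP -Role Client -DelegateComputer $wds -Force | Out-Null

# Same Set-WdsClient parameters as in the thread, passed in as a splatted hashtable.
$wdsArgs = @{
    DeviceID        = 'AA-BB-CC-DD-EE-FF'
    DeviceName      = 'testhost'
    Domain          = $true
    DomainName      = 'company.com'
    User            = 'company\domainadmin'
    JoinRights      = 'Full'
    ReferralServer  = 'WDS00'
    PxePromptPolicy = 'Abort'
}

$sb = {
    param($p)
    try {
        # -ErrorAction Stop makes the CIM error terminating so catch sees it.
        Set-WdsClient @p -ErrorAction Stop | Out-Null
        [pscustomobject]@{ Ok = $true; ErrorId = $null; Message = $null }
    }
    catch {
        # Return the error as data, e.g. ErrorId '0x4DC,Set-WdsClient'.
        [pscustomobject]@{ Ok = $false; ErrorId = $_.FullyQualifiedErrorId
                           Message = $_.Exception.Message }
    }
}

try {
    $r = Invoke-Command -ComputerName $wds -Credential $cred -Authentication Credssp `
        -ScriptBlock $sb -ArgumentList $wdsArgs -ErrorAction Stop
    if (-not $r.Ok -and $r.ErrorId -like '0x4DC,*') {
        # 0x4DC (1244) is ERROR_NOT_AUTHENTICATED, the error shown in the thread.
        Write-Error "WDS call was not authenticated: $($r.Message)"
    }
    elseif (-not $r.Ok) {
        Write-Error "Set-WdsClient failed ($($r.ErrorId)): $($r.Message)"
    }
}
finally {
    Disable-WSManCredSSP -Role Client   # do not leave delegation enabled
}
```

CredSSP hands the caller's full credentials to the remote server, so the delegation target should be a single trusted host and the client role should be disabled again once the call completes.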

All replies

  • You are not being authenticated.  Something is wrong with your account.

    Do it like this.  No variables can be used in the script block unless they are passed.

    $cred = Get-Credential domain\userid
    # Quoted strings below are placeholders for the real values.
    $sb = {
        Set-WDSClient -Verbose -DeviceID 'mac address' -DeviceName 'device name' -Domain -DomainName 'domain name' -User 'domain account with creds' -JoinRights Full -ReferralServer 'our install server' -pxePromptPolicy Abort
    }
    Invoke-Command -Credential $cred -ComputerName servername -ScriptBlock $sb

    Don't use $() around everything.


    \_(ツ)_/


    Thursday, July 12, 2018 4:04 PM
    Moderator
  • I was using $() around everything because I was trying to hide details about our servers, sorry :D I forgot that since this is PowerShell that could also mean a variable, my bad.  I am still having the same issue even when passing in a script block like how you did it.  Here is a much more verbose version of what I am doing.  I'll try and be more careful with the obfuscation this time though.

    PS C:\windows\system32> whoami
    company\domainadmin
    PS C:\windows\system32> hostname
    testhost
    PS C:\windows\system32> $cred = Get-Credential
    
    cmdlet Get-Credential at command pipeline position 1
    Supply values for the following parameters:
    Credential
    PS C:\windows\system32> Invoke-Command -Credential $cred -ComputerName "WDS00" -ScriptBlock { Write-Output "test" }
    test
    PS C:\windows\system32> get-module
    
    ModuleType Version    Name                                ExportedCommands
    ---------- -------    ----                                ----------------
    Manifest   3.1.0.0    Microsoft.PowerShell.Management     {Add-Computer, Add-Content, Checkpoint...
    Manifest   3.0.0.0    Microsoft.PowerShell.Security       {ConvertFrom-SecureString, ConvertTo-S...
    Manifest   3.1.0.0    Microsoft.PowerShell.Utility        {Add-Member, Add-Type, Clear-Variable,...
    Script     1.2        PSReadline                          {Get-PSReadlineKeyHandler, Get-PSReadl...
    Script     1.0        WDS                                 {Add-WdsDriverPackage, Approve-WdsClie...
    
    PS C:\windows\system32> $sb = { Set-WdsClient -Verbose -DeviceID "AA-BB-CC-DD-EE-FF" -DeviceName "testhost" -Domain -DomainName "company.com" -User "company\domainadmin" -JoinRights Full -ReferralServer "WDS00" -PxePromptPolicy Abort }
    PS C:\windows\system32> Invoke-Command -Credential $cred -ComputerName "WDS00" -ScriptBlock $sb
    The operation being requested was not performed because the user has not been authenticated.
        + CategoryInfo          : NotSpecified: (MSFT_WdsClient:root/cimv2/MSFT_WdsClient) [Set-WdsClient], CimException
        + FullyQualifiedErrorId : 0x4DC,Set-WdsClient
        + PSComputerName        : WDS00
    
    PS C:\windows\system32>

    This gets even more strange when I run this on the install server itself

    PS C:\windows\system32> whoami
    company\domainadmin
    PS C:\windows\system32> hostname
    WDS00
    PS C:\windows\system32> $cred = Get-Credential
    
    cmdlet Get-Credential at command pipeline position 1
    Supply values for the following parameters:
    Credential
    PS C:\windows\system32> Invoke-Command -Credential $cred -ComputerName "WDS00" -ScriptBlock { Write-Output "test" }
    test
    PS C:\windows\system32> get-module
    
    ModuleType Version    Name                                ExportedCommands
    ---------- -------    ----                                ----------------
    Manifest   3.1.0.0    Microsoft.PowerShell.Management     {Add-Computer, Add-Content, Checkpoint...
    Manifest   3.0.0.0    Microsoft.PowerShell.Security       {ConvertFrom-SecureString, ConvertTo-S...
    Manifest   3.1.0.0    Microsoft.PowerShell.Utility        {Add-Member, Add-Type, Clear-Variable,...
    Script     1.2        PSReadline                          {Get-PSReadlineKeyHandler, Get-PSReadl...
    Script     1.0        WDS                                 {Add-WdsDriverPackage, Approve-WdsClie...
    
    PS C:\windows\system32> $sb = { Set-WdsClient -Verbose -DeviceID "AA-BB-CC-DD-EE-FF" -DeviceName "testhost" -Domain -DomainName "company.com" -User "company\domainadmin" -JoinRights Full -ReferralServer "WDS00" -PxePromptPolicy Abort }
    PS C:\windows\system32> Invoke-Command -Credential $cred -ComputerName "WDS00" -ScriptBlock $sb
    The operation being requested was not performed because the user has not been authenticated.
        + CategoryInfo          : NotSpecified: (MSFT_WdsClient:root/cimv2/MSFT_WdsClient) [Set-WdsClient], CimException
        + FullyQualifiedErrorId : 0x4DC,Set-WdsClient
        + PSComputerName        : WDS00
    
    PS C:\windows\system32> New-WdsClient -Verbose -DeviceName "testhost02" -DeviceID "AA-Bb-cc-cc-cc-cc" -JoinRights Full -User "company\domainadmin" -ReferralServer "WDS00" -Domain "company.com"
    The operation being requested was not performed because the user has not been authenticated.
        + CategoryInfo          : NotSpecified: (MSFT_WdsClient:root/cimv2/MSFT_WdsClient) [New-WdsClient], CimException
        + FullyQualifiedErrorId : 0x4DC,New-WdsClient
        + PSComputerName        : WDS00
    

    So even our install server is saying that I am not authenticated both when executing the command through Invoke-Command or even locally.  Now this next bit is where I get the most confused.  From one of our terminal servers this works perfectly fine if the command is not executed from inside Invoke-Command.

    PS C:\windows\system32> whoami
    company\domainadmin
    PS C:\windows\system32> hostname
    terminalserver
    PS C:\windows\system32> $cred = Get-Credential
    
    cmdlet Get-Credential at command pipeline position 1
    Supply values for the following parameters:
    Credential
    PS C:\windows\system32> Invoke-Command -Credential $cred -ComputerName "WDS00" -ScriptBlock { Write-Output "test" }
    test
    PS C:\windows\system32> Get-Module
    
    ModuleType Version    Name                                ExportedCommands
    ---------- -------    ----                                ----------------
    Manifest   1.0.0.0    ActiveDirectory                     {Add-ADCentralAccessPolicyMember, Add-ADComputerServiceAccount, Add-ADDomainControllerPasswordReplicationPolicy, Add-AD...
    Manifest   3.1.0.0    Microsoft.PowerShell.Management     {Add-Computer, Add-Content, Checkpoint-Computer, Clear-Content...}
    Manifest   3.0.0.0    Microsoft.PowerShell.Security       {ConvertFrom-SecureString, ConvertTo-SecureString, Get-Acl, Get-AuthenticodeSignature...}
    Manifest   3.1.0.0    Microsoft.PowerShell.Utility        {Add-Member, Add-Type, Clear-Variable, Compare-Object...}
    Script     1.0.0.0    PSDiagnostics                       {Disable-PSTrace, Disable-PSWSManCombinedTrace, Disable-WSManTrace, Enable-PSTrace...}
    Script     1.2        PSReadline                          {Get-PSReadlineKeyHandler, Get-PSReadlineOption, Remove-PSReadlineKeyHandler, Set-PSReadlineKeyHandler...}
    Manifest   1.0.0.0    TroubleshootingPack                 {Get-TroubleshootingPack, Invoke-TroubleshootingPack}
    
    PS C:\windows\system32> $sb = { Set-WdsClient -Verbose -DeviceID "AA-BB-CC-DD-EE-FF" -DeviceName "testhost" -Domain -DomainName "company.com" -User "company\domainadmin" -JoinRights Full -ReferralServer "WDS00" -PxePromptPolicy Abort }
    PS C:\windows\system32> Invoke-Command -Credential $cred -ComputerName "WDS00" -ScriptBlock $sb
    The operation being requested was not performed because the user has not been authenticated.
        + CategoryInfo          : NotSpecified: (MSFT_WdsClient:root/cimv2/MSFT_WdsClient) [Set-WdsClient], CimException
        + FullyQualifiedErrorId : 0x4DC,Set-WdsClient
        + PSComputerName        : WDS00
    
    PS C:\windows\system32> Set-WdsClient -Verbose -DeviceID "AA-BB-CC-DD-EE-FF" -DeviceName "testhost" -Domain -DomainName "company.com" -User "company\domainadmin" -JoinRights Full -ReferralServer "WDS00" -PxePromptPolicy Abort
    
    
    
    Architecture        :
    BootImagePath       :
    BootProgram         :
    DeviceID            : AA-BB-CC-DD-EE-FF
    DeviceName          : testhost
    DistinguishedName   : CN=testhost,OU=Computer,DC=company,DC=com
    Domain              : company.com
    Group               :
    JoinDomain          : True
    JoinRights          : Full
    PxePromptPolicy     : Abort
    ReferralServer      : WDS00
    RequestId           :
    Status              :
    User                : company\domainadmin
    WdsClientUnattend   :
    PSComputerName      :
    PendingClientStatus :
    DomainName          : company.com
    

    So I cannot execute WDS commands locally or remotely on the testhost or WDS00, or when I do it remotely through terminalserver.  However, if I just execute the command in and of itself on the terminalserver, it will work.

    Friday, July 13, 2018 1:11 PM
  • Thank you for your help.  I will look into CredSSP and see if it helps.  The only reason why I am running the command remotely is because it needs to be run when the host is finished installing (be run as the last thing in the task sequence).  The testhost has to be able to tell the WDS server that it is finished installing so that the WDS server can then turn off netbooting.  Otherwise somebody can come by and just netboot the host and wipe the hard drive.
    Friday, July 13, 2018 9:11 PM