Access the Exchange Management Shell from a Different Untrusted Domain

  • Question

  • I'm attempting to access the Exchange Management Shell from an untrusted domain. I can access them fine from a non-Exchange server within the domain. I've set up PSRemoting properly. From the untrusted domain, I can get a regular remote PowerShell session to the Exchange box using the -ComputerName parameter with a New-PSSession. But trying to access the -ConnectionUri of http://<exchangeCASFQDN>/Powershell I get an error. I understand that Kerberos auth won't work across untrusted domains so I'm using Negotiate expecting it to fall back to NTLM.

    The error I'm getting is: The WinRM client cannot process the request. It cannot determine the content type of the HTTP response from the destination computer. The content type is absent or invalid.

    Is it even possible to access the Exchange Management Shell from an untrusted domain?

    Friday, February 14, 2020 1:56 AM

Answers

  • You have to use CredSSP. NTLM will never work as all authentication in a domain requires Kerberos. CredSSP allows the remote system to authenticate you with Kerberos in the domain. Without Kerberos credentials Exchange cannot authenticate you, the same way you cannot do a second hop connection.


    \_(ツ)_/

    • Marked as answer by Dan_Walters Friday, February 14, 2020 3:24 AM
    Friday, February 14, 2020 2:17 AM

All replies

  • OK I got CredSSP set up. I can do regular PowerShell remoting to the computername using CredSSP authentication now and I can just load up the Exchange snap-in so I can kind of access it. But I'm still getting the same error when I attempt to connect directly to the Exchange PowerShell URI. Any ideas?

    • Edited by Dan_Walters Friday, February 14, 2020 3:23 AM
    Friday, February 14, 2020 2:43 AM
  • With Exchange the endpoint needs to be configured for CredSSP also. Exchange handles things much differently.

    Post in the Exchange forum for assistance setting up the Exchange endpoint for access via CredSSP. You may also have firewall issues.

    You will also have to use SSL with CredSSP.


    \_(ツ)_/

    Friday, February 14, 2020 6:49 PM
  • You will also have to use SSL with CredSSP.


    \_(ツ)_/

    Is the SSL requirement just for Exchange? I got regular remoting to the computername working with credssp over http.

    Saturday, February 15, 2020 5:20 AM
  • You will also have to use SSL with CredSSP.


    \_(ツ)_/

    Is the SSL requirement just for Exchange? I got regular remoting to the computername working with credssp over http.

    I can suggest posting in the Exchange forum. Someone there might recognize the issue and provide the missing pieces. I don't have a way to set up your conditions. Exchange Online does not require any special setup, but does require using HTTPS for the connection, although UseSSL is not a required switch. Also, Online does not require enabling CredSSP because it uses BASIC authentication over HTTPS.


    \_(ツ)_/

    Saturday, February 15, 2020 3:17 PM