Remote session/script with current user's credentials

  • Question

  • Is it possible to start a remote session or invoke a command with the current user's credentials (without specifying username and password)?

    Paulo Morgado

    Monday, April 2, 2012 11:48 AM

Answers

  • Yes. As far as I could determine, there's a one-way trust relationship between domains.

    So I guess the answer to my original question is yes. It is possible but there are conditions to be met.


    Paulo Morgado

    Thursday, April 19, 2012 12:02 PM

All replies

  • If the user has sufficient rights to invoke a remote session, then, yes, all you do is leave off the -Credential parameter to enter the session with the current user's credentials.

    Grant Ward, a.k.a. Bigteddy

    What's new in Powershell 3.0 (Technet Wiki)

    Monday, April 2, 2012 11:51 AM
  • Imagine $remoteComputer is the name of the remote machine and $currentUser is the same domain user name and password as the current user.

    This works fine:

    Invoke-Command -ComputerName $remoteComputer -Credential $currentUser -ScriptBlock { get-date }

    But this:

    Invoke-Command -ComputerName $remoteComputer -ScriptBlock { get-date }

    gives this error:

    [<remote computer name here>] Connecting to remote server failed with the following error message : WinRM cannot process the request. The following error occurred while using Kerberos authentication: The network path was not found.
     Possible causes are:
      -The user name or password specified are invalid.
      -Kerberos is used when no authentication method and no user name are specified.
      -Kerberos accepts domain user names, but not local user names.
      -The Service Principal Name (SPN) for the remote computer name and port does not exist.
      -The client and remote computers are in different domains and there is no trust between the two domains.
     After checking for the above issues, try the following:
      -Check the Event Viewer for events related to authentication.
      -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
     Note that computers in the TrustedHosts list might not be authenticated.
       -For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
        + CategoryInfo          : OpenError: (:) [], PSRemotingTransportException
        + FullyQualifiedErrorId : PSSessionStateBroken

    Probably something related to how the remote computer is accepting connections.


    Paulo Morgado

    Monday, April 2, 2012 12:06 PM
  • By the way, I'm on a different domain. But the domain where the remote computer belongs to trusts the domain my local computer and logged in account belongs to.

    Paulo Morgado

    Monday, April 2, 2012 12:07 PM
  • is $remotecomputer the FQDN?
     

    Justin Rich
    http://jrich523.wordpress.com
    PowerShell V3 Guide (Technet)
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    Monday, April 2, 2012 12:31 PM
  • (if FQDN is fully qualified domain name) yes.

    And $currentUser is:

    $currentUser = Get-Credential 'domain\username'
    which requests for the password.

    Paulo Morgado

    Monday, April 2, 2012 12:36 PM
  • My gut is telling me it's either not using Kerberos with -Credential, or that it's not
    passing what you think it's passing (i.e. the "current" token).
     
    Maybe try specifying Kerberos when you use -Credential to verify that it is really
    using Kerberos?
     
    I'm not sure how you'd check what it's sending, maybe using the .NET security
    principal, but I'm not sure that's even what it uses...
     
     

    Justin Rich
    http://jrich523.wordpress.com
    PowerShell V3 Guide (Technet)
    Monday, April 2, 2012 12:52 PM
  • Using -Authentication Kerberos gives the exact same message.

    Paulo Morgado

    Monday, April 2, 2012 2:20 PM
  • yes but with both methods? with/without -cred
     

    Justin Rich
    http://jrich523.wordpress.com
    PowerShell V3 Guide (Technet)
    Monday, April 2, 2012 2:31 PM
  • Yes. First time (script in previous post) without and then with -Authentication Kerberos. Same error.

    Paulo Morgado

    Monday, April 2, 2012 2:58 PM
  • Hi,

    I would like to suggest you refer to the link below:

    Create remote PowerShell session with the same rights than the local PS session

    http://social.technet.microsoft.com/Forums/en-US/winserverpowershell/thread/1742fcb5-ed07-4973-9e02-ab5514099502

    Best Regards,

    Yan Li

    TechNet Subscriber Support



    Yan Li

    TechNet Community Support


    Thursday, April 5, 2012 8:50 AM
    Moderator
  • I get the exact same error. Why would that be any different?

    Paulo Morgado

    Thursday, April 5, 2012 9:15 AM
  • Stupid question, did you verify WinRM was setup on the remote machine and Kerberos was enabled in the WinRM configuration on both ends?  You can use

    winrm g winrm/config

    to see how it's configured.

    Thursday, April 5, 2012 4:19 PM
  • The default is to use Kerberos, so I don't think that's it...
     
    I did find something posted about cross-domain things; in the case of the
    post it was a one-way trust, but what he wrote didn't go into details,
    just that he had the problem and worked around it...
     
    So, it might be an issue with how trusts work?
     
    I'm pretty sure when using CredSSP you have to supply the creds, even if they
    are the same... obviously not directly related, but perhaps there is
    something going on under the covers that is forcing you to do so... I
    suspect the problem has more to do with trusts and Kerberos...
     
    Might be worthwhile to try and ask more specifically about that in an
    AD/Server forum?
     
    Sorry I can't be of more help.
     

    Justin Rich
    http://jrich523.wordpress.com
    PowerShell V3 Guide (Technet)
    Thursday, April 5, 2012 6:21 PM
  • Russ,

    Kerberos seem to be enabled:

    Config
        MaxEnvelopeSizekb = 150
        MaxTimeoutms = 60000
        MaxBatchItems = 32000
        MaxProviderRequests = 4294967295
        Client
            NetworkDelayms = 5000
            URLPrefix = wsman
            AllowUnencrypted = false
            Auth
                Basic = true
                Digest = true
                Kerberos = true
                Negotiate = true
                Certificate = true
                CredSSP = false
            DefaultPorts
                HTTP = 5985
                HTTPS = 5986
            TrustedHosts = s-apm-*,l-0230138
        Service
            RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)S:P(AU;FA;GA;;;WD)(AU;SA;GWGX;;;WD)
            MaxConcurrentOperations = 4294967295
            MaxConcurrentOperationsPerUser = 15
            EnumerationTimeoutms = 60000
            MaxConnections = 25
            MaxPacketRetrievalTimeSeconds = 120
            AllowUnencrypted = false
            Auth
                Basic = false
                Kerberos = true
                Negotiate = true
                Certificate = false
                CredSSP = false
                CbtHardeningLevel = Relaxed
            DefaultPorts
                HTTP = 5985
                HTTPS = 5986
            IPv4Filter = *
            IPv6Filter = *
            EnableCompatibilityHttpListener = false
            EnableCompatibilityHttpsListener = false
            CertificateThumbprint
        Winrs
            AllowRemoteShellAccess = true
            IdleTimeout = 180000
            MaxConcurrentUsers = 5
            MaxShellRunTime = 2147483647
            MaxProcessesPerShell = 15
            MaxMemoryPerShellMB = 150
            MaxShellsPerUser = 5


    Paulo Morgado

    Monday, April 9, 2012 8:11 AM
  • Thanks, Justin. I'll try the AD/Server forum.

    Paulo Morgado

    Monday, April 9, 2012 8:11 AM
  • Have you enabled CredSSP as server and client yet on your two machines?  If you are using CredSSP, it doesn't appear that it is enabled (see your posted output of the WinRM config).  Check out this reference on enabling and configuring CredSSP:

    http://technet.microsoft.com/en-us/library/dd819517.aspx

    Monday, April 9, 2012 12:41 PM
  • I've just enabled it both on the client:

    Enable-WSManCredSSP -Role Client -DelegateComputer *.domain -Force

    and on the server:

    Enable-WSManCredSSP -Role Server -Force
    But I'm still getting the same error.

    Paulo Morgado

    Monday, April 9, 2012 12:55 PM
  • What's your main purpose, to run Powershell or other kinds of commands?

    Have you tried Set-ExecutionPolicy?
    Using the Set-ExecutionPolicy Cmdlet
    http://technet.microsoft.com/en-us/library/ee176961.aspx


    Thanks
    Zero

    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Tuesday, April 10, 2012 11:53 AM
  • My main purpose is to invoke commands on a remote server with the credentials of the current user.

    On a previous post from (Monday, April 02, 2012 12:06 PM) I stated that I can successfully invoke the commands if I specify the credentials. I don’t think it’s an execution policy issue, do you?

    I'm guessing it's an AD trust issue as the current user is on a different domain, although the trust is set up and the current user belongs to the administrators group on the target machine.


    Paulo Morgado

    Tuesday, April 10, 2012 12:17 PM
  • Have you tried the same commands inside the domain to isolate if it's domain trust related?

    Thanks
    Zero


    Wednesday, April 11, 2012 9:32 AM
  • Have you configured this step?

     HOW TO ENABLE REMOTING FOR ADMINISTRATORS IN OTHER DOMAINS
        ----------------------------------------------------------
            ERROR:  ACCESS IS DENIED
    
        When a user in another domain is a member of the Administrators group on
        the local computer, the user cannot connect to the local computer remotely
        with Administrator privileges. By default, remote connections from other
        domains run with only standard user privilege tokens. 
    
        However, you can use the LocalAccountTokenFilterPolicy registry entry to
        change the default behavior and allow remote users who are members of the
        Administrators group to run with Administrator privileges. 
    
        Caution: The LocalAccountTokenFilterPolicy entry disables user account
                 control (UAC) remote restrictions for all users of all affected
                 computers. Consider the implications of this setting carefully
                 before changing the policy.
        
        To change the policy, use the following command to set the value of the
        LocalAccountTokenFilterPolicy registry entry to 1.
    
            C:\PS> new-itemproperty -name LocalAccountTokenFilterPolicy -path `
                HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -propertyType `
                DWord -value 1


    Aleksandar Nikolić http://powershellers.blogspot.com http://twitter.com/alexandair

    Wednesday, April 11, 2012 10:38 PM
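Pulling the thread's checks together, here is an added PowerShell example (not posted by anyone in the thread): it reads the LocalAccountTokenFilterPolicy value quoted above, the WinRM service authentication switches shown in the `winrm g winrm/config` output, and then tests a Kerberos connection to the remote host both with the current token and, optionally, with an explicit credential, so the two cases in the original error report can be compared side by side. The function name, the `$RemoteComputer` FQDN and the credential are assumptions; the registry path and WSMan provider paths are the ones Windows uses.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on the
# machine whose WinRM configuration you want to inspect; pass the remote host
# as an FQDN, as the thread recommends.
function Test-CrossDomainRemoting {
    param(
        [Parameter(Mandatory)][string]$RemoteComputer,
        [pscredential]$Credential   # optional: explicit account, for comparison
    )
    $result = [ordered]@{}

    # 1. UAC remote restriction (the about_Remote_Troubleshooting step quoted above).
    #    1 = remote admins from other domains keep a full token; absent/0 = filtered.
    $regPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $policy  = Get-ItemProperty -Path $regPath -Name LocalAccountTokenFilterPolicy `
                                -ErrorAction SilentlyContinue
    $result.LocalAccountTokenFilterPolicy = if ($policy) { $policy.LocalAccountTokenFilterPolicy } else { 'not set' }

    # 2. WinRM service/client switches, same data as 'winrm g winrm/config'.
    $result.ServiceKerberos    = (Get-Item WSMan:\localhost\Service\Auth\Kerberos).Value
    $result.ServiceCredSSP     = (Get-Item WSMan:\localhost\Service\Auth\CredSSP).Value
    $result.ClientTrustedHosts = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value

    # 3. Authenticated identify request with the current token (what Invoke-Command
    #    does when -Credential is omitted), then the same with an explicit credential.
    $result.ImplicitKerberos = Invoke-WSManTest -Computer $RemoteComputer
    if ($Credential) {
        $result.ExplicitCredential = Invoke-WSManTest -Computer $RemoteComputer -Cred $Credential
    }
    [pscustomobject]$result
}

function Invoke-WSManTest {
    param([string]$Computer, [pscredential]$Cred)
    $args = @{ ComputerName = $Computer; Authentication = 'Kerberos'; ErrorAction = 'Stop' }
    if ($Cred) { $args.Credential = $Cred }
    try {
        Test-WSMan @args | Out-Null
        'OK'
    } catch {
        # Keep only the first line; the WinRM message is several lines long.
        ($_.Exception.Message -split "`r?`n")[0]
    }
}

# Example call (hypothetical host name):
# Test-CrossDomainRemoting -RemoteComputer server01.domain.example `
#                          -Credential (Get-Credential 'domain\username')
```

If `ImplicitKerberos` fails while `ExplicitCredential` succeeds, the WinRM service and policy settings are not the problem and the investigation belongs with the trust direction between the two domains, as the thread concludes.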
  • Aleksander,

    This is to be run on the server, right? Does it require a reboot?


    Paulo Morgado

    Thursday, April 12, 2012 3:53 PM
  • Yes, you need to run this on a remote computer. AFAIK, it doesn't require a restart.

    Aleksandar Nikolić http://powershellers.blogspot.com http://twitter.com/alexandair

    Thursday, April 12, 2012 4:04 PM
  • It was already set to 1.

    It's probably a cross domain issue.


    Paulo Morgado

    Thursday, April 12, 2012 4:12 PM
  • Then have you tried if it will work in the same domain?


    Thanks
    Zero


    Friday, April 13, 2012 8:50 AM
  • I got the same error in a script I made some weeks ago.

    I got the error on random machines; I solved it by using the full host name of the remote machine.

    Friday, April 13, 2012 9:18 AM
  • If I'm logged on with an account of the same domain it all works fine.

    Paulo Morgado

    Tuesday, April 17, 2012 1:38 AM
  • I always use the fully qualified name to avoid these problems. But that is not my problem.

    Paulo Morgado

    Tuesday, April 17, 2012 1:38 AM
  • Check if the following information would be helpful to you:
    http://technet.microsoft.com/en-us/magazine/ff700227.aspx

    http://msdn.microsoft.com/en-us/library/windows/desktop/aa384372(v=vs.85).aspx

    http://technet.microsoft.com/en-us/library/dd347642.aspx


    Thanks
    Zero


    Tuesday, April 17, 2012 11:36 AM
  • Nope. Already gone through all that.


    Paulo Morgado

    Wednesday, April 18, 2012 11:23 AM
  • Have you just built a one-way trust relationship between domains (i.e. one domain trusts the other, but the domain you're connecting to doesn't trust it)?

    Since we have tested that it works fine in the same domain, I think it would be related to domain settings. I suggest that you submit a new post to the Directory Service forum to check the domain-related settings.

    Thanks.


    Thanks
    Zero


    • Proposed as answer by kristofpaw Thursday, February 7, 2019 8:46 AM
    Thursday, April 19, 2012 11:41 AM
  • Yes. As far as I could determine, there's a one-way trust relationship between domains.

    So I guess the answer to my original question is yes. It is possible but there are conditions to be met.


    Paulo Morgado

    Thursday, April 19, 2012 12:02 PM
  • Yeah, we may say so.

    Thanks
    Zero


    Friday, April 20, 2012 12:47 PM