Thursday, July 17, 2014

Enable Powershell Remoting

Remote Script Run 
PowerShell allows you to run PowerShell scripts on remote computers. The following are the steps to enable it on Windows Server 2008 R2 servers. 

Server Side Changes 
The first step is to enable remoting on the server you want to use as the remote server. This step is required on each server on which you want to run scripts remotely. 

Enable PowerShell Remoting on Server 
Run Enable-PSRemoting in an elevated PowerShell prompt (run as admin) to enable remote script execution on a machine. This procedure allows users on other computers to establish remote connections and run remote commands on the local computer. It also allows you to create a "loopback" connection on the local computer. 

PS C:\>enable-psremoting 
The output is shown below; enter 'Y' at all prompts. 
WinRM Quick Configuration 
Running command "Set-WSManQuickConfig" to enable this machine for remote management through WinRM service. 
 This includes: 
    1. Starting or restarting (if already started) the WinRM service 
    2. Setting the WinRM service type to auto start 
    3. Creating a listener to accept requests on any IP address 
    4. Enabling firewall exception for WS-Management traffic (for http only). 
Do you want to continue? 
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): Y 
WinRM already is set up to receive requests on this machine. 
WinRM has been updated for remote management. 
Created a WinRM listener on HTTP://* to accept WS-Man requests to any IP on this machine. 
Confirm 
Are you sure you want to perform this action? 
Performing operation "Registering session configuration" on Target "Session configuration "Microsoft.PowerShell32" is 
not found. Running command "Register-PSSessionConfiguration Microsoft.PowerShell32 -processorarchitecture x86 -force" 
to create "Microsoft.PowerShell32" session configuration. This will restart WinRM service.". 
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): Y 

To verify that remoting is configured correctly, run a New-PSSession test command such as the following, which creates a remote session on the local computer. If remoting is configured correctly, the command creates a session on the local computer and returns an object that represents the session. The output should resemble the following sample: 
PS C:\>new-pssession 
  
Id Name        ComputerName    State    ConfigurationName 
-- ----        ------------    -----    ----- 
1  Session1    localhost       Opened   Microsoft.PowerShell 

If the command fails, see about_Remote_Troubleshooting for assistance. 

Double Hop Fix – Using Credential Delegation 
If the remote server on which the script is executing tries to connect to a further remote server, you may get an 'access denied' error. For example, if from server A you execute a script on remote server B and that script tries to access a shared folder on server C, you may get 'access denied'. This is due to network security and is referred to as the double hop issue: server B cannot use your credentials to connect to server C. There is sometimes a justified need to do this, and in such cases CredSSP authentication can be used to allow server B to connect to server C using your credentials. To enable CredSSP on the remote server (server B in our example), run the following command from a PowerShell prompt as an Admin user. 

PS C:\> enable-WSManCredSSP -Role Server 

CredSSP Authentication Configuration for WS-Management 
CredSSP authentication allows the server to accept user credentials from a remote computer. If you enable CredSSP 
authentication on the server, the server will have access to the user name and password of the client computer if the 
client computer sends them. For more information, see the Enable-WSManCredSSP Help topic. 
Do you want to enable CredSSP authentication? 
[Y] Yes  [N] No  [S] Suspend  [?] Help (default is "Y"): Y 
lang              : en-US 
Basic             : false 
Kerberos          : true 
Negotiate         : true 
Certificate       : false 
CredSSP           : true 
CbtHardeningLevel : Relaxed 

This step needs to be repeated on each remote server. 

Client Side Changes 
Now, on your client/local computer, execute the following from an elevated prompt (run as admin) for each remote computer you need credential delegation for: 

PS> Enable-WSManCredSSP -Role Client -DelegateComputer <computer_name> 
Here <computer_name> is the remote server, ServerB in our example. 
If the above command gives you an error, you can add the delegation entry manually through group policy instead: 
Run gpedit.msc on the client machine and navigate to Computer Configuration –> Administrative Templates –> System –> Credential Delegation. 
Open the "Allow Delegating Fresh Credentials" setting. Enable the setting and then click the "Show…" button to add a server to the list. I added mine like so: 

The WSMAN/ prefix is required on each entry (for example WSMAN/ServerB). 

Examples 
Running a PowerShell command using a different username and password with CredSSP: 

Invoke-Command -ComputerName ServerB {dir \\ServerC\e$\} -Credential domain\id -Authentication CredSSP 

Running a script file using CredSSP authentication: 

Invoke-Command -ComputerName ServerB -FilePath Install.ps1 -Credential domain\id -Authentication CredSSP 

Running a command without CredSSP (directory listing on ServerB only): 

Invoke-Command -ComputerName ServerB {dir e:\} 
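As an added end-to-end example (not from the original post), the following script checks each piece set up above before attempting the double hop: WinRM reachability on ServerB, the client delegation entry, the execution policy on ServerB, and finally the listing of the ServerC share through ServerB. ServerB, ServerC, the e$ share and the credential prompt are assumptions.

```powershell
# Added example, not from the original post. Assumed names: ServerB (where the
# script body runs), ServerC (the second hop) and its e$ administrative share.
$RemoteServer = 'ServerB'
$FileServer   = 'ServerC'
$SharePath    = "\\$FileServer\e$\"

# 1. Is WinRM listening on the remote server at all? (the Enable-PSRemoting step)
try {
    Test-WSMan -ComputerName $RemoteServer -ErrorAction Stop | Out-Null
    Write-Host "WinRM reachable on $RemoteServer"
} catch {
    throw "WinRM not reachable on ${RemoteServer}: run Enable-PSRemoting there. $_"
}

# 2. Does this client already delegate fresh credentials to ServerB?
#    Get-WSManCredSSP reports the client and server state as strings; the
#    delegation target appears as wsman/<server>, hence the WSMAN/ prefix rule.
$credsspState = (Get-WSManCredSSP) -join ' '
if ($credsspState -notmatch "wsman/$RemoteServer") {
    Write-Host "Adding WSMAN/$RemoteServer to the client delegation list"
    Enable-WSManCredSSP -Role Client -DelegateComputer $RemoteServer -Force
}

# 3. Prompt for the account that must reach ServerC; never embed the password.
$cred = Get-Credential -Message "Account used for the hop to $FileServer"

# 4. Check the remote execution policy before sending a script file there:
#    an unsigned script loaded from a UNC path is refused under RemoteSigned.
$policy = Invoke-Command -ComputerName $RemoteServer -Credential $cred `
    -Authentication CredSSP -ScriptBlock { Get-ExecutionPolicy }
Write-Host "Execution policy on ${RemoteServer}: $policy"

# 5. The double hop itself: ServerB uses the delegated credential to reach ServerC.
$listing = Invoke-Command -ComputerName $RemoteServer -Credential $cred `
    -Authentication CredSSP -ArgumentList $SharePath -ScriptBlock {
        param($Path)
        if (-not (Test-Path $Path)) { throw "Second hop failed: cannot see $Path" }
        Get-ChildItem -Path $Path | Select-Object Name, Length, LastWriteTime
    }
$listing | Format-Table -AutoSize
```

Run it from an elevated prompt on the client, since step 2 modifies the local CredSSP client configuration.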

TroubleShoot 
Remote Sign Error 
Issue 
File \\..\script.ps1 cannot be loaded. The file \\..\script.ps1 is not digitally 
signed. The script will not execute on the system. Please see "get-help about_signing" for more details.. 
    + CategoryInfo          : NotSpecified: (:) [], PSSecurityException 
    + FullyQualifiedErrorId : RuntimeException 
    + PSComputerName        : ServerB 

The term 'Install' is not recognized as the name of a cmdlet, function, script file, or operable 
program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again. 
    + CategoryInfo          : ObjectNotFound: (Install:String) [], CommandNotFoundException 
    + FullyQualifiedErrorId : CommandNotFoundException 
    + PSComputerName        : ServerB 

Fix 
Set the script execution policy to Unrestricted through group policy on the server: 
Computer Configuration | Administrative Templates | Windows Components | Windows PowerShell, then configure the "Turn On Script Execution" setting. 
Enable it and change the value to All Scripts. 
Or run the following from an elevated PowerShell prompt on the server: 
PS> Set-ExecutionPolicy Unrestricted 
By default it is RemoteSigned. 
