Moved My Blog

I have moved my blog to https://vikas15bhardwaj.wordpress.com/

Enable Powershell Remoting

Remote Script Run 

Power-shell allows to run power-shell scripts remotely. Following are the steps to enable it on servers Windows 2008 R2 servers 

Server Side Changes 

First step is to enable remoting on the server which we want to use as remote server. This step is required on each server you want to run script on remotely. 

Enable Power-shell Remoting on Server 

Run enable-psremoting in power-shell (run as admin) to enable remote script execution on a machine. This procedure allows users on other computers to establish remote connections and to run remote commands on the local computer. It also allows you to create a "loopback" connection on the local computer. 

PS C:\>enable-psremoting 

The output is shown below, Enter 'Y' on all Prompts 

WinRM Quick Configuration 

Running command "Set-WSManQuickConfig" to enable this machine for remote management through WinRM service. 

 This includes: 

    1. Starting or restarting (if already started) the WinRM service 

    2. Setting the WinRM service type to auto start 

    3. Creating a listener to accept requests on any IP address 

    4. Enabling firewall exception for WS-Management traffic (for http only). 

Do you want to continue? 

[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): Y 

WinRM already is set up to receive requests on this machine. 

WinRM has been updated for remote management. 

Created a WinRM listener on HTTP://* to accept WS-Man requests to any IP on this machine. 

Confirm 

Are you sure you want to perform this action? 

Performing operation "Registering session configuration" on Target "Session configuration "Microsoft.PowerShell32" is 

not found. Running command "Register-PSSessionConfiguration Microsoft.PowerShell32 -processorarchitecture x86 -force" 

to create "Microsoft.PowerShell32" session configuration. This will restart WinRM service.". 

[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): Y 

To verify that remoting is configured correctly, run new-pssession test command such as the following command, which creates a remote session on the local computer. If remoting is configured correctly, the command will create a session on the local computer and return an object that represents the session. The output should resemble the following sample output: 

PS C:\>new-pssession 

  

Id Name        ComputerName    State    ConfigurationName 

-- ----        ------------    -----    ----- 

1  Session1    localhost       Opened   Microsoft.PowerShell 

If the command fails, see about_Remote_Troubleshooting for assistance. 

Double Hop Fix – Using Credential Delegation 

In case the remote server on which script is executing tries to connect to another remote server  then you may get 'access denied' e.g. if from a server A you are executing the script on remote server B and that script is trying to access server C shared folder then you may get 'access denied' error. This is due to network security and is referred as double hop issue. This happens because server B can not use your credentials to connect to server C due to network security. However there is sometimes justified need to do that, in such cases we can use CredSSP authentication to allow server B to connect to server C using your credential. In order to enable CredSSP on the remote server, server B in our example, we need to run following command from power-shell prompt using Admin user. 

PS C:\> enable-WSManCredSSP -Role Server 

CredSSP Authentication Configuration for WS-Management 

CredSSP authentication allows the server to accept user credentials from a remote computer. If you enable CredSSP 

authentication on the server, the server will have access to the user name and password of the client computer if the 

client computer sends them. For more information, see the Enable-WSManCredSSP Help topic. 

Do you want to enable CredSSP authentication? 

[Y] Yes  [N] No  [S] Suspend  [?] Help (default is "Y"): Y 

 cfg               : http://schemas.microsoft.com/wbem/wsman/1/config/service/auth 

lang              : en-US 

Basic             : false 

Kerberos          : true 

Negotiate         : true 

Certificate       : false 

CredSSP           : true 

CbtHardeningLevel : Relaxed 

This step needs to be repeated on each remote server. 

Client Side Changes 

Now on your client/local computer execute the following from an elevated prompt (run as admin) for each remote computer you need credential delegation for: 

PS> Enable-WSManCredSSP –Role Client –DelegateComputer <computer_name> computer name will be ServerB 

If above command gives you an error then you can try adding this manually using group policy, the following instruction does that. 

OR 

Run gpedit.msc on client machine and navigate to Computer Configuration –> Administrative Templates –> System –> Credential Delegation 

Open up the “Allow Delegating Fresh Credentials” setting.  Enable the setting and then click on the “Show…” button to add a server to the list.  I added mine like so: 

WSMAN/ prefix is required 

Examples 

Running a power-shell Command from file using different username and password and CredSSP 

Invoke-Command -computername ServerB {dir \\ServerC\e$\} -Credential domain\id -Authentication CredSSP 

Running a script using CredSSP authentication 

Invoke-Command -computername ServerB-filepath Install.ps1 -Credential domain\id  -Authentication CredSSP 

Running script with out CredSSP 

Invoke-Command -computername ServerB {e:\} 

TroubleShoot 

Remote Sign Error 

Issue 

File \\..\script.ps1 cannot be loaded. The file \\..\script.ps1 is not digitally 

signed. The script will not execute on the system. Please see "get-help about_signing" for more details.. 

    + CategoryInfo          : NotSpecified: (:) [], PSSecurityException 

    + FullyQualifiedErrorId : RuntimeException 

    + PSComputerName        : ServerB 

The term 'Install' is not recognized as the name of a cmdlet, function, script file, or operable 

program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again. 

    + CategoryInfo          : ObjectNotFound: (Install:String) [], CommandNotFoundException 

    + FullyQualifiedErrorId : CommandNotFoundException 

    + PSComputerName        : ServerB 

Fix 

Enable policy execution to unrestricted from group policy on server. 

Computer Configuration | Administrative Templates | Windows Components | Windows PowerShell and configure the Turn On Script Execution setting 

Enable and change the value to All Scripts 

Or run the following from power-shell elevated prompt: 

PS>Set-ExecutionPolicy Unrestricted 

by default it is RemoteSigned