I have moved my blog to https://vikas15bhardwaj.wordpress.com/
Vikas Bhardwaj
Tuesday, February 10, 2015
Thursday, July 17, 2014
Enable Powershell Remoting
Remote Script Run
PowerShell can run scripts on remote machines. The following steps enable this on Windows 2008 R2 servers.
Server Side Changes
The first step is to enable remoting on the server you want to use as the remote server. This step is required on each server on which you want to run scripts remotely.
Enable PowerShell Remoting on Server
Run enable-psremoting in PowerShell (run as admin) to enable remote script execution on a machine. This procedure allows users on other computers to establish remote connections and to run remote commands on the local computer. It also allows you to create a "loopback" connection on the local computer.
PS C:\>enable-psremoting
The output is shown below. Enter 'Y' at all prompts.
WinRM Quick Configuration
Running command "Set-WSManQuickConfig" to enable this machine for remote management through WinRM service.
This includes:
1. Starting or restarting (if already started) the WinRM service
2. Setting the WinRM service type to auto start
3. Creating a listener to accept requests on any IP address
4. Enabling firewall exception for WS-Management traffic (for http only).
Do you want to continue?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): Y
WinRM already is set up to receive requests on this machine.
WinRM has been updated for remote management.
Created a WinRM listener on HTTP://* to accept WS-Man requests to any IP on this machine.
Confirm
Are you sure you want to perform this action?
Performing operation "Registering session configuration" on Target "Session configuration "Microsoft.PowerShell32" is
not found. Running command "Register-PSSessionConfiguration Microsoft.PowerShell32 -processorarchitecture x86 -force"
to create "Microsoft.PowerShell32" session configuration. This will restart WinRM service.".
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): Y
To verify that remoting is configured correctly, run a test command such as the following new-pssession command, which creates a remote session on the local computer. If remoting is configured correctly, the command will create a session on the local computer and return an object that represents the session. The output should resemble the following sample output:
PS C:\>new-pssession
Id Name ComputerName State ConfigurationName
-- ---- ------------ ----- -----
1 Session1 localhost Opened Microsoft.PowerShell
If the command fails, see about_Remote_Troubleshooting for assistance.
Double Hop Fix – Using Credential Delegation
If the script running on the remote server tries to connect to another remote server, you may get an 'access denied' error. For example, if from server A you execute a script on remote server B and that script tries to access a shared folder on server C, the access is denied. This is referred to as the double hop issue: for network security reasons, server B cannot use your credentials to connect to server C. There is sometimes a justified need to do this, and in such cases CredSSP authentication can be used to allow server B to connect to server C using your credentials. As the confirmation prompt below states, a server with CredSSP enabled has access to the user name and password that the client sends. To enable CredSSP on the remote server (server B in our example), run the following command from a PowerShell prompt as an admin user.
PS C:\> enable-WSManCredSSP -Role Server
CredSSP Authentication Configuration for WS-Management
CredSSP authentication allows the server to accept user credentials from a remote computer. If you enable CredSSP
authentication on the server, the server will have access to the user name and password of the client computer if the
client computer sends them. For more information, see the Enable-WSManCredSSP Help topic.
Do you want to enable CredSSP authentication?
[Y] Yes [N] No [S] Suspend [?] Help (default is "Y"): Y
lang : en-US
Basic : false
Kerberos : true
Negotiate : true
Certificate : false
CredSSP : true
CbtHardeningLevel : Relaxed
This step needs to be repeated on each remote server.
Client Side Changes
Now on your client/local computer execute the following from an elevated prompt (run as admin) for each remote computer you need credential delegation for:
PS> Enable-WSManCredSSP -Role Client -DelegateComputer <computer_name>
Here <computer_name> will be ServerB.
If the above command gives you an error, you can try adding the delegation manually using Group Policy, as follows.
Run gpedit.msc on the client machine and navigate to Computer Configuration -> Administrative Templates -> System -> Credential Delegation.
The WSMAN/ prefix is required.
Examples
Running a PowerShell command from file using a different username and password and CredSSP
Invoke-Command -computername ServerB {dir \\ServerC\e$\} -Credential domain\id -Authentication CredSSP
Running a script using CredSSP authentication
Invoke-Command -computername ServerB -filepath Install.ps1 -Credential domain\id -Authentication CredSSP
Running a script without CredSSP
Invoke-Command -computername ServerB {e:\}
Troubleshoot
Remote Sign Error
Issue
signed. The script will not execute on the system. Please see "get-help about_signing" for more details..
+ CategoryInfo : NotSpecified: (:) [], PSSecurityException
+ FullyQualifiedErrorId : RuntimeException
+ PSComputerName : ServerB
The term 'Install' is not recognized as the name of a cmdlet, function, script file, or operable
program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
+ CategoryInfo : ObjectNotFound: (Install:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
+ PSComputerName : ServerB
Fix
Set the execution policy to unrestricted through Group Policy on the server.
Go to Computer Configuration | Administrative Templates | Windows Components | Windows PowerShell and configure the Turn On Script Execution setting.
Enable it and change the value to All Scripts.
Or run the following from an elevated PowerShell prompt:
PS>Set-ExecutionPolicy Unrestricted
By default it is RemoteSigned.
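An added example, not part of the original post: a read-only PowerShell check that reports the settings this walkthrough changes (CredSSP on the service and client, the WSMAN/ delegation targets, listener transport, and execution policy per scope). The function names Get-RemotingExposure and New-Finding are hypothetical, and the script assumes the delegation targets are stored under the CredentialsDelegation policy key shown in the code.

```powershell
# Added example: read-only audit of the settings this walkthrough changes.
# Get-RemotingExposure and New-Finding are hypothetical names, not from the post.
# Run elevated; the WSMan: drive requires the WinRM service to be running.
function New-Finding($Check, $Value, $Review) {
    New-Object PSObject -Property @{ Check = $Check; Value = "$Value"; Review = [bool]$Review }
}

function Get-RemotingExposure {
    # CredSSP on the service side: true after Enable-WSManCredSSP -Role Server.
    $svc = (Get-Item WSMan:\localhost\Service\Auth\CredSSP).Value
    New-Finding 'Service accepts CredSSP' $svc ($svc -eq 'true')

    # CredSSP on the client side: true after Enable-WSManCredSSP -Role Client.
    $cli = (Get-Item WSMan:\localhost\Client\Auth\CredSSP).Value
    New-Finding 'Client may send CredSSP' $cli ($cli -eq 'true')

    # Delegation targets (the WSMAN/<computer> entries). A wildcard target means
    # credentials can be delegated to more hosts than the one that needs them.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentials'
    if (Test-Path $key) {
        $rk = Get-Item $key
        foreach ($name in $rk.GetValueNames()) {
            $target = [string]$rk.GetValue($name)
            New-Finding 'Delegation target' $target ($target.Contains('*'))
        }
    }

    # Listeners: Enable-PSRemoting creates an HTTP listener on every address.
    foreach ($l in Get-ChildItem WSMan:\localhost\Listener) {
        $keys = $l.Keys -join ', '
        New-Finding 'WinRM listener' $keys ($keys -match 'Transport=HTTP\b')
    }

    # Execution policy per scope; Unrestricted is what the fix above sets.
    foreach ($e in Get-ExecutionPolicy -List) {
        New-Finding "ExecutionPolicy ($($e.Scope))" $e.ExecutionPolicy ($e.ExecutionPolicy -eq 'Unrestricted')
    }
}

Get-RemotingExposure | Select-Object Check, Value, Review | Format-Table -AutoSize
```

Rows with Review set to True correspond to settings enabled by the steps in this post. Disable-WSManCredSSP -Role Server (or -Role Client) turns CredSSP back off once delegation is no longer needed.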