Connecting to remote server failed with the following error message : The user name or password is incorrect

1

I am trying to connect PowerShell remotely to an Exchange server. This is to a separate AD Domain. (Connecting domainA to domainB) I can connect from domainA to servers on other domains just fine. I receive the following error:

PS Y:\Personal\scripts> $session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://server1.domainB.tld/PowerShell/ -Authentication Kerberos -Credential $cred
New-PSSession : [server1.domainB.tld] Connecting to remote server server1.domainB.tld failed with the following error message : The user name or password is incorrect. For more 
information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:12
+ $session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri ht ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotingTransportException
+ FullyQualifiedErrorId : LogonFailure,PSSessionOpenFailed

This isn't specific to this server, I get the same results to two other servers in the same domain.

My username is in UPN format me@domainB.tld If I use domainB\me I get the following error:

PS Y:\Personal\scripts> $session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://server1.domainB.tld/PowerShell/ -Authentication Kerberos -Credential $cred
New-PSSession : [server1.domainB.tld] Connecting to remote server server1.domainB.tld failed with the following error message : WinRM cannot process the request. The following 
error with errorcode 0x80090311 occurred while using Kerberos authentication: There are currently no logon servers available to service the logon request.  
 Possible causes are:
  -The user name or password specified are invalid.
  -Kerberos is used when no authentication method and no user name are specified.
  -Kerberos accepts domain user names, but not local user names.
  -The Service Principal Name (SPN) for the remote computer name and port does not exist.
  -The client and remote computers are in different domains and there is no trust between the two domains.
 After checking for the above issues, try the following:
  -Check the Event Viewer for events related to authentication.
  -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
 Note that computers in the TrustedHosts list might not be authenticated.
   -For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:12
+ $session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri ht ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotingTransportException
    + FullyQualifiedErrorId : AuthenticationFailed,PSSessionOpenFailed

I've also tried connecting to domainB from other domains and receive the same results. I assume there is a permission somewhere that needs to be set, but I'm not sure what.

wsman:\localhost\client\trustedhosts is set to the correct values

I can RDP in with the same credentials no problem, so I know my credentials are valid. I'm also a domain admin. Servers are Windows 2012 R2.

PSRemoting is enabled

[PS] D:\>Enable-PSRemoting -Force
WinRM is already set up to receive requests on this computer.
WinRM is already set up for remote management on this computer.

PSSessionConfiguration

Name          : microsoft.powershell
PSVersion     : 4.0
StartupScript : 
RunAsUser     : 
Permission    : BUILTIN\Administrators AccessAllowed, BUILTIN\Remote Management Users AccessAllowed

Name          : microsoft.powershell.workflow
PSVersion     : 4.0
StartupScript : 
RunAsUser     : 
Permission    : BUILTIN\Administrators AccessAllowed, BUILTIN\Remote Management Users AccessAllowed

Name          : microsoft.powershell32
PSVersion     : 4.0
StartupScript : 
RunAsUser     : 
Permission    : BUILTIN\Administrators AccessAllowed, BUILTIN\Remote Management Users AccessAllowed

Name          : microsoft.windows.servermanagerworkflows
PSVersion     : 3.0
StartupScript : 
RunAsUser     : 
Permission    : NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators AccessAllowed

In addition, I tried remoting from a server in domainB to server1.domainB and it works fine. So it has something to do with connecting from outside of the domain.

Test auth in IIS works fine

Removing -Authentication Kerberos or using Negotiate also results in errors

wsman trustedhosts - Added FQDN of client to server. Added FQDN and IP of server to client. No change.

What do I need to fix to be able to remote in here?

exchange
powershell
asked on Server Fault May 10, 2017 by ElectronicDrug • edited May 16, 2017 by ElectronicDrug

2 Answers

0

If it was a privileges issue, the error would say something like 'access denied'.

Somehow the server actually doesn't know your user (or the PW is incorrect).

You said that you are trying to connect 'from DomainA to DomainB'. That sounds like your user is located in DomainA, but you are telling the server that your user is located in DomainB.

Try connecting with me@domainA.tld or me\domainA.

answered on Server Fault May 10, 2017 by 30000MONKEYS • edited May 10, 2017 by 30000MONKEYS
0

Have you tried removing the -Authentication Kerberos from your New-PSSession? I have similar scripts for managing trusted domain exchange servers, but I do not specify the authentication type.

$session = New-PSSession -ConnectionUri "https://mail.server.com/Powershell" -ConfigurationName Microsoft.Exchange -Credential $cred
answered on Server Fault May 11, 2017 by Cory Knutson

User contributions licensed under CC BY-SA 3.0