I have a server Windows 2012R2
in the domain. This server has no domain user access, only local admin user. I can RDC into this machine using admin account, but cannot have a PSSession
, so Enter-PSSession
or Invoke-Command
or New-PSSession
does not work.
I have set the Trustedhosts value to '*' already. Still does not work.
The example:
$cred = Get-Credential # username: Aministrator, password: secret123
Enter-PSSession -computername SVR1 -Credential $cred
Immediately I get error:
Enter-PSSession : Connecting to remote server SVR1 failed with the following error message : The user name or password is incorrect. For more information, see the about_Remote_Troubleshooting Help topic.
Why I cannot login to the server with local admin acount?
EDIT:
After the comment below, I have tried, SVR1\ADMINISTRATOR as username, then I go a different error message:
Enter-PSSession : Connecting to remote server SVR1 failed with the following error message : WinRM cannot process the request. The following error with errorcode 0x80090311 occurred while using Kerberos authentication: We can't sign you in with this credential because your domain isn't available. Make sure your device is connected to your organization's network and try again. If you previously signed in on this device with another credential, you can sign in with that credential.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does not exist.
-The client and remote computers are in different domains and there is no trust between the two domains. After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport. Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
Here's a guide: https://4sysops.com/archives/enable-powershell-remoting-on-a-standalone-workgroup-computer/
And a summary of the main points:
-SkipNetworkProfileCheck
when you enabled psremoting.winrm set winrm/config/client @{TrustedHosts="10.0.2.33"}
at an elevated command prompt (make sure to change that IP to the one in your environment).0x80090311 occurred while using Kerberos authentication
You can get this specific error when you connect to a standalone computer because Kerberos is only available for domain members.
Please check on both computers that you have a common authentication method.
On the client computer:
Get-ChildItem -Path WSMan:\localhost\Client\Auth
On the target computer:
Get-ChildItem -Path WSMan:\localhost\Service\Auth
Typically you may want to use CredSPP when connecting to standalone computers, though this is not the most secure method.
If the target is a domain member, you may have disabled something in the Kerberos configuration somewhere (check your GPOs)
User contributions licensed under CC BY-SA 3.0