Get-WmiObject HRESULT: 0x80070005 (E_ACCESSDENIED) but the credentials are correct

Let's imagine the above architecture. And suppose from your computer you need "Get-WmiObject -class Win32_Service". Suppose you configure everything ok, and final try to send the following command:

$server = "pc01.xxxx.yyy"
$User = "$server\admin_pc01"
$PWord = ConvertTo-SecureString -String "p4ssw0rd" -AsPlainText -Force
$Credential = New-Object -TypeName "System.Management.Automation.PSCredential" -ArgumentList $User, $PWord
Get-WmiObject -class Win32_Service -ComputerName $server -Credential $Credential

But you receive: Get-WmiObject : Access denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))

Why ?

I do some research and in the Event Viewer of pc01.xxxx.yyy I found three events: 4776,4672,4624 with the credential request, credential validation and the access. Code error: 0x0 => no error, credential valid. On the Event Id 4624 on the network information I found my Workstation name, my IP e my tcp source port: (ex: 17380)

Nice .. but even mad!

Then I deep dive into firewall (part of the green Routing Circle) and found a funny things.

From my PC I have two connection: 1) from mypc to 192.168.1.1 to port 135 from port 17380 2) from mypc to 10.10.10.1 to port 135 from port 17381

Hahaha...then I understood!!!

Mypc is on the same domain zzzz.nnn of pc01.zzzz.nnn When I send the command Get-WmiObject open an auth session (source port 17380) with pc01.xxxx.yyy (and all work good) but after that Get-WmiObject open another port to transimit the data (source port 17381) but in this case the command NOT USE THE FQDN but ONLY the Hostname!!!! This means Get-WmiObject send command to pc01, my computer add the default domain for dns resolution (zzzz.nnn) and...et volià...it send the second request to 10.10.10.1 !!!!

Obviously if on my hosts file I add the row pc01 192.168.1.1 the Get-WmiObject request work.

But this not is an acceptable solution for me.