Credential working for Get-WmiObject but not Invoke-Command for a computer on a different domain?

2

I have a PowerShell script meant to do two things for a remote server: check the Last Checked value of Windows Update, and enumerate all drives and check the remaining space on those drives.

The expected output of the function is:

servername
----------
Last Checked for Windows Update:
01/18/2021 08:12:46

Disk    Size    Free    %Free
C:      501.46  238.06  47.47%
E:      300.00  140.15  46.72%

The script works exactly as expected when running against a computer on the same domain as me. However, we have a handful of computers that are not on the same domain, and use a local administrator account for access. When running the script against one of those computers, the Windows Update portion fails but the Disk Space portion runs successfully.

The two portions of the script share the same PsCredential, but the Disk Space portion is a Get-WmiObject function using the parameters -ComputerName and -Credential, whereas the Windows Update portion is inside of an Invoke-Command function with -ComputerName and -Credential.

I'm not sure why the same PsCredential would work for one and fail for the other; perhaps a different authentication route?

The error I get from the Windows Update portion is:

[servername] Connecting to remote server servername failed with the following error message : WinRM cannot process the
request. The following error with errorcode 0x80090311 occurred while using Kerberos authentication: We can't sign you
in with this credential because your domain isn't available. Make sure your device is connected to your organization's
network and try again. If you previously signed in on this device with another credential, you can sign in with that
credential.
 Possible causes are:
  -The user name or password specified are invalid.
  -Kerberos is used when no authentication method and no user name are specified.
  -Kerberos accepts domain user names, but not local user names.
  -The Service Principal Name (SPN) for the remote computer name and port does not exist.
  -The client and remote computers are in different domains and there is no trust between the two domains.
 After checking for the above issues, try the following:
  -Check the Event Viewer for events related to authentication.
  -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or
use HTTPS transport.
 Note that computers in the TrustedHosts list might not be authenticated.
   -For more information about WinRM configuration, run the following command: winrm help config. For more
information, see the about_Remote_Troubleshooting Help topic.
    + CategoryInfo          : OpenError: (servername:String) [], PSRemotingTransportException
    + FullyQualifiedErrorId : AuthenticationFailed,PSSessionStateBroken

The script is:

$server = "servername"
$adminaccount = $server + "\localadminaccount"
$PASSWORD = ConvertTo-SecureString "localadminpassword" -AsPlainText -Force
$UNPASSWORD = New-Object System.Management.Automation.PsCredential $adminaccount, $PASSWORD

$out = ""
$out += $server + "`n----------`n"
$out += Invoke-Command -ComputerName $server -Credential $UNPASSWORD -ScriptBlock {
    Function Get-LocalTime($UTCTime) {
        $strCurrentTimeZone = (Get-WmiObject win32_timezone).StandardName;
        $TZ = [System.TimeZoneInfo]::FindSystemTimeZoneById($strCurrentTimeZone);
        Return [System.TimeZoneInfo]::ConvertTimeFromUtc($UTCTime, $TZ);
    } 

    $updateInfo = "Last Checked for Windows Update: `n";
    $updateInfo += Get-LocalTime $(New-Object -ComObject Microsoft.Update.AutoUpdate).Results.LastSearchSuccessDate;
    $updateInfo += "`n`n"
    
    Return $updateInfo
}

$out += "Disk`tSize`tFree`t%Free`n"
$disks = Get-WmiObject Win32_LogicalDisk -computername $server -filter DriveType=3 -Credential $UNPASSWORD
foreach ($objdisk in $disks)
{
    $size = "{0:N2}" -f ($objDisk.Size/1GB)
    $free = "{0:N2}" -f ($objDisk.FreeSpace/1GB)
    $freePercent="{0:P2}" -f ([double]$objDisk.FreeSpace/[double]$objDisk.Size)

    $out += $objDisk.DeviceID + "`t" 
    $out += $size + "`t" 
    $out += $free + "`t" 
    $out += $freePercent + "`n"
}
$out
windows
powershell
asked on Super User Jan 20, 2021 by Tyler N • edited Jan 20, 2021 by Tyler N

1 Answer

3

As far as I can tell, Invoke-Command needs the computer to be a trusted host if it is not on the same domain, so the solution is to add the computer as a trusted host.

For the sake of not messing with trusted hosts unnecessarily, I implemented the solution in a way that will only temporarily affect the trusted hosts:

Before Invoke-Command (add a trusted host):

$curHosts = (Get-ChildItem WSMan:\localhost\Client\TrustedHosts).Value
Set-Item WSMan:\localhost\Client\TrustedHosts -Value $server -Concatenate -Force

After Invoke-Command (reset trusted hosts):

Set-Item WSMan:\localhost\Client\TrustedHosts $curHosts -Force
answered on Super User Jan 20, 2021 by Tyler N
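
The answer's temporary TrustedHosts change, written so that the original list is restored even when the remote call fails (an added example, not the answer author's code; the function name Invoke-WithTemporaryTrustedHost and its parameters are hypothetical). It requests Negotiate authentication explicitly, since the error above notes that Kerberos does not accept local user names, and it prompts for the password instead of embedding it in the script.

```powershell
# Added example, not the answer author's code. Run from an elevated session:
# changing WSMan:\localhost\Client settings requires administrator rights.
function Invoke-WithTemporaryTrustedHost {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]       $ComputerName,
        [Parameter(Mandatory)] [pscredential] $Credential,
        [Parameter(Mandatory)] [scriptblock]  $ScriptBlock
    )

    $path     = 'WSMan:\localhost\Client\TrustedHosts'
    $original = [string](Get-Item -Path $path).Value
    $entries  = @($original -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })

    # Only touch the list if the target is not already covered by it.
    $changed = $false
    if ($entries -notcontains $ComputerName -and $entries -notcontains '*') {
        Set-Item -Path $path -Value $ComputerName -Concatenate -Force
        $changed = $true
    }

    try {
        # Local accounts cannot use Kerberos; ask for Negotiate (NTLM) explicitly.
        # -ErrorAction Stop turns a connection failure into a terminating error
        # so the caller sees it, while finally still restores the list.
        Invoke-Command -ComputerName $ComputerName -Credential $Credential `
            -Authentication Negotiate -ScriptBlock $ScriptBlock -ErrorAction Stop
    }
    finally {
        if ($changed) {
            # Put back exactly what was there before, including an empty list.
            Set-Item -Path $path -Value $original -Force
        }
    }
}

# Prompt for the password instead of storing it in the script.
$server = 'servername'
$cred   = Get-Credential -UserName "$server\localadminaccount" -Message "Local admin on $server"
Invoke-WithTemporaryTrustedHost -ComputerName $server -Credential $cred -ScriptBlock {
    (New-Object -ComObject Microsoft.Update.AutoUpdate).Results.LastSearchSuccessDate
}
```

As the error text says, a computer in the TrustedHosts list might not be authenticated, so the credential is sent to whatever answers under that name while the entry is present. Where the remote server has a WinRM HTTPS listener, Invoke-Command -UseSSL authenticates the server by its certificate and needs no TrustedHosts entry.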

User contributions licensed under CC BY-SA 3.0