Enter-PSSession not working within domain

I'm sitting on two VMs where one is a server and another is the client. When I try to Enter-PSSession on both the server and the client, I get the following error:

Connecting to remote server 10.10.106.2 failed with the following error
message : The WinRM client cannot process the request. If the authentication
scheme is different from Kerberos, or if the client computer is not joined
to a domain, then HTTPS transport must be used or the destination machine
must be added to the TrustedHosts configuration setting. Use winrm.cmd to
configure TrustedHosts. Note that computers in the TrustedHosts list might
not be authenticated. You can get more information about that by running the
following command: winrm help config. For more information, see the
about_Remote_Troubleshooting Help topic.

Computer Details

Server

  • OS: Windows Server 2016
  • IP: 192.168.2.2
  • hostname.exe: Host
  • $env:Username: Administrator
  • $env:UserDomain: JEPPESEN
  • whoami: jeppesen\administrator
  • Domain in control.exe system: Jeppesen.local
  • Full computername in control.exe system: Host.Jeppesen.local
  • $PSVersionTable.PSVersion | FT -H : 5 1 14393 2248

Client

  • OS: Windows 10 Pro 1809

  • IP: 192.168.2.3

  • hostname.exe: DESKTOP-USJVHNQ

  • $env:Username: JoHa

  • $env:UserDomain: JEPPESEN

  • whoami: jeppesen\joha

  • Domain in control.exe system: Jeppesen.local

  • Full computername in control.exe system: DESKTOP-USJVHNQ.Jeppesen.local

  • $PSVersionTable.PSVersion | FT -H : 5 1 17763 1

I've also checked the firewall and have added TrustedHosts on both sides. I even followed a guide to configure WinRM on a domain controller.

And sorry about this long post.

1 Answer

The error message is giving you most of what you need. This isn't just about the TrustedHosts list; it's saying that in order to use an IP address with the default authentication scheme, you have to ALSO be using HTTPS (which isn't configured by default) and provide explicit credentials. I can tell you're at least not using SSL, because you didn't use the -UseSSL switch.

Note that SSL/HTTPS is not configured by default - that's an extra step you'll have to take. You can't just add -UseSSL.

The default authentication mechanism is Kerberos, and it wants to see real host names as they appear in AD. Not IP addresses, not DNS CNAME nicknames. Some folks will enable Basic authentication, which is less picky - but you should also set up HTTPS since you'd otherwise pass credentials in cleartext. Enable-PSRemoting only sets up HTTP.

Adding names to your hosts file won't work. This isn't an issue of name resolution; it's about how the mutual authentication between computers is carried out.

Additionally, if the two computers involved in this connection aren't in the same AD domain, the default authentication mechanism won't work. Read "help about_remote_troubleshooting" for information on configuring non-domain and cross-domain authentication.

From the docs at

HOW TO USE AN IP ADDRESS IN A REMOTE COMMAND
-----------------------------------------------------
ERROR: The WinRM client cannot process the request. If the authentication scheme is different from Kerberos, or if the client computer is not joined to a domain, then HTTPS transport must be used or the destination machine must be added to the TrustedHosts configuration setting.

The ComputerName parameters of the New-PSSession, Enter-PSSession and Invoke-Command cmdlets accept an IP address as a valid value. However, because Kerberos authentication does not support IP addresses, NTLM authentication is used by default whenever you specify an IP address.

When using NTLM authentication, the following procedure is required for remoting.

1. Configure the computer for HTTPS transport or add the IP addresses of the remote computers to the TrustedHosts list on the local computer. For instructions, see "How to Add a Computer to the TrustedHosts List" below.
2. Use the Credential parameter in all remote commands. This is required even when you are submitting the credentials of the current user.

So, use the hostname or configure SSL/HTTPS.
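
The two paths the answer describes, as an added PowerShell example that is not part of the original answer. `Resolve-RemotingTarget` is a hypothetical helper name, the IP address is the server's from the question, and the reverse lookup assumes a PTR record exists for the server.

```powershell
# Added example. Resolve-RemotingTarget is a hypothetical helper, not a built-in cmdlet.
function Resolve-RemotingTarget {
    param([Parameter(Mandatory)][string]$Target)

    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Target, [ref]$ip)) {
        # Already a host name: Kerberos can match it against the computer account in AD.
        return [pscustomobject]@{ ComputerName = $Target; UseKerberos = $true }
    }
    # Kerberos does not support IP addresses, so WinRM would use NTLM here.
    # Try reverse DNS first to recover the real host name.
    try {
        $name = [System.Net.Dns]::GetHostEntry($ip).HostName
        $probe = $null
        if (-not [System.Net.IPAddress]::TryParse($name, [ref]$probe)) {
            return [pscustomobject]@{ ComputerName = $name; UseKerberos = $true }
        }
    } catch { }   # no PTR record: fall through to the NTLM path
    [pscustomobject]@{ ComputerName = $Target; UseKerberos = $false }
}

$t = Resolve-RemotingTarget -Target '192.168.2.2'   # server IP from the question
if ($t.UseKerberos) {
    # Preferred path: host name + Kerberos, no TrustedHosts entry needed.
    # Test-WSMan fails fast if the listener or the authentication is the problem.
    Test-WSMan -ComputerName $t.ComputerName -Authentication Kerberos -ErrorAction Stop | Out-Null
    Enter-PSSession -ComputerName $t.ComputerName
} else {
    # NTLM path over HTTP: the remote machine is not authenticated, so list only
    # this one address rather than '*'. Requires an elevated prompt.
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value $t.ComputerName -Concatenate -Force
    # -Credential is required even for the current user's own account.
    Enter-PSSession -ComputerName $t.ComputerName -Credential (Get-Credential)
}
```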
