PowerShell Remoting - Policy does not allow the delegation of user credentials

Chr*_*isB 24 powershell powershell-remoting winrm

I'm new to PowerShell and I'm having trouble with credential delegation. I have the following script:

$session = New-PSSession myserver -Authentication CredSSP -Credential DOMAIN\Administrator
Invoke-Command -Session $session -ScriptBlock { <Some PowerShell Command> }

Before running it, I did the following:

  1. Ran Enable-PSRemoting on myserver.
  2. Ran Enable-WSManCredSSP Server on myserver.
  3. Ran Restart-Service WinRM on myserver.
  4. Ran Enable-WSManCredSSP Client –DelegateComputer myserver on the client.
  5. Rebooted both the server and the client.

But as soon as I run the script, I get the following error message:

[myserver] Connecting to remote server failed with the following error message : The WinRM client cannot process the request. A computer policy does not allow the delegation of the user credentials to the target computer. Use gpedit.msc and look at the following policy: Computer Configuration -> Administrative Templates -> System -> Credentials Delegation -> Allow Delegating Fresh Credentials. Verify that it is enabled and configured with an SPN appropriate for the target computer. For example, for a target computer name "myserver.domain.com", the SPN can be one of the following: WSMAN/myserver.domain.com or WSMAN/*.domain.com. For more information, see the about_Remote_Troubleshooting Help topic.
    + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [], PSRemotingTransportException
    + FullyQualifiedErrorId : PSSessionOpenFailed

I checked the policy mentioned in the error message, but everything seems fine. What else could be blocking me?

Aki*_*oto 22

I had to do the following on the server:

Enable-WSManCredSSP -Role Server

I had to do the following on the client:

set-item wsman:localhost\client\trustedhosts -value *

Enable-WSManCredSSP -Role Client –DelegateComputer *

Use gpedit.msc on the client to enable delegating fresh credentials to WSMAN/*:

  1. Expand Local Computer Policy, expand Computer Configuration, expand Administrative Templates, expand System, and then click Credential Delegation.
  2. In the Settings pane, double-click Allow Delegating Fresh Credentials with NTLM-only Server Authentication.
  3. In the Allow Delegating Fresh Credentials with NTLM-only Server Authentication dialog box, do the following:
  4. Click Enabled.
  5. In the Options area, click Show.
  6. In Value, type WSMAN/*, and then click OK. Make sure Concatenate OS defaults with input above is selected, and then click OK.

Now the following command works (after the password prompt):

Invoke-Command { dir \\fileserver\devtools } -computer appserver01 -authentication credssp -credential domain\user

See the MSDN forum.

See TechNet.

  • Just to help others: the gpedit steps are run on the client machine. (2 upvotes)
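An added check, my own and not part of Akira's answer or the original thread: the error message names the policy and the SPN form it expects, so before touching gpedit it is worth reading the registry-backed policy that gpedit edits and testing whether the target's WSMAN SPN is actually covered. The target name `myserver.domain.com` is a placeholder, and the wildcard match uses PowerShell's `-like` as an approximation of the policy's own matcher (an assumption; the real matcher is not exposed). Note that the `TrustedHosts *`, `-DelegateComputer *` and `WSMAN/*` settings above make the client willing to forward the user's actual credentials to any host it connects to, so once things work it is worth narrowing them to the hosts you need.

```powershell
# Added example (not from the original thread): read the Credentials Delegation
# policy that gpedit.msc edits and report whether the target's WSMAN SPN is covered.
# Assumed target name: myserver.domain.com (placeholder; pass your own with -Target).
param(
    [string]$Target = 'myserver.domain.com'
)

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'

# The SPN list for each policy lives in a sub-key whose string values are named 1, 2, 3, ...
function Get-DelegationSpnList {
    param([string]$PolicyName)
    $subKey = Join-Path $policyKey $PolicyName
    if (-not (Test-Path $subKey)) { return @() }
    @((Get-ItemProperty -Path $subKey).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { $_.Value })
}

# Policy entries such as WSMAN/*.domain.com are wildcard patterns; -like (case-insensitive)
# is used here as an approximation of the policy's own matching (assumption).
function Test-SpnCovered {
    param([string]$Spn, [string[]]$Patterns)
    foreach ($p in $Patterns) { if ($Spn -like $p) { return $true } }
    return $false
}

$spn = "WSMAN/$Target"
foreach ($policy in 'AllowFreshCredentials', 'AllowFreshCredentialsWhenNTLMOnly') {
    # The DWORD of the same name under the parent key is the policy's Enabled flag
    $enabled = (Get-ItemProperty -Path $policyKey -Name $policy -ErrorAction SilentlyContinue).$policy -eq 1
    $patterns = Get-DelegationSpnList -PolicyName $policy
    $covered = Test-SpnCovered -Spn $spn -Patterns $patterns
    [pscustomobject]@{
        Policy   = $policy
        Enabled  = $enabled
        Patterns = ($patterns -join ', ')
        Covers   = $covered
    }
}

# Client-side WinRM view: CredSSP must be enabled for the Client role and the target
# must appear in the delegate list written by Enable-WSManCredSSP -Role Client.
Get-WSManCredSSP
```

Run it on the client (the side that sends the credentials). If both rows show `Covers = False`, neither policy lists an SPN that matches the target and the error in the question is expected; if `AllowFreshCredentials` covers it but the connection still fails, the NTLM-only variant the later answers mention is the next thing to check.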

Chr*_*isB 12

Thanks to this page, I finally got it working. It provides a script that sets the required credential delegation policy by writing the corresponding registry keys directly. Once I ran that script with administrator rights, I was able to establish a CredSSP connection to myserver successfully:

Enable-WSManCredSSP -Role client -DelegateComputer *.mydomain.com

$allowed = @('WSMAN/*.mydomain.com')

# Enable the "Allow Delegating Fresh Credentials" policy (DWORD AllowFreshCredentials = 1)
$key = 'hklm:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
if (!(Test-Path $key)) {
    md $key
}
New-ItemProperty -Path $key -Name AllowFreshCredentials -Value 1 -PropertyType Dword -Force

# The allowed SPNs live in a sub-key of the same name, as string values named 1, 2, 3, ...
$key = Join-Path $key 'AllowFreshCredentials'
if (!(Test-Path $key)) {
    md $key
}
$i = 1
$allowed |% {
    # Script does not take into account existing entries in this key
    New-ItemProperty -Path $key -Name $i -Value $_ -PropertyType String -Force
    $i++
}

  • Is this run from the client or from the server? (3 upvotes)

小智 5

Expanding on Akira's answer above: I had to set "Allow Delegating Fresh Credentials with NTLM-only Server Authentication" in gpedit.msc, rather than "Allow Delegating Fresh Credentials".


小智 5

I had to fully automate my solution, in particular the part of the solution that sends you into the GPO editor.

1) Enable PS Remoting

Enable-PSRemoting -force

2) Enable CredSSP

Enable-WSManCredSSP -Role Server -Force
Enable-WSManCredSSP -Role Client -DelegateComputer localhost -Force
Enable-WSManCredSSP -Role Client -DelegateComputer $env:COMPUTERNAME -Force
Enable-WSManCredSSP -Role Client -DelegateComputer $domain -Force
Enable-WSManCredSSP -Role Client -DelegateComputer "*.$domain" -Force
Set-Item -Path "wsman:\localhost\service\auth\credSSP" -Value $True -Force

3) Enable NTLM fresh credentials via the registry:

# Sub-key holding the SPN list for "Allow Delegating Fresh Credentials with NTLM-only Server Authentication"
New-Item -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation -Name AllowFreshCredentialsWhenNTLMOnly -Force
# Entry "1" = '*' allows delegation to any target
New-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentialsWhenNTLMOnly -Name 1 -Value '*' -PropertyType String

Only after that was I able to start a PowerShell script as local administrator that could run in a PSSession and perform AD operations.

$secpasswd = ConvertTo-SecureString $adPassword -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential ("$domain\Admin", $secpasswd)
# No -ComputerName, so the CredSSP session is opened to the local machine
$adminSession = New-PSSession -Credential $credential -Authentication Credssp

$sb = {
  param($p1, $p2)

  whoami

  New-ADUser ....
}

Invoke-Command -Session $adminSession -ScriptBlock $sb -ArgumentList $domain,$userPassword
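An added example, my own and not from ChrisB's or the automated answer above, that does what both of their registry scripts do but fixes the two things a practitioner would want changed: it appends to whatever SPN entries already exist under the policy sub-key (the posted scripts overwrite value "1", as the comment on ChrisB's script notes), and it scopes delegation to named targets instead of `*`, since CredSSP hands the user's real credentials to whatever host the policy allows. It also sets the "Concatenate OS defaults with input above" DWORD that gpedit writes alongside the policy; those value names (`ConcatenateDefaults_AllowFresh`, `ConcatenateDefaults_AllowFreshNTLMOnly`) are taken from CredSsp.admx. The target SPN is a placeholder; run elevated on the client.

```powershell
# Added example (not from the original thread): configure client-side CredSSP
# delegation for named targets, appending to existing policy entries rather than
# overwriting them, and optionally the NTLM-only variant of the policy.
# Target names are placeholders; run as administrator on the client.
param(
    [string[]]$Targets = @('WSMAN/myserver.mydomain.com'),
    [switch]$NtlmOnly   # also populate "Allow Delegating Fresh Credentials with NTLM-only Server Authentication"
)

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'

# DWORD written by gpedit's "Concatenate OS defaults with input above" checkbox for each policy
# (value names from CredSsp.admx)
$concatFlag = @{
    AllowFreshCredentials             = 'ConcatenateDefaults_AllowFresh'
    AllowFreshCredentialsWhenNTLMOnly = 'ConcatenateDefaults_AllowFreshNTLMOnly'
}

function Set-DelegationPolicy {
    param([string]$PolicyName, [string[]]$Spns)

    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    # Enabled flag and concatenate-with-defaults flag for this policy
    New-ItemProperty -Path $policyKey -Name $PolicyName -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $policyKey -Name $concatFlag[$PolicyName] -Value 1 -PropertyType DWord -Force | Out-Null

    $subKey = Join-Path $policyKey $PolicyName
    if (-not (Test-Path $subKey)) { New-Item -Path $subKey -Force | Out-Null }

    # Existing entries are string values named 1, 2, 3, ...; keep them and append after the last one
    $existing = @((Get-ItemProperty -Path $subKey).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        Sort-Object { [int]$_.Name } |
        ForEach-Object { $_.Value })

    $next = $existing.Count + 1
    foreach ($spn in $Spns) {
        if ($existing -contains $spn) { continue }   # -contains compares strings case-insensitively
        New-ItemProperty -Path $subKey -Name $next -Value $spn -PropertyType String -Force | Out-Null
        $existing += $spn
        $next++
    }
    return $existing
}

$written = Set-DelegationPolicy -PolicyName 'AllowFreshCredentials' -Spns $Targets
if ($NtlmOnly) {
    $written = Set-DelegationPolicy -PolicyName 'AllowFreshCredentialsWhenNTLMOnly' -Spns $Targets
}
"Policy entries now: $($written -join ', ')"

# Register the same hosts with the WinRM client role; -DelegateComputer takes host
# names (wildcards allowed), so strip the WSMAN/ prefix
$hosts = $Targets | ForEach-Object { $_ -replace '^WSMAN/', '' }
Enable-WSManCredSSP -Role Client -DelegateComputer $hosts -Force | Out-Null

# Effective client state, to compare against the SPN named in the error message
Get-WSManCredSSP
```

Rerunning the script is safe: entries already present are skipped, so the list does not grow on each run. Pass `-NtlmOnly` when the target is not Kerberos-authenticated (the case the two later answers hit), and prefer `WSMAN/host.domain` or `WSMAN/*.domain` over `*` so a compromised or spoofed host outside that scope cannot receive the delegated credentials.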