PowerShell从Windows服务远程处理

Question

我有一个Windows服务,通过WsManConnectionInfo/ 定期在远程计算机上运行PowerShell脚本RunspaceFactory(遵循本文中的步骤:使用C#在PowerShell中远程执行命令):

var connectionInfo = new WSManConnectionInfo(false, server, 5985, "/wsman",
                                             "http://schemas.microsoft.com/powershell/Microsoft.PowerShell",
                                             cred)
                        {
                            OperationTimeout = 4*60*1000,
                            OpenTimeout = 1*60*1000
                        };
using (var runSpace = RunspaceFactory.CreateRunspace(connectionInfo))
{
    runSpace.Open();
    using (var p = runSpace.CreatePipeline())
    {
        p.Commands.AddScript(script);
        var output = p.Invoke();
        ...
    }
}

现在,如果我使用管理员帐户运行Windows服务,一切都很好.但是,如果我使用LocalSystem帐户运行该服务,我会得到以下异常;

System.Management.Automation.Remoting.PSRemotingTransportException:
    Connecting to remote server NOSRVDEV02 failed with the following error message :
        WinRM cannot process the request. The following error with
        errorcode 0x8009030d occurred while using Negotiate authentication:
        A specified logon session does not exist. It may already have been terminated.

    Possible causes are:
        -The user name or password specified are invalid.
        -Kerberos is used when no authentication method and no user name are specified.
        -Kerberos accepts domain user names, but not local user names.
        -The Service Principal Name (SPN) for the remote computer name and port does not exist.
        -The client and remote computers are in different domains and there is no trust between the two domains.

    After checking for the above issues, try the following:
        -Check the Event Viewer for events related to authentication.
        -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
         Note that computers in the TrustedHosts list might not be authenticated.
        -For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.

    at System.Management.Automation.Runspaces.AsyncResult.EndInvoke()
    at System.Management.Automation.Runspaces.Internal.RunspacePoolInternal.EndOpen(IAsyncResult asyncResult)
    at System.Management.Automation.RemoteRunspace.Open()
    ...

注意:这与凭据无关WSManConnectionInfo- 只是服务属性"登录"选项卡中的帐户设置.

我不想给予服务管理员权限.任何想法为什么LocalSystem用户无法登录？

附加信息:

• 远程计算机不是域的成员.
• 我试图通过IP地址和主机名连接两者(两者都列在本地计算机中TrustedHosts).

编辑:更多信息(评论摘要):

• 本地计算机:Windows 7 Ultimate 64bit(Windows 8机箱上的虚拟机).
• 远程计算机:Windows Server 2008R2 Datacenter 64位.
• 我们不想更改服务用户帐户的主要原因是这是对已经部署在许多客户端(客户)上的旧服务的更新.
• 该服务还访问本地计算机上的Windows注册表和文件系统,因此将用户帐户设置为更受限制的内容(如NetworkService)只会打开不同的蠕虫病毒.

Answer 1

一个相当令人惊讶的解决方案:PSCredentialobject(cred)中的用户名需要以无域远程计算机的名称为前缀,例如" MYREMOTESERVERNAME\remoteusername "而不仅仅是" remoteusername ".

我不知道为什么只有在与LocalSystem帐户连接时才需要前缀...