我正尝试将PowerShell远程连接到Exchange服务器。 这是一个单独的AD域。 (连接域A到域B)我可以从域A连接到其他域的服务器就好了。 我收到以下错误:
PS Y:\Personal\scripts> $session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://server1.domainB.tld/PowerShell/ -Authentication Kerberos -Credential $cred New-PSSession : [server1.domainB.tld] Connecting to remote server server1.domainB.tld failed with the following error message : The user name or password is incorrect. For more information, see the about_Remote_Troubleshooting Help topic. At line:1 char:12 + $session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri ht ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotingTransportException + FullyQualifiedErrorId : LogonFailure,PSSessionOpenFailed 这不是特定于此服务器,我得到相同的结果到同一域中的两个其他服务器。
我的用户名是UPN格式[email protected]如果我使用domainB\me我得到以下错误:
PS Y:\Personal\scripts> $session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://server1.domainB.tld/PowerShell/ -Authentication Kerberos -Credential $cred New-PSSession : [server1.domainB.tld] Connecting to remote server server1.domainB.tld failed with the following error message : WinRM cannot process the request. The following error with errorcode 0x80090311 occurred while using Kerberos authentication: There are currently no logon servers available to service the logon request. Possible causes are: -The user name or password specified are invalid. -Kerberos is used when no authentication method and no user name are specified. -Kerberos accepts domain user names, but not local user names. -The Service Principal Name (SPN) for the remote computer name and port does not exist. -The client and remote computers are in different domains and there is no trust between the two domains. After checking for the above issues, try the following: -Check the Event Viewer for events related to authentication. -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport. Note that computers in the TrustedHosts list might not be authenticated. -For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic. At line:1 char:12 + $session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri ht ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotingTransportException + FullyQualifiedErrorId : AuthenticationFailed,PSSessionOpenFailed
我也尝试从其他域连接到域B,并收到相同的结果。 我假设有一个权限需要设置,但我不知道是什么。
wsman:\localhost\client\trustedhosts被设置为正确的值
我可以RDP在相同的凭据没有问题,所以我知道我的凭据是有效的。 我也是一个域pipe理员。 服务器是Windows 2012 R2。
PSRemoting已启用
[PS] D:\>Enable-PSRemoting -Force WinRM is already set up to receive requests on this computer. WinRM is already set up for remote management on this computer.
PSSessionConfiguration
Name : microsoft.powershell PSVersion : 4.0 StartupScript : RunAsUser : Permission : BUILTIN\Administrators AccessAllowed, BUILTIN\Remote Management Users AccessAllowed Name : microsoft.powershell.workflow PSVersion : 4.0 StartupScript : RunAsUser : Permission : BUILTIN\Administrators AccessAllowed, BUILTIN\Remote Management Users AccessAllowed Name : microsoft.powershell32 PSVersion : 4.0 StartupScript : RunAsUser : Permission : BUILTIN\Administrators AccessAllowed, BUILTIN\Remote Management Users AccessAllowed Name : microsoft.windows.servermanagerworkflows PSVersion : 3.0 StartupScript : RunAsUser : Permission : NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators AccessAllowed
另外,我尝试从domainB中的服务器远程处理server1.domainB,它工作正常。 所以它与域之外的连接有关。
testing身份validation在IIS中正常工作
删除 – -Authentication Kerberos或使用Negotiate也会导致错误
wsman trustedhosts – 添加客户端到服务器的FQDN。 添加服务器的FQDN和IP到客户端。 不用找了。
我需要修正什么才能在这里远程?
如果这是一个特权问题,错误会说'拒绝访问'。
不知何故,服务器实际上不知道你的用户(或PW是不正确的)。
你说你试图连接'从DomainA到DomainB'。 这听起来像你的用户位于DomainA,但你告诉服务器,你的用户位于DomainB。
尝试连接[email protected]或me\domainA 。
您是否尝试从New-PSSession中删除-Authentication Kerberos ? 我有用于pipe理受信任的域交换服务器的类似脚本,但是我没有指定身份validationtypes。
$session = New-PSSession -ConnectionUri "https://mail.server.com/Powershell" -ConfigurationName Microsoft.Exchange -Credential $cred