I am trying to run the following PowerShell command:
Enter-PSSession -ComputerName localhost
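The server in question is running Windows Server 2008 R2 SP1 64-bit. The server is on a domain. I am logged in with my domain administrator account. The PowerShell session was started as administrator.
I get the following error message from PowerShell itself: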
PS C:\Users\Daniel> Enter-PSSession -Computername localhost
Enter-PSSession : Connecting to remote server localhost failed with the following error message : The client cannot connect to the destination specified in the request. Verify that the service on the destination is running and is accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: "winrm quickconfig". For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ Enter-PSSession -Computername localhost
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (localhost:String) [Enter-PSSession], PSRemotingTransportException
    + FullyQualifiedErrorId : CreateRemoteRunspaceFailed
PS C:\Users\Daniel>
Using Event Viewer, I can find the following two errors under Applications and Services Logs > Microsoft > Windows > Windows Remote Management > Operational:
General:
The client cannot connect to the destination specified in the request. Verify that the service on the destination is running and is accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: "winrm quickconfig".
Detail:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-WinRM" Guid="{A7975C8F-AC13-49F1-87DA-5A984A4AB417}" />
    <EventID>161</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>7</Task>
    <Opcode>0</Opcode>
    <Keywords>0x400000000000000a</Keywords>
    <TimeCreated SystemTime="2016-08-17T23:10:40.766446000Z" />
    <EventRecordID>56814</EventRecordID>
    <Correlation ActivityID="{0190DC40-F800-0000-3291-5DB0DAF8D101}" />
    <Execution ProcessID="7888" ThreadID="7912" />
    <Channel>Microsoft-Windows-WinRM/Operational</Channel>
    <Computer>FNZAS2.flow.net.nz</Computer>
    <Security UserID="S-1-5-21-2875926586-1071052228-4104636349-1151" />
  </System>
  <EventData>
    <Data Name="authFailureMessage">The client cannot connect to the destination specified in the request. Verify that the service on the destination is running and is accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: "winrm quickconfig".</Data>
  </EventData>
</Event>

General:
WSMan operation CreateShell failed, error code 2150858770
Detail:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-WinRM" Guid="{A7975C8F-AC13-49F1-87DA-5A984A4AB417}" />
    <EventID>142</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>10</Task>
    <Opcode>2</Opcode>
    <Keywords>0x4000000000000002</Keywords>
    <TimeCreated SystemTime="2016-08-17T23:10:40.766446000Z" />
    <EventRecordID>56816</EventRecordID>
    <Correlation ActivityID="{0190DC40-F800-0000-2F91-5DB0DAF8D101}" />
    <Execution ProcessID="7888" ThreadID="7912" />
    <Channel>Microsoft-Windows-WinRM/Operational</Channel>
    <Computer>FNZAS2.flow.net.nz</Computer>
    <Security UserID="S-1-5-21-2875926586-1071052228-4104636349-1151" />
  </System>
  <EventData>
    <Data Name="operationName">CreateShell</Data>
    <Data Name="errorCode">2150858770</Data>
  </EventData>
</Event>
I have been trying a few things to verify everything. Below is some longer PowerShell output showing some of what I have done so far.
PS C:\Users\Daniel> $PSVersionTable.PSVersion

Major  Minor  Build  Revision
-----  -----  -----  --------
4      0      -1     -1

PS C:\Users\Daniel> winrm quickconfig
WinRM service is already running on this machine.
WinRM is already set up for remote management on this computer.

PS C:\Users\Daniel> Enable-PSRemoting

WinRM Quick Configuration
Running command "Set-WSManQuickConfig" to enable remote management of this computer by using the Windows Remote Management (WinRM) service.
This includes:
    1. Starting or restarting (if already started) the WinRM service
    2. Setting the WinRM service startup type to Automatic
    3. Creating a listener to accept requests on any IP address
    4. Enabling Windows Firewall inbound rule exceptions for WS-Management traffic (for http only).

Do you want to continue?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): A
WinRM is already set up to receive requests on this computer.
WinRM is already set up for remote management on this computer.

Confirm
Are you sure you want to perform this action?
Performing the operation "Set-PSSessionConfiguration" on target "Name: microsoft.powershell SDDL: O:NSG:BAD:P(A;;GA;;;BA)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD). This lets selected users remotely run Windows PowerShell commands on this computer.".
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): A

PS C:\Users\Daniel> Enable-PSRemoting -force
WinRM is already set up to receive requests on this computer.
WinRM is already set up for remote management on this computer.

PS C:\Users\Daniel> winrm get winrm/config
Config
    MaxEnvelopeSizekb = 500
    MaxTimeoutms = 60000
    MaxBatchItems = 32000
    MaxProviderRequests = 4294967295
    Client
        NetworkDelayms = 5000
        URLPrefix = wsman
        AllowUnencrypted = true [Source="GPO"]
        Auth
            Basic = true [Source="GPO"]
            Digest = true
            Kerberos = true
            Negotiate = true
            Certificate = true
            CredSSP = true [Source="GPO"]
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        TrustedHosts = *
    Service
        RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
        MaxConcurrentOperations = 4294967295
        MaxConcurrentOperationsPerUser = 1500
        EnumerationTimeoutms = 240000
        MaxConnections = 300
        MaxPacketRetrievalTimeSeconds = 120
        AllowUnencrypted = false
        Auth
            Basic = true [Source="GPO"]
            Kerberos = true
            Negotiate = true
            Certificate = false
            CredSSP = true [Source="GPO"]
            CbtHardeningLevel = Relaxed
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        IPv4Filter [Source="GPO"]
        IPv6Filter [Source="GPO"]
        EnableCompatibilityHttpListener = false
        EnableCompatibilityHttpsListener = false
        CertificateThumbprint
        AllowRemoteAccess = true [Source="GPO"]
    Winrs
        AllowRemoteShellAccess = true [Source="GPO"]
        IdleTimeout = 7200000
        MaxConcurrentUsers = 10
        MaxShellRunTime = 2147483647
        MaxProcessesPerShell = 25
        MaxMemoryPerShellMB = 1000
        MaxShellsPerUser = 30

PS C:\Users\Daniel> winrm e winrm/config/listener
Listener [Source="GPO"]
    Address = *
    Transport = HTTP
    Port = 5985
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = null

PS C:\Users\Daniel> get-service WinRM

Status   Name   DisplayName
------   ----   -----------
Running  WinRM  Windows Remote Management (WS-Manag...

PS C:\Users\Daniel> winrm get wmicimv2/Win32_Service?Name=WinRM
Win32_Service
    AcceptPause = false
    AcceptStop = true
    Caption = Windows Remote Management (WS-Management)
    CheckPoint = 0
    CreationClassName = Win32_Service
    Description = Windows Remote Management (WinRM) service implements the WS-Management protocol for remote management. WS-Management is a standard web services protocol used for remote software and hardware management. The WinRM service listens on the network for WS-Management requests and processes them. The WinRM Service needs to be configured with a listener using winrm.cmd command line tool or through Group Policy in order for it to listen over the network. The WinRM service provides access to WMI data and enables event collection. Event collection and subscription to events require that the service is running. WinRM messages use HTTP and HTTPS as transports. The WinRM service does not depend on IIS but is preconfigured to share a port with IIS on the same machine. The WinRM service reserves the /wsman URL prefix. To prevent conflicts with IIS, administrators should ensure that any websites hosted on IIS do not use the /wsman URL prefix.
    DesktopInteract = false
    DisplayName = Windows Remote Management (WS-Management)
    ErrorControl = Normal
    ExitCode = 0
    InstallDate = null
    Name = WinRM
    PathName = C:\Windows\System32\svchost.exe -k NetworkService
    ProcessId = 936
    ServiceSpecificExitCode = 0
    ServiceType = Share Process
    Started = true
    StartMode = Auto
    StartName = NT AUTHORITY\NetworkService
    State = Running
    Status = OK
    SystemCreationClassName = Win32_ComputerSystem
    SystemName = FNZAS2
    TagId = 0
    WaitHint = 0

PS C:\Users\Daniel> winrm id
IdentifyResponse
    ProtocolVersion = http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
    ProductVendor = Microsoft Corporation
    ProductVersion = OS: 6.1.7601 SP: 1.0 Stack: 3.0
    SecurityProfiles
        SecurityProfileName = http://schemas.dmtf.org/wbem/wsman/1/wsman/secprofile/http/basic, http://schemas.dmtf.org/wbem/wsman/1/wsman/secprofile/http/spnego-kerberos

PS C:\Users\Daniel> Enter-PSSession -ComputerName localhost
Enter-PSSession : Connecting to remote server localhost failed with the following error message : The client cannot connect to the destination specified in the request. Verify that the service on the destination is running and is accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: "winrm quickconfig". For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ Enter-PSSession -ComputerName localhost
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (localhost:String) [Enter-PSSession], PSRemotingTransportException
    + FullyQualifiedErrorId : CreateRemoteRunspaceFailed
PS C:\Users\Daniel>
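I have also tried restarting the WinRM service, as well as restarting the whole server. I still get the same error.
It is easy to miss. To my (non-expert) eyes, the second error message in Event Viewer looks like it could be significant:
WSMan operation CreateShell failed, error code 2150858770
I found this error code on another Server Fault question, but it has no answers.
I did manage to find a similar question here. I tried the MaxFieldLength and MaxRequestBytes changes suggested by Arthur_Li, but that did not solve my problem.
The error code looks like it may be decimal, so I tried converting it to hex and searching for the hex code instead, and did not find anything that the original error code had not already turned up.
I am completely stuck at this point. I have set up PowerShell Remoting on other servers before without problems like this.
One suggestion I have received is: "Stop using 2008 R2 and upgrade to something more recent." We intend to do that at some point in the next six months anyway. However, we will not be able to act on it until the end of September at the earliest.
I can work around this by logging in to the machine, uploading the deployment scripts and packages myself, and running them manually. But doing so defeats the purpose of having an automated deployment process in the first place.
Any assistance would be appreciated.
Update #1
Tried deleting and restoring the default WinRM listener.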
PS C:\Users\Daniel> winrm delete winrm/config/listener?address=*+transport=HTTP
WSManFault
    Message
        ProviderFault
            WSManFault
                Message = WS-Management does not allow changes to a listener created automatically by the group policy. The policy "Allow Auto Configuration of listeners on WinRm service" would need to be set to "Not Configured" in order to create a new listener for same Address and Transport or to modify an already existing listener.

Error number: -2144108406 0x8033808A
Cannot change GPO controlled setting.
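I went into gpedit.msc for this. It turns out that "Allow Auto Configuration of listeners on WinRm service" has been unhelpfully renamed to "Allow remote server management through WinRM". I set it to "Not Configured" and tried again.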
PS C:\Users\Daniel> winrm delete winrm/config/listener?address=*+transport=HTTP

PS C:\Users\Daniel> winrm create winrm/config/Listener?Address=*+Transport=HTTP
ResourceCreated
    Address = http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
    ReferenceParameters
        ResourceURI = http://schemas.microsoft.com/wbem/wsman/1/config/listener
        SelectorSet
            Selector: Address = *, Transport = HTTP

PS C:\Users\Daniel> winrm e winrm/config/listener
Listener
    Address = *
    Transport = HTTP
    Port = 5985
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = 10.10.90.6, 127.0.0.1, ::1, fe80::100:7f:fffe%11, fe80::5efe:10.10.90.6%13

PS C:\Users\Daniel> Enter-PSSession -ComputerName localhost
Enter-PSSession : Connecting to remote server localhost failed with the following error message : WinRM cannot process the request. The following error with errorcode 0x80090322 occurred while using Negotiate authentication: An unknown security error occurred.
Possible causes are:
  -The user name or password specified are invalid.
  -Kerberos is used when no authentication method and no user name are specified.
  -Kerberos accepts domain user names, but not local user names.
  -The Service Principal Name (SPN) for the remote computer name and port does not exist.
  -The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
  -Check the Event Viewer for events related to authentication.
  -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
 Note that computers in the TrustedHosts list might not be authenticated.
  -For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ Enter-PSSession -ComputerName localhost
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (localhost:String) [Enter-PSSession], PSRemotingTransportException
    + FullyQualifiedErrorId : CreateRemoteRunspaceFailed
PS C:\Users\Daniel>
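On that topic, here is the current configuration of my GPO for WinRM:
Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Client
Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Service
The error message has changed. When I jump into Event Viewer, I now get the following two errors. Note that both of them have changed. The first has changed a lot, the second only slightly.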
General:
Omitted for brevity. Same as per the "authFailureMessage" in the details below.
Detail:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-WinRM" Guid="{A7975C8F-AC13-49F1-87DA-5A984A4AB417}" />
    <EventID>161</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>7</Task>
    <Opcode>0</Opcode>
    <Keywords>0x400000000000000a</Keywords>
    <TimeCreated SystemTime="2016-08-18T00:37:41.784323600Z" />
    <EventRecordID>61452</EventRecordID>
    <Correlation ActivityID="{0190DC40-F800-0000-79D1-5DB0DAF8D101}" />
    <Execution ProcessID="7888" ThreadID="8116" />
    <Channel>Microsoft-Windows-WinRM/Operational</Channel>
    <Computer>FNZAS2.flow.net.nz</Computer>
    <Security UserID="S-1-5-21-2875926586-1071052228-4104636349-1151" />
  </System>
  <EventData>
    <Data Name="authFailureMessage">WinRM cannot process the request. The following error with errorcode 0x80090322 occurred while using Negotiate authentication: An unknown security error occurred. Possible causes are: -The user name or password specified are invalid. -Kerberos is used when no authentication method and no user name are specified. -Kerberos accepts domain user names, but not local user names. -The Service Principal Name (SPN) for the remote computer name and port does not exist. -The client and remote computers are in different domains and there is no trust between the two domains. After checking for the above issues, try the following: -Check the Event Viewer for events related to authentication. -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport. Note that computers in the TrustedHosts list might not be authenticated. -For more information about WinRM configuration, run the following command: winrm help config.</Data>
  </EventData>
</Event>

General:
WSMan operation CreateShell failed, error code 2150858909
Details:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-WinRM" Guid="{A7975C8F-AC13-49F1-87DA-5A984A4AB417}" />
    <EventID>142</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>10</Task>
    <Opcode>2</Opcode>
    <Keywords>0x4000000000000002</Keywords>
    <TimeCreated SystemTime="2016-08-18T00:37:41.784323600Z" />
    <EventRecordID>61454</EventRecordID>
    <Correlation ActivityID="{0190DC40-F800-0000-7CD1-5DB0DAF8D101}" />
    <Execution ProcessID="7888" ThreadID="8116" />
    <Channel>Microsoft-Windows-WinRM/Operational</Channel>
    <Computer>FNZAS2.flow.net.nz</Computer>
    <Security UserID="S-1-5-21-2875926586-1071052228-4104636349-1151" />
  </System>
  <EventData>
    <Data Name="operationName">CreateShell</Data>
    <Data Name="errorCode">2150858909</Data>
  </EventData>
</Event>
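Update #2
Tried clearing the WinRM settings and then restoring the defaults.
PowerShell output: pastebin.com/E5wgXE1q
The underlying Windows event log entries are the same as those generated in Update #1.
Update #3
Using Mer's winrm/config output as a guide, I went through my Local Computer Group Policy Object and reset everything to "Not Configured". That gave me winrm/config output matching Mer's.
However, I still cannot get through. I tried the clear/reset steps followed in Update #2 to be safe, and that did not work either.
PowerShell output is at pastebin.com/EuzyDR6d
The output in the event log is the same as in Update #2.
Will try restarting the server to see if that makes a difference.
Update #4
The server restart did not fix it. Still receiving the same error messages as per Update #2.
Update #5
OK. This is nuts.
All of the problems above are occurring on a server we call AS2.
I just jumped onto the AS1 server and set up remote PowerShell. Just to make sure I am not going crazy.
Previously, I was having problems going from AS2 into any server. But I fixed that somewhere along the line. Now it is only a localhost problem on AS2.
This feels completely crazy. Why can AS2 not remote into itself, when it is clearly happy to accept incoming connections and can make outgoing connections just fine?
Update #6
OK, new information: CredSSP authentication works. It seems to be specifically Negotiate authentication that is broken on this server.
I may be able to use this as the basis for a workaround for what I want to do. It still does not explain why Negotiate appears to be broken on this server.
You can delete the existing listener: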
winrm delete winrm/config/listener?address=*+transport=HTTP
And add a new one:
winrm create winrm/config/Listener?Address=*+Transport=HTTP
Then check again:
winrm e winrm/config/listener
ListeningOn should list your IP addresses, not null.
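
The ListeningOn check from the answer above, written as a PowerShell function that parses `winrm e winrm/config/listener` text and also reports whether each listener is marked `[Source="GPO"]`, which is the case where the question's `winrm delete` was refused. This is an added example, not part of the original answer or question; the function name `Get-WinRMListenerReport` and the `Local` source label are assumptions made here.

```powershell
# Added example: parse `winrm e winrm/config/listener` text and flag listeners
# that are bound to no address, noting whether Group Policy controls them.
function Get-WinRMListenerReport {
    param([Parameter(Mandatory = $true)][string[]]$Lines)
    $listeners = @()
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*Listener(\s+\[Source="(?<src>[^"]+)"\])?\s*$') {
            # A "Listener" header starts a new record; 'Local' is this example's label.
            if ($null -ne $current) { $listeners += [pscustomobject]$current }
            $src = if ($Matches['src']) { $Matches['src'] } else { 'Local' }
            $current = [ordered]@{ Source = $src; Transport = ''; Port = ''; ListeningOn = '' }
        }
        elseif ($null -ne $current -and $line -match '^\s*(?<key>\w+)(\s*=\s*(?<val>.*))?$') {
            # "Key = value" lines; keys printed without "=" get an empty value.
            $current[$Matches['key']] = "$($Matches['val'])".Trim()
        }
    }
    if ($null -ne $current) { $listeners += [pscustomobject]$current }
    foreach ($l in $listeners) {
        $bound = $l.ListeningOn -and $l.ListeningOn -ne 'null'
        $finding = 'OK'
        if (-not $bound -and $l.Source -eq 'GPO') {
            $finding = 'No bound address; policy-controlled, set the policy to Not Configured first'
        }
        elseif (-not $bound) {
            $finding = 'No bound address; delete and re-create the listener'
        }
        $l | Add-Member -NotePropertyName Finding -NotePropertyValue $finding -PassThru
    }
}
# Sample input: the two listener listings from the question, abridged.
$sample = @'
Listener [Source="GPO"]
    Address = *
    Transport = HTTP
    Port = 5985
    Hostname
    ListeningOn = null
Listener
    Address = *
    Transport = HTTP
    Port = 5985
    Hostname
    ListeningOn = 10.10.90.6, 127.0.0.1, ::1
'@ -split "\r?\n"
Get-WinRMListenerReport -Lines $sample | Format-List Source, Transport, Port, ListeningOn, Finding
```

On a live host the input would be `(winrm e winrm/config/listener)`; in the question's `winrm get winrm/config` output, the GPO-sourced listener appears alongside `IPv4Filter` and `IPv6Filter` entries that are also GPO-sourced and show no value.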