我试图让PowerShell远程处理使用它的CNAME而不是计算机名称的服务器。 本地和远程机器都在同一个networking和域上。
我已经启用PowerShell的远程处理,并与计算机名称正常工作。 我已经将我的TrustedHosts设置为CNAME,并添加了CNAME的SPN,但是当我发出Enter-PSSession CNAME我得到以下内容:
Enter-PSSession : Connecting to remote server CNAME failed with the following error message : WinRM cannot process the request. The following error occurred while using Kerberos authentication: Cannot find the computer CNAME. Verify that the computer exists on the network and that the name provided is spelled correctly. For more information, see the about_Remote_Troubleshooting Help topic.
执行setspn -l COMPUTERNAME给了我这个:
Registered ServicePrincipalNames for CN=COMPUTERNAME,OU=SERVERS,DC=COMPANY,DC=private: WSMAN/CNAME WSMAN/COMPUTERNAME WSMAN/COMPUTERNAME.local TERMSRV/COMPUTERNAME TERMSRV/COMPUTERNAME.local HOST/COMPUTERNAME HOST/COMPUTERNAME.local
还需要通过CNAME启用访问权限吗?
我所做的解决这个问题是为Enter-PSSession创build一个代理函数来parsing我的CNAME。 这可能不适用于你的情况,这取决于你为什么需要使用CNAME,但这对我很有用。
代理PowerShellfunction的详细信息: http : //www.windowsitpro.com/blog/powershell-with-a-purpose-blog-36/windows-powershell/powershell-proxy-functions-141413
全function:
function Enter-PSSession { [CmdletBinding(DefaultParameterSetName='ComputerName')] param( [Parameter(ParameterSetName='ComputerName', Mandatory=$true, Position=0, ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true)] [Alias('Cn')] [ValidateNotNullOrEmpty()] [string] ${ComputerName}, [Parameter(ParameterSetName='Session', Position=0, ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true)] [ValidateNotNullOrEmpty()] [System.Management.Automation.Runspaces.PSSession] ${Session}, [Parameter(ParameterSetName='Uri', Position=1, ValueFromPipelineByPropertyName=$true)] [Alias('URI','CU')] [ValidateNotNullOrEmpty()] [uri] ${ConnectionUri}, [Parameter(ParameterSetName='InstanceId', ValueFromPipelineByPropertyName=$true)] [ValidateNotNull()] [guid] ${InstanceId}, [Parameter(ParameterSetName='Id', Position=0, ValueFromPipelineByPropertyName=$true)] [ValidateNotNull()] [int] ${Id}, [Parameter(ParameterSetName='Name', ValueFromPipelineByPropertyName=$true)] [string] ${Name}, [Parameter(ParameterSetName='Uri')] [Parameter(ParameterSetName='ComputerName')] [switch] ${EnableNetworkAccess}, [Parameter(ParameterSetName='ComputerName', ValueFromPipelineByPropertyName=$true)] [Parameter(ParameterSetName='Uri', ValueFromPipelineByPropertyName=$true)] [system.management.automation.pscredential] ${Credential}, [Parameter(ParameterSetName='ComputerName')] [ValidateRange(1, 65535)] [int] ${Port}, [Parameter(ParameterSetName='ComputerName')] [switch] ${UseSSL}, [Parameter(ParameterSetName='ComputerName', ValueFromPipelineByPropertyName=$true)] [Parameter(ParameterSetName='Uri', ValueFromPipelineByPropertyName=$true)] [string] ${ConfigurationName}, [Parameter(ParameterSetName='ComputerName', ValueFromPipelineByPropertyName=$true)] [string] ${ApplicationName}, [Parameter(ParameterSetName='Uri')] [switch] ${AllowRedirection}, [Parameter(ParameterSetName='Uri')] [Parameter(ParameterSetName='ComputerName')] [ValidateNotNull()] [System.Management.Automation.Remoting.PSSessionOption] ${SessionOption}, [Parameter(ParameterSetName='Uri')] [Parameter(ParameterSetName='ComputerName')] [System.Management.Automation.Runspaces.AuthenticationMechanism] ${Authentication}, [Parameter(ParameterSetName='Uri')] [Parameter(ParameterSetName='ComputerName')] [string] ${CertificateThumbprint}) begin { try { $outBuffer = $null if ($PSBoundParameters.TryGetValue('OutBuffer', [ref]$outBuffer)) { $PSBoundParameters['OutBuffer'] = 1 } $PSBoundParameters['ComputerName'] = ([System.Net.Dns]::GetHostByName($PSBoundParameters['ComputerName'])).HostName $wrappedCmd = $ExecutionContext.InvokeCommand.GetCommand('Microsoft.PowerShell.Core\Enter-PSSession', [System.Management.Automation.CommandTypes]::Cmdlet) $scriptCmd = {& $wrappedCmd @PSBoundParameters } $steppablePipeline = $scriptCmd.GetSteppablePipeline($myInvocation.CommandOrigin) $steppablePipeline.Begin($PSCmdlet) } catch { throw } } process { try { $steppablePipeline.Process($_) } catch { throw } } end { try { $steppablePipeline.End() } catch { throw } } <# .ForwardHelpTargetName Enter-PSSession .ForwardHelpCategory Cmdlet #> }
我唯一添加的是:
$PSBoundParameters['ComputerName'] = ([System.Net.Dns]::GetHostByName($PSBoundParameters['ComputerName'])).HostName
这只是在调用本地Enter-PSSession之前,将CNAMEparsing为代理函数中的FQDN。
这允许我通过组策略在我的TrustedHosts中设置* .mydomain.local,而且我仍然可以使用“Enter-PSSession ShortName”或“Enter-PSSession CNAME”,而不必混淆其他的SPN等。