Computer details


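I'm sitting with two virtual machines, one a server and the other a client. When I try to Enter-PSSession on both the server and the client, I get the following error: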

Connecting to remote server 10.10.106.2 failed with the following error 
message : The WinRM client cannot process the request. If the authentication 
scheme is different from Kerberos, or if the client computer is not joined 
to a domain, then HTTPS transport must be used or the destination machine 
must be added to the TrustedHosts configuration setting. Use winrm.cmd to 
configure TrustedHosts. Note that computers in the TrustedHosts list might 
not be authenticated. You can get more information about that by running the 
following command: winrm help config. For more information, see the 
about_Remote_Troubleshooting Help topic.

Computer details

Server

  • OS: Windows Server 2016
  • IP: 192.168.2.2
  • hostname.exe: Host
  • $env:Username: Administrator
  • $env:UserDomain: Jeppesen
  • whoami: jeppesen\administrator
  • Domain in control.exe system: Jeppesen.local
  • Full computer name in control.exe system: Host.Jeppesen.local
  • $PSVersionTable.PSVersion | FT -H: 5 1 14393 2248

Client

  • OS: Windows 10 Pro 1809
  • IP: 192.168.2.3
  • hostname.exe: DESKTOP-USJVHNQ
  • $env:Username: joha
  • $env:UserDomain: Jeppesen
  • whoami: jeppesen\joha
  • Domain in control.exe system: Jeppesen.local
  • Full computer name in control.exe system: DESKTOP-USJVHNQ.Jeppesen.local
  • $PSVersionTable.PSVersion | FT -H: 5 1 17763 1

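I have already checked the firewall. Added TrustedHosts on both sides. I even configured WinRM on the domain controller by following a guide.

Sorry this post is so long.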

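Answer 1

The error message gives you most of the information you need. This isn't just about the TrustedHosts list; it is saying that in order to use an IP address with the default authentication scheme, you must also use HTTPS (which is not configured by default) and provide explicit credentials. I can tell you are at least not using SSL, because you didn't use the -UseSSL switch.

Note that SSL/HTTPS is not configured by default - it is an extra step you have to take. You can't just add -UseSSL.

The default authentication mechanism is Kerberos, and it wants to see real host names as they appear in AD. Not IP addresses, and not DNS CNAME nicknames. Some people will enable Basic authentication, which is less picky - but you should also set up HTTPS, because otherwise you will be passing credentials in clear text. Enable-PSRemoting only sets up HTTP.

Adding names to the hosts file won't work. This isn't a problem of name resolution; it is a problem of how mutual authentication between the computers is carried out.

Additionally, if the two computers involved in this connection are not in the same AD domain, the default authentication mechanism won't work. Read "help about_remote_troubleshooting" for information on configuring non-domain and cross-domain authentication.

From the documentation at http://technet.microsoft.com/en-us/library/dd347642.aspx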

HOW TO USE AN IP ADDRESS IN A REMOTE COMMAND
-----------------------------------------------------
    ERROR:  The WinRM client cannot process the request. If the
    authentication scheme is different from Kerberos, or if the client
    computer is not joined to a domain, then HTTPS transport must be used
    or the destination machine must be added to the TrustedHosts
    configuration setting.

The ComputerName parameters of the New-PSSession, Enter-PSSession and
Invoke-Command cmdlets accept an IP address as a valid value. However,
because Kerberos authentication does not support IP addresses, NTLM
authentication is used by default whenever you specify an IP address. 

When using NTLM authentication, the following procedure is required
for remoting.

1. Configure the computer for HTTPS transport or add the IP addresses
   of the remote computers to the TrustedHosts list on the local
   computer.

   For instructions, see "How to Add a Computer to the TrustedHosts
   List" below.


2. Use the Credential parameter in all remote commands.

   This is required even when you are submitting the credentials
   of the current user.

So, use the host name or configure SSL/HTTPS.
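
The two fixes named in the answer, as an added example (not part of the original answer or of the Microsoft documentation): connect by the AD host name so Kerberos applies, or add an HTTPS listener and connect with -UseSSL and explicit credentials. The function names are hypothetical, and the HTTPS path assumes a certificate for Host.Jeppesen.local, issued by a CA the client trusts, is already in the server's machine store.

```powershell
# Added example; function names are hypothetical. Host name is the one from the question.
$ServerFqdn = 'Host.Jeppesen.local'

# Run on the SERVER in an elevated session. Enable-PSRemoting only creates the
# HTTP listener (TCP 5985); this adds the HTTPS listener (TCP 5986).
function Add-WinRMHttpsListener {
    param([string]$Fqdn = $ServerFqdn)

    # Assumption: a certificate for $Fqdn, issued by a CA the client trusts,
    # is already installed in the machine store together with its private key.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
                       $_.DnsNameList.Unicode -contains $Fqdn } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No usable certificate for $Fqdn in Cert:\LocalMachine\My" }

    New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
        -CertificateThumbPrint $cert.Thumbprint -Force | Out-Null
    New-NetFirewallRule -DisplayName 'WinRM HTTPS-In (5986)' -Direction Inbound `
        -Protocol TCP -LocalPort 5986 -Action Allow | Out-Null
    Get-ChildItem WSMan:\localhost\Listener   # list the listeners now configured
}

# Run on the CLIENT. Path 1: Kerberos over HTTP, addressed by the AD host name.
# A same-domain Kerberos logon needs no TrustedHosts entry and no -Credential.
function Enter-ServerByName {
    param([string]$Fqdn = $ServerFqdn)
    Test-WSMan -ComputerName $Fqdn -Authentication Kerberos -ErrorAction Stop | Out-Null
    Enter-PSSession -ComputerName $Fqdn
}

# Run on the CLIENT. Path 2: HTTPS with explicit credentials.
# The name passed to -ComputerName must match a name in the server certificate,
# so an IP address works here only if the certificate lists that IP.
function Enter-ServerByHttps {
    param([string]$Target = $ServerFqdn)
    $cred = Get-Credential -Message "Account for $Target"
    Test-WSMan -ComputerName $Target -UseSSL -Credential $cred `
        -Authentication Negotiate -ErrorAction Stop | Out-Null
    Enter-PSSession -ComputerName $Target -UseSSL -Credential $cred
}
```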
