Enter-PSSession fails on localhost

I am trying to run the following PowerShell command:

Enter-PSSession -ComputerName localhost

The server in question is running Windows Server 2008 R2 SP1 64-bit. The server is joined to a domain. I am logged on with a domain administrator account. The PowerShell session is started as Administrator.

I get the following error message from PowerShell itself:

PS C:\Users\Daniel> Enter-PSSession -Computername localhost
Enter-PSSession : Connecting to remote server localhost failed with the following error message : The client cannot
connect to the destination specified in the request. Verify that the service on the destination is running and is
accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most
commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to
analyze and configure the WinRM service: "winrm quickconfig". For more information, see the
about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ Enter-PSSession -Computername localhost
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (localhost:String) [Enter-PSSession], PSRemotingTransportException
    + FullyQualifiedErrorId : CreateRemoteRunspaceFailed

PS C:\Users\Daniel>

Using Event Viewer, I can find the following two errors under Applications and Services Logs > Microsoft > Windows > Windows Remote Management > Operational.

General:
    The client cannot connect to the destination specified in the request. Verify that the service on the destination is running and is accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: "winrm quickconfig".
Detail:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
        <System>
            <Provider Name="Microsoft-Windows-WinRM" Guid="{A7975C8F-AC13-49F1-87DA-5A984A4AB417}" /> 
            <EventID>161</EventID> 
            <Version>0</Version> 
            <Level>2</Level> 
            <Task>7</Task> 
            <Opcode>0</Opcode> 
            <Keywords>0x400000000000000a</Keywords> 
            <TimeCreated SystemTime="2016-08-17T23:10:40.766446000Z" /> 
            <EventRecordID>56814</EventRecordID> 
            <Correlation ActivityID="{0190DC40-F800-0000-3291-5DB0DAF8D101}" /> 
            <Execution ProcessID="7888" ThreadID="7912" /> 
            <Channel>Microsoft-Windows-WinRM/Operational</Channel> 
            <Computer>FNZAS2.flow.net.nz</Computer> 
            <Security UserID="S-1-5-21-2875926586-1071052228-4104636349-1151" /> 
        </System>
        <EventData>
            <Data Name="authFailureMessage">The client cannot connect to the destination specified in the request. Verify that the service on the destination is running and is accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: "winrm quickconfig".</Data> 
        </EventData>
    </Event>   

General:
    WSMan operation CreateShell failed, error code 2150858770
Detail:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
        <System>
            <Provider Name="Microsoft-Windows-WinRM" Guid="{A7975C8F-AC13-49F1-87DA-5A984A4AB417}" /> 
            <EventID>142</EventID> 
            <Version>0</Version> 
            <Level>2</Level> 
            <Task>10</Task> 
            <Opcode>2</Opcode> 
            <Keywords>0x4000000000000002</Keywords> 
            <TimeCreated SystemTime="2016-08-17T23:10:40.766446000Z" /> 
            <EventRecordID>56816</EventRecordID> 
            <Correlation ActivityID="{0190DC40-F800-0000-2F91-5DB0DAF8D101}" /> 
            <Execution ProcessID="7888" ThreadID="7912" /> 
            <Channel>Microsoft-Windows-WinRM/Operational</Channel> 
            <Computer>FNZAS2.flow.net.nz</Computer> 
            <Security UserID="S-1-5-21-2875926586-1071052228-4104636349-1151" /> 
        </System>
        <EventData>
            <Data Name="operationName">CreateShell</Data> 
            <Data Name="errorCode">2150858770</Data> 
        </EventData>
    </Event>

I have tried many things to verify everything. Below is some longer PowerShell output to show some of the work I have done so far.

PS C:\Users\Daniel> $PSVersionTable.PSVersion

Major  Minor  Build  Revision
-----  -----  -----  --------
4      0      -1     -1


PS C:\Users\Daniel> winrm quickconfig
WinRM service is already running on this machine.
WinRM is already set up for remote management on this computer.

PS C:\Users\Daniel> Enable-PSRemoting
WinRM Quick Configuration
Running command "Set-WSManQuickConfig" to enable remote management of this computer by using the Windows Remote
Management (WinRM) service.
 This includes:
    1. Starting or restarting (if already started) the WinRM service
    2. Setting the WinRM service startup type to Automatic
    3. Creating a listener to accept requests on any IP address
    4. Enabling Windows Firewall inbound rule exceptions for WS-Management traffic (for http only).

Do you want to continue?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): A
WinRM is already set up to receive requests on this computer.
WinRM is already set up for remote management on this computer.

Confirm
Are you sure you want to perform this action?
Performing the operation "Set-PSSessionConfiguration" on target "Name: microsoft.powershell SDDL:
O:NSG:BAD:P(A;;GA;;;BA)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD). This lets selected users remotely run Windows PowerShell
commands on this computer.".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): A

PS C:\Users\Daniel> Enable-PSRemoting -force
WinRM is already set up to receive requests on this computer.
WinRM is already set up for remote management on this computer.

PS C:\Users\Daniel> winrm get winrm/config
Config
    MaxEnvelopeSizekb = 500
    MaxTimeoutms = 60000
    MaxBatchItems = 32000
    MaxProviderRequests = 4294967295
    Client
        NetworkDelayms = 5000
        URLPrefix = wsman
        AllowUnencrypted = true [Source="GPO"]
        Auth
            Basic = true [Source="GPO"]
            Digest = true
            Kerberos = true
            Negotiate = true
            Certificate = true
            CredSSP = true [Source="GPO"]
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        TrustedHosts = *
    Service
        RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
        MaxConcurrentOperations = 4294967295
        MaxConcurrentOperationsPerUser = 1500
        EnumerationTimeoutms = 240000
        MaxConnections = 300
        MaxPacketRetrievalTimeSeconds = 120
        AllowUnencrypted = false
        Auth
            Basic = true [Source="GPO"]
            Kerberos = true
            Negotiate = true
            Certificate = false
            CredSSP = true [Source="GPO"]
            CbtHardeningLevel = Relaxed
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        IPv4Filter [Source="GPO"]
        IPv6Filter [Source="GPO"]
        EnableCompatibilityHttpListener = false
        EnableCompatibilityHttpsListener = false
        CertificateThumbprint
        AllowRemoteAccess = true [Source="GPO"]
    Winrs
        AllowRemoteShellAccess = true [Source="GPO"]
        IdleTimeout = 7200000
        MaxConcurrentUsers = 10
        MaxShellRunTime = 2147483647
        MaxProcessesPerShell = 25
        MaxMemoryPerShellMB = 1000
        MaxShellsPerUser = 30

PS C:\Users\Daniel> winrm e winrm/config/listener
Listener [Source="GPO"]
    Address = *
    Transport = HTTP
    Port = 5985
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = null

PS C:\Users\Daniel> get-service WinRM

Status   Name               DisplayName
------   ----               -----------
Running  WinRM              Windows Remote Management (WS-Manag...

PS C:\Users\Daniel> winrm get wmicimv2/Win32_Service?Name=WinRM
Win32_Service
    AcceptPause = false
    AcceptStop = true
    Caption = Windows Remote Management (WS-Management)
    CheckPoint = 0
    CreationClassName = Win32_Service
    Description = Windows Remote Management (WinRM) service implements the WS-Management protocol for remote management.
 WS-Management is a standard web services protocol used for remote software and hardware management. The WinRM service l
istens on the network for WS-Management requests and processes them. The WinRM Service needs to be configured with a lis
tener using winrm.cmd command line tool or through Group Policy in order for it to listen over the network. The WinRM se
rvice provides access to WMI data and enables event collection. Event collection and subscription to events require that
 the service is running. WinRM messages use HTTP and HTTPS as transports. The WinRM service does not depend on IIS but i
s preconfigured to share a port with IIS on the same machine.  The WinRM service reserves the /wsman URL prefix. To prev
ent conflicts with IIS, administrators should ensure that any websites hosted on IIS do not use the /wsman URL prefix.
    DesktopInteract = false
    DisplayName = Windows Remote Management (WS-Management)
    ErrorControl = Normal
    ExitCode = 0
    InstallDate = null
    Name = WinRM
    PathName = C:\Windows\System32\svchost.exe -k NetworkService
    ProcessId = 936
    ServiceSpecificExitCode = 0
    ServiceType = Share Process
    Started = true
    StartMode = Auto
    StartName = NT AUTHORITY\NetworkService
    State = Running
    Status = OK
    SystemCreationClassName = Win32_ComputerSystem
    SystemName = FNZAS2
    TagId = 0
    WaitHint = 0

PS C:\Users\Daniel> winrm id
IdentifyResponse
    ProtocolVersion = http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
    ProductVendor = Microsoft Corporation
    ProductVersion = OS: 6.1.7601 SP: 1.0 Stack: 3.0
    SecurityProfiles
        SecurityProfileName = http://schemas.dmtf.org/wbem/wsman/1/wsman/secprofile/http/basic, http://schemas.dmtf.org/
wbem/wsman/1/wsman/secprofile/http/spnego-kerberos

PS C:\Users\Daniel> Enter-PSSession -ComputerName localhost
Enter-PSSession : Connecting to remote server localhost failed with the following error message : The client cannot
connect to the destination specified in the request. Verify that the service on the destination is running and is
accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most
commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to
analyze and configure the WinRM service: "winrm quickconfig". For more information, see the
about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ Enter-PSSession -ComputerName localhost
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (localhost:String) [Enter-PSSession], PSRemotingTransportException
    + FullyQualifiedErrorId : CreateRemoteRunspaceFailed

PS C:\Users\Daniel>    

I have also tried restarting the WinRM service, as well as restarting the whole server. Still the same error.

It is easily overlooked, but to my (layman's) eye the second error message in Event Viewer seems significant:

WSMan 操作 CreateShell 失败,错误代码 2150858770

I found another question on Server Fault about this error code, but it has no answer.

I found a similar question here. I tried the MaxFieldLength and MaxRequestBytes settings suggested by Arthur_Li, but that did not fix my problem.

The error code looks like it might be decimal, so I tried converting it to hex and searching for the hex code, but found nothing that had not already come up for the decimal code.

I am now completely at a loss. I have set up PowerShell Remoting on other servers before without running into anything like this.

One piece of advice I received was: "Stop using 2008 R2. Upgrade to a newer version." We plan to do that sometime in the next six months anyway, but we probably cannot act on it until the end of September at the earliest.

I can work around this by logging on to the machine, uploading the deployment scripts and packages myself, and running them manually. But that defeats the purpose of an automated deployment process in the first place.

Any help would be greatly appreciated.


Update #1

Tried deleting and then restoring WinRM's default listener.

PS C:\Users\Daniel> winrm delete winrm/config/listener?address=*+transport=HTTP
WSManFault
    Message
        ProviderFault
            WSManFault
                Message = WS-Management does not allow changes to a listener created automatically by the group policy.
The policy "Allow Auto Configuration of listeners on WinRm service" would need to be set to "Not Configured" in order to
 create a new listener for same Address and Transport or to modify an already existing listener.

Error number:  -2144108406 0x8033808A
Cannot change GPO controlled setting.

I went into gpedit.msc. It turns out that "Allow automatic configuration of listeners on the WinRM service" has been renamed "Allow remote server management through WinRM". I set it to "Not Configured" and tried again.

PS C:\Users\Daniel> winrm delete winrm/config/listener?address=*+transport=HTTP
PS C:\Users\Daniel> winrm create winrm/config/Listener?Address=*+Transport=HTTP
ResourceCreated
    Address = http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
    ReferenceParameters
        ResourceURI = http://schemas.microsoft.com/wbem/wsman/1/config/listener
        SelectorSet
            Selector: Address = *, Transport = HTTP

PS C:\Users\Daniel> winrm e winrm/config/listener
Listener
    Address = *
    Transport = HTTP
    Port = 5985
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = 10.10.90.6, 127.0.0.1, ::1, fe80::100:7f:fffe%11, fe80::5efe:10.10.90.6%13

PS C:\Users\Daniel> Enter-PSSession -ComputerName localhost
Enter-PSSession : Connecting to remote server localhost failed with the following error message : WinRM cannot process
the request. The following error with errorcode 0x80090322 occurred while using Negotiate authentication: An unknown
security error occurred.
 Possible causes are:
  -The user name or password specified are invalid.
  -Kerberos is used when no authentication method and no user name are specified.
  -Kerberos accepts domain user names, but not local user names.
  -The Service Principal Name (SPN) for the remote computer name and port does not exist.
  -The client and remote computers are in different domains and there is no trust between the two domains.
 After checking for the above issues, try the following:
  -Check the Event Viewer for events related to authentication.
  -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or
use HTTPS transport.
 Note that computers in the TrustedHosts list might not be authenticated.
   -For more information about WinRM configuration, run the following command: winrm help config. For more
information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ Enter-PSSession -ComputerName localhost
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (localhost:String) [Enter-PSSession], PSRemotingTransportException
    + FullyQualifiedErrorId : CreateRemoteRunspaceFailed

PS C:\Users\Daniel>

On that subject, here is the current configuration of my WinRM GPO.

Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Client

  • Allow Basic authentication: Enabled
  • Allow CredSSP authentication: Enabled
  • Allow unencrypted traffic: Enabled
  • Disallow Digest authentication: Not Configured
  • Disallow Kerberos authentication: Not Configured
  • Disallow Negotiate authentication: Not Configured
  • Trusted Hosts: Not Configured

Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Service

  • Allow remote server management through WinRM: Not Configured (Note: in the examples before this update, this was set to "Enabled")
  • Allow Basic authentication: Enabled
  • Allow CredSSP authentication: Enabled
  • Allow unencrypted traffic: Enabled
  • Specify channel binding token hardening level: Not Configured
  • Disallow WinRM from storing RunAs credentials: Not Configured
  • Disallow Kerberos authentication: Not Configured
  • Disallow Negotiate authentication: Not Configured
  • Turn On Compatibility HTTP Listener: Not Configured
  • Turn On Compatibility HTTPS Listener: Not Configured

The error message has changed. When I jump over to Event Viewer, I now get the following two errors. Note that both have changed: the first a lot, the second not much.

General:
    Omitted for brevity. Same as per the "authFailureMessage" in the details below.
Detail:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
        <System>
            <Provider Name="Microsoft-Windows-WinRM" Guid="{A7975C8F-AC13-49F1-87DA-5A984A4AB417}" /> 
            <EventID>161</EventID> 
            <Version>0</Version> 
            <Level>2</Level> 
            <Task>7</Task> 
            <Opcode>0</Opcode> 
            <Keywords>0x400000000000000a</Keywords> 
            <TimeCreated SystemTime="2016-08-18T00:37:41.784323600Z" /> 
            <EventRecordID>61452</EventRecordID> 
            <Correlation ActivityID="{0190DC40-F800-0000-79D1-5DB0DAF8D101}" /> 
            <Execution ProcessID="7888" ThreadID="8116" /> 
            <Channel>Microsoft-Windows-WinRM/Operational</Channel> 
            <Computer>FNZAS2.flow.net.nz</Computer> 
            <Security UserID="S-1-5-21-2875926586-1071052228-4104636349-1151" /> 
        </System>
        <EventData>
            <Data Name="authFailureMessage">WinRM cannot process the request. The following error with errorcode 0x80090322 occurred while using Negotiate authentication: An unknown security error occurred. Possible causes are: -The user name or password specified are invalid. -Kerberos is used when no authentication method and no user name are specified. -Kerberos accepts domain user names, but not local user names. -The Service Principal Name (SPN) for the remote computer name and port does not exist. -The client and remote computers are in different domains and there is no trust between the two domains. After checking for the above issues, try the following: -Check the Event Viewer for events related to authentication. -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport. Note that computers in the TrustedHosts list might not be authenticated. -For more information about WinRM configuration, run the following command: winrm help config.</Data> 
        </EventData>
    </Event>

General:
    WSMan operation CreateShell failed, error code 2150858909
Details:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
        <System>
            <Provider Name="Microsoft-Windows-WinRM" Guid="{A7975C8F-AC13-49F1-87DA-5A984A4AB417}" /> 
            <EventID>142</EventID> 
            <Version>0</Version> 
            <Level>2</Level> 
            <Task>10</Task> 
            <Opcode>2</Opcode> 
            <Keywords>0x4000000000000002</Keywords> 
            <TimeCreated SystemTime="2016-08-18T00:37:41.784323600Z" /> 
            <EventRecordID>61454</EventRecordID> 
            <Correlation ActivityID="{0190DC40-F800-0000-7CD1-5DB0DAF8D101}" /> 
            <Execution ProcessID="7888" ThreadID="8116" /> 
            <Channel>Microsoft-Windows-WinRM/Operational</Channel> 
            <Computer>FNZAS2.flow.net.nz</Computer> 
            <Security UserID="S-1-5-21-2875926586-1071052228-4104636349-1151" /> 
        </System>
        <EventData>
            <Data Name="operationName">CreateShell</Data> 
            <Data Name="errorCode">2150858909</Data> 
        </EventData>
    </Event>

Update #2

Tried clearing the WinRM settings and then restoring the defaults.

PowerShell output is at: pastebin.com/E5wgXE1q

The underlying Windows event log entries are the same as those generated in Update #1.


Update #3

Using Mer's winrm/config output as a guide, I went through the Local Computer Group Policy Objects and reset everything to "Not Configured", which gave me winrm/config output matching Mer's.

But I still could not get through. To be safe, I tried the same clear/reset steps from Update #2, but that still did not work.

PowerShell output at pastebin.com/EuzyDR6d

The output in the event log is the same as in Update #2.

Will try restarting the server to see if it makes a difference.


Update #4

Restarting the server did not fix it. Still getting the same error messages as in Update #2.


Update #5

OK. This is crazy.

All of the above happened on a server we call AS2.

I just jumped over to the AS1 server and set up remote PowerShell, just to make sure I am not going mad.

  • AS1: Enter-PSSession localhost > success
  • AS1: Enter-PSSession AS2 > success
  • AS2: Enter-PSSession localhost > FAIL
  • AS2: Enter-PSSession AS1 > success

Previously I had trouble entering any server from AS2, but I have since fixed that. Now it is only localhost on AS2 that is the problem.

This feels completely insane. Why can AS2 not remote into itself, when it is obviously happy to accept incoming connections and can make outgoing connections fine?


Update #6

OK, new information: CredSSP authentication works. This seems to be related to Negotiate authentication being broken on this server.

I may be able to build on this to get what I am trying to do working. But it still does not explain why Negotiate appears to be broken on this server.

Answer 1

You can delete the existing listener with:

winrm delete winrm/config/listener?address=*+transport=HTTP

and add a new one:

winrm create winrm/config/Listener?Address=*+Transport=HTTP

Then check again:

winrm e winrm/config/listener

ListeningOn should list your IP addresses rather than being empty.
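As an added example (not code from the question or the answer), a small PowerShell triage helper for the two things this thread turns on: extracting and hex-converting the errorCode from WinRM Operational event 142, and the answer's check that a listener actually has ListeningOn addresses. The function names are made up; Get-WinEvent, Select-Xml and the WSMan: drive are standard PowerShell 3.0+, and the embedded sample event is a trimmed copy of the one quoted in the question.

```powershell
# Added example, not from the question or the answer. Function names are invented.

# Event 142 records errorCode as a decimal; documentation and search results use
# the HRESULT form, so convert before searching.
function ConvertTo-HResult {
    param([Parameter(Mandatory)][uint32]$DecimalCode)
    '0x{0:X8}' -f $DecimalCode
}

# Parse one WinRM Operational event (the XML shown under Event Viewer > Details).
function Get-WinRMShellFailure {
    param([Parameter(Mandatory)][xml]$EventXml)
    $ns = @{ e = 'http://schemas.microsoft.com/win/2004/08/events/event' }
    $data = @{}
    foreach ($d in Select-Xml -Xml $EventXml -Namespace $ns -XPath '//e:EventData/e:Data') {
        $data[$d.Node.GetAttribute('Name')] = $d.Node.InnerText
    }
    $code = [uint32]$data['errorCode']
    [pscustomobject]@{
        EventID   = [int](Select-Xml -Xml $EventXml -Namespace $ns -XPath '//e:System/e:EventID').Node.InnerText
        Operation = $data['operationName']
        ErrorCode = $code
        HResult   = ConvertTo-HResult $code
    }
}

# Same parser over the live log (needs an elevated session, as in the question).
function Get-RecentWinRMShellFailure {
    param([int]$MaxEvents = 5)
    Get-WinEvent -LogName 'Microsoft-Windows-WinRM/Operational' `
                 -FilterXPath '*[System[EventID=142]]' -MaxEvents $MaxEvents |
        ForEach-Object { Get-WinRMShellFailure ([xml]$_.ToXml()) }
}

# The answer's check via the WSMan: drive instead of winrm.cmd: a listener with
# no ListeningOn_* entries (the "ListeningOn = null" in the question) is unbound.
function Test-WinRMListenerBound {
    foreach ($l in Get-ChildItem WSMan:\localhost\Listener) {
        $props = Get-ChildItem $l.PSPath
        $bound = @($props | Where-Object { $_.Name -like 'ListeningOn_*' -and $_.Value })
        [pscustomobject]@{
            Listener    = $l.Name
            Transport   = ($props | Where-Object { $_.Name -eq 'Transport' }).Value
            ListeningOn = ($bound | ForEach-Object { $_.Value }) -join ', '
            Bound       = $bound.Count -gt 0
        }
    }
}

# Constructed sample input: the CreateShell failure quoted in the question, trimmed.
$sampleEvent = [xml]@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-WinRM" /><EventID>142</EventID></System>
  <EventData>
    <Data Name="operationName">CreateShell</Data>
    <Data Name="errorCode">2150858770</Data>
  </EventData>
</Event>
'@
Get-WinRMShellFailure $sampleEvent
```

For the two codes in the question, ConvertTo-HResult gives 0x80338012 for 2150858770 and 0x8033809D for 2150858909; Test-WinRMListenerBound reports Bound = False for a listener in the "ListeningOn = null" state shown before the GPO change.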
