我正在尝试将 PowerShell 远程连接到 Exchange 服务器。这是连接到单独的 AD 域。(将域 A 连接到域 B)我可以从域 A 顺利连接到其他域上的服务器。我收到以下错误:
PS Y:\Personal\scripts> $session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://server1.domainB.tld/PowerShell/ -Authentication Kerberos -Credential $cred
New-PSSession : [server1.domainB.tld] Connecting to remote server server1.domainB.tld failed with the following error message : The user name or password is incorrect. For more
information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:12
+ $session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri ht ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotingTransportException
+ FullyQualifiedErrorId : LogonFailure,PSSessionOpenFailed
这并非特定于该服务器,我在同一个域中的另外两台服务器上也得到了相同的结果。
我的用户名是 UPN 格式,[email protected]如果我使用,domainB\me我会收到以下错误:
PS Y:\Personal\scripts> $session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://server1.domainB.tld/PowerShell/ -Authentication Kerberos -Credential $cred
New-PSSession : [server1.domainB.tld] Connecting to remote server server1.domainB.tld failed with the following error message : WinRM cannot process the request. The following
error with errorcode 0x80090311 occurred while using Kerberos authentication: There are currently no logon servers available to service the logon request.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does not exist.
-The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:12
+ $session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri ht ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotingTransportException
+ FullyQualifiedErrorId : AuthenticationFailed,PSSessionOpenFailed
我也尝试从其他域连接到域 B,并收到相同的结果。我假设某个地方需要设置权限,但我不确定是什么。
wsman:\localhost\client\trustedhosts设置为正确的值
我可以使用相同的凭据通过 RDP 访问,没有任何问题,所以我知道我的凭据是有效的。我也是域管理员。服务器是 Windows 2012 R2。
已启用 PSRemoting
[PS] D:\>Enable-PSRemoting -Force
WinRM is already set up to receive requests on this computer.
WinRM is already set up for remote management on this computer.
PSSession配置
Name : microsoft.powershell
PSVersion : 4.0
StartupScript :
RunAsUser :
Permission : BUILTIN\Administrators AccessAllowed, BUILTIN\Remote Management Users AccessAllowed
Name : microsoft.powershell.workflow
PSVersion : 4.0
StartupScript :
RunAsUser :
Permission : BUILTIN\Administrators AccessAllowed, BUILTIN\Remote Management Users AccessAllowed
Name : microsoft.powershell32
PSVersion : 4.0
StartupScript :
RunAsUser :
Permission : BUILTIN\Administrators AccessAllowed, BUILTIN\Remote Management Users AccessAllowed
Name : microsoft.windows.servermanagerworkflows
PSVersion : 3.0
StartupScript :
RunAsUser :
Permission : NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators AccessAllowed
此外,我尝试从 domainB 中的服务器远程连接到 server1.domainB,一切正常。因此,这与从域外进行连接有关。
删除-Authentication Kerberos或使用Negotiate也会导致错误
wsman trusthosts - 将客户端的 FQDN 添加到服务器。将服务器的 FQDN 和 IP 添加到客户端。无变化。
我需要修复什么才能在这里进行远程控制?
答案1
如果是权限问题,错误会显示类似“拒绝访问”的内容。
不知何故,服务器实际上并不认识您的用户(或者密码不正确)。
您说您正在尝试“从域 A 连接到域 B”。这听起来像是您的用户位于域 A,但您告诉服务器您的用户位于域 B。
尝试使用[email protected]或进行连接me\domainA。
答案2
您是否尝试过从 New-PSSession 中删除-Authentication Kerberos?我有用于管理受信任域交换服务器的类似脚本,但我没有指定身份验证类型。
$session = New-PSSession -ConnectionUri "https://mail.server.com/Powershell" -ConfigurationName Microsoft.Exchange -Credential $cred