我Windows 2012R2
在域中有一个服务器。此服务器没有域用户访问权限,只有本地管理员用户。我可以使用管理员帐户 RDC 进入此计算机,但不能有PSSession
,所以Enter-PSSession
或Invoke-Command
或New-PSSession
不起作用。我已将 Trustedhosts 值设置为“*”。仍然不起作用。
这个例子:
$cred = Get-Credential # username: Aministrator, password: secret123
Enter-PSSession -computername SVR1 -Credential $cred
我立即收到错误:
Enter-PSSession : Connecting to remote server SVR1 failed with the following error message : The user name or password is incorrect. For more information, see the about_Remote_Troubleshooting Help topic.
为什么我无法使用本地管理员帐户登录服务器?
编辑:
在下面的评论之后,我尝试使用 SVR1\ADMINISTRATOR 作为用户名,然后出现不同的错误消息:
Enter-PSSession : Connecting to remote server SVR1 failed with the following error message : WinRM cannot process the request. The following error with errorcode 0x80090311 occurred while using Kerberos authentication: We can't sign you in with this credential because your domain isn't available. Make sure your device is connected to your organization's network and try again. If you previously signed in on this device with another credential, you can sign in with that credential.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does not exist.
-The client and remote computers are in different domains and there is no trust between the two domains. After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport. Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
答案1
以下是指南:https://4sysops.com/archives/enable-powershell-remoting-on-a-standalone-workgroup-computer/
要点总结如下:
- 确保远程服务器上的网络类型不是“公共”。由于它不在域中,因此您可能需要确保它是“私有”。相反,您可以确保
-SkipNetworkProfileCheck
在启用 psremoting 时添加。 - 在客户端(您从其启动的地方),输入远程服务器的知识产权到受信任的主机。例如,
winrm set winrm/config/client @{TrustedHosts="10.0.2.33"}
在升高命令提示符(确保将该 IP 更改为您环境中的 IP)。
答案2
使用 Kerberos 身份验证时发生 0x80090311
当您连接到独立计算机时,您可能会收到此特定错误,因为 Kerberos 仅适用于域成员。
请检查两台计算机是否具有通用的身份验证方法。
在客户端计算机上:
Get-ChildItem -Path WSMan:\localhost\Client\Auth
在目标计算机上:
Get-ChildItem -Path WSMan:\localhost\Service\Auth
通常,您可能希望在连接到独立计算机时使用 CredSPP,尽管这不是最安全的方法。
如果目标是域成员,您可能在某处禁用了 Kerberos 配置中的某些内容(检查您的 GPO)