Connecting to Exchange Online using PowerShell (WinRM)



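After using Microsoft Azure MDM Baselines, I was blocked from using the PowerShell for Exchange Online module.
I removed it once before, and after a few reboots and some quickconfigs everything went fine. But this time I still cannot get New-ExoPSSession to work, and I have no other ideas for solving this.
So I do this: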

Connect-ExchangeOnline -UserPrincipalName [email protected]

and get:

New-ExoPSSession : Connecting to remote server outlook.office365.com failed with the 
following error message : The client cannot connect to the destination specified in the 
request. Verify that the service on the destination is running and is accepting requests. 
Consult the logs and documentation for the WS-Management service running on the 
destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the 
following command on the destination to analyze and configure the WinRM service: "winrm 
quickconfig". For more information, see the about_Remote_Troubleshooting Help topic.
At C:\Program Files\WindowsPowerShell\Modules\ExchangeOnlineManagement\0.3582.0\ExchangeOnl
ineManagement.psm1:401 char:30

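I have removed my user and computer from all Azure profiles, and I am able to use this command on other computers. So I started changing the local GPO to make sure everything is in place: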

PS C:\WINDOWS\system32> winrm get winrm/config


returns:

Config
    MaxEnvelopeSizekb = 500
    MaxTimeoutms = 60000
    MaxBatchItems = 32000
    MaxProviderRequests = 4294967295
    Client
        NetworkDelayms = 30000
        URLPrefix = wsman
        AllowUnencrypted = true [Source="GPO"]
        Auth
            Basic = true [Source="GPO"]
            Digest = true [Source="GPO"]
            Kerberos = true
            Negotiate = true
            Certificate = true
            CredSSP = true [Source="GPO"]
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        TrustedHosts = * [Source="GPO"]
    Service
        RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
        MaxConcurrentOperations = 4294967295
        MaxConcurrentOperationsPerUser = 1500
        EnumerationTimeoutms = 240000
        MaxConnections = 300
        MaxPacketRetrievalTimeSeconds = 120
        AllowUnencrypted = true [Source="GPO"]
        Auth
            Basic = true [Source="GPO"]
            Kerberos = true
            Negotiate = true
            Certificate = false
            CredSSP = true [Source="GPO"]
            CbtHardeningLevel = Relaxed
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        IPv4Filter = * [Source="GPO"]
        IPv6Filter = * [Source="GPO"]
        EnableCompatibilityHttpListener = true [Source="GPO"]
        EnableCompatibilityHttpsListener = true [Source="GPO"]
        CertificateThumbprint
        AllowRemoteAccess = true [Source="GPO"]
    Winrs
        AllowRemoteShellAccess = true
        IdleTimeout = 7200000
        MaxConcurrentUsers = 2147483647
        MaxShellRunTime = 2147483647
        MaxProcessesPerShell = 2147483647
        MaxMemoryPerShellMB = 2147483647
        MaxShellsPerUser = 2147483647


PS C:\WINDOWS\system32> winrm enumerate winrm/config/listener


returns:

Listener [Source="GPO"]
    Address = *
    Transport = HTTP
    Port = 5985
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = 10.10.16.63, 127.0.0.1, 169.254.1.145, 169.254.5.162, 169.254.175.225, 169.254.235.174,<a lot of IPv6>

Listener [Source="Compatibility"]
    Address = *
    Transport = HTTP
    Port = 80
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = 10.10.16.63, 127.0.0.1, 169.254.1.145, 169.254.5.162, 169.254.175.225, 169.254.235.174, <a lot of IPv6>

Listener [Source="Compatibility"]
    Address = *
    Transport = HTTPS
    Port = 443
    Hostname = ooo-VASCO
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = 10.10.16.63, 127.0.0.1, 169.254.1.145, 169.254.5.162, 169.254.175.225, 169.254.235.174, ::1, <a lot of IPv6>


PS C:\WINDOWS\system32> Get-Item WSMan:\localhost\Client\TrustedHosts


shows:

WSManConfig: Microsoft.WSMan.Management\WSMan::localhost\Client

Type            Name                           SourceOfValue   Value
----            ----                           -------------   -----
System.String   TrustedHosts                   GPO             *


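Event Viewer holds the following:

Event ID 11: WSMan API call :: Creating WSMan shell with the ResourceUri: http://schemas.microsoft.com/powershell/Microsoft.Exchange and ShellId: bla-bla-bla

Event ID 254: :: Activity Transfer

Event ID 161: User authentication :: The client cannot connect to the destination specified in the request. Verify that the service on the destination is running and is accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: "winrm quickconfig".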


I even did

C:\WINDOWS\system32>winrm invoke Restore winrm/Config 
Restore_OUTPUT



(Edit)
Yes, I did run winrm quickconfig several times during troubleshooting, but the result is :(
WinRM service is already running on this machine.
WinRM is already set up for remote management on this computer.

(Another edit)
Using another profile on the same machine, the connection fails.
Using the same user on a new machine, the connection succeeds.


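(Edit after testing on another computer)
I was able to apply the same restrictive MDM policy on another device and revert it.
The other device connects using basic authentication, but the problematic device still will not authenticate even with it set to true, as the current configuration shows: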

PS C:\Windows\System32> winrm get winrm/config
Config
    MaxEnvelopeSizekb = 500
    MaxTimeoutms = 60000
    MaxBatchItems = 32000
    MaxProviderRequests = 4294967295
    Client
        NetworkDelayms = 5000
        URLPrefix = wsman
        AllowUnencrypted = false [Source="GPO"]
        Auth
            Basic = true [Source="GPO"]
            Digest = false [Source="GPO"]
            Kerberos = true
            Negotiate = true
            Certificate = true
            CredSSP = false
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        TrustedHosts
    Service
        RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
        MaxConcurrentOperations = 4294967295
        MaxConcurrentOperationsPerUser = 1500
        EnumerationTimeoutms = 240000
        MaxConnections = 300
        MaxPacketRetrievalTimeSeconds = 120
        AllowUnencrypted = false [Source="GPO"]
        Auth
            Basic = true [Source="GPO"]
            Kerberos = true
            Negotiate = true
            Certificate = false
            CredSSP = false
            CbtHardeningLevel = Relaxed
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        IPv4Filter = *
        IPv6Filter = *
        EnableCompatibilityHttpListener = false
        EnableCompatibilityHttpsListener = false
        CertificateThumbprint
        AllowRemoteAccess = true
    Winrs
        AllowRemoteShellAccess = true
        IdleTimeout = 7200000
        MaxConcurrentUsers = 2147483647
        MaxShellRunTime = 2147483647
        MaxProcessesPerShell = 2147483647
        MaxMemoryPerShellMB = 2147483647
        MaxShellsPerUser = 2147483647


Can someone shed some light on this?

Edit: I just moved to PS7, and the error changed slightly:

New-ExoPSSession: C:\Program Files\WindowsPowerShell\Modules\ExchangeOnlineManagement\0.3582.0\ExchangeOnlineManagement.psm1:401
Line |
 401 |  … PSSession = New-ExoPSSession -ExchangeEnvironmentName $ExchangeEnviro …
     |                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | Could not load type 'System.Security.Cryptography.SHA256Cng' from assembly 'System.Core,
     | Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'..

Answer 1

This may be because the WinRM service is not running. Run the following cmdlet at a cmd prompt to start the WinRM service.

Winrm quickconfig

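Then try connecting to Exchange Online.

Answer 2

First, in order to enable basic authentication in WinRM, the WinRM service must be running. To start the WinRM service, launch a command prompt as administrator and run the following command

Winrm quickconfig

Have you configured MFA? If so, you can disable it for testing. Please confirm whether you are able to connect to Exchange Online PowerShell using the following regular cmdlets: https://technet.microsoft.com/en-us/library/jj984289(v=exchg.160).aspx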

Reference: https://social.technet.microsoft.com/Forums/en-US/5d006906-c4f6-4929-9cb1-93339eef7cf0/exchange-online-error-identifier-is-not-in-a-valid-session-state-on-the-remote-computer?forum=onlineservicesexchange

Answer 3

Try this PowerShell script

# Set the maximum envelope size, maximum timeout, and maximum batch items for WinRM.
Set-Item WSMan:\localhost\MaxEnvelopeSizeKb 500
Set-Item WSMan:\localhost\MaxTimeoutMS 60000
Set-Item WSMan:\localhost\MaxBatchItems 32000

# Allow unencrypted traffic and basic authentication for WinRM.
Set-Item WSMan:\localhost\Client\AllowUnencrypted $true
Set-Item WSMan:\localhost\Client\Auth\Basic $true

# Set the default ports for WinRM.
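# DefaultPorts is a container; each port is set through its own child item.
Set-Item WSMan:\localhost\Client\DefaultPorts\HTTP 5985
Set-Item WSMan:\localhost\Client\DefaultPorts\HTTPS 5986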

# Enable remote shell access and set the maximum shell run time.
# In the WSMan: drive the Winrs settings live under the Shell container.
Set-Item WSMan:\localhost\Shell\AllowRemoteShellAccess $true
Set-Item WSMan:\localhost\Shell\MaxShellRunTime 2147483647

# Restart the WinRM service to apply the changes.
Restart-Service WinRM

# Test the WinRM connectivity.
Test-WSMan

# Test network connectivity to Exchange Online.
Test-NetConnection outlook.office365.com -Port 443

# If you encounter issues, check your firewall, proxy settings, and DNS resolution.
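
The check below is an added example, not code from the thread: it parses `winrm get winrm/config` text like the dumps in the question and reports, for the client settings that matter to an HTTPS remoting session, the current value, whether it comes from GPO, and whether it matches an assumed baseline. The function name `Get-WinRMClientReview`, the rule table and the sample lines (constructed from the question's first dump) are assumptions.

```powershell
# Added example, not code from the thread. Function name and rule table are
# assumptions; the sample lines are constructed from the question's first dump.
function Get-WinRMClientReview {
    param([Parameter(Mandatory)][AllowEmptyString()][string[]]$ConfigLines)

    $rx = [regex]'^(?<ind>\s*)(?<name>[^=\s]+)\s*(?:=\s*(?<val>.*?))?\s*(?:\[Source="(?<src>[^"]+)"\])?\s*$'
    $path  = New-Object System.Collections.Generic.List[string]
    $found = @{}
    foreach ($line in $ConfigLines) {
        $m = $rx.Match($line)
        if (-not $m.Success) { continue }          # prompt lines, blank lines
        # winrm indents four spaces per nesting level
        $depth = [int][math]::Floor($m.Groups['ind'].Length / 4)
        while ($path.Count -gt $depth) { $path.RemoveAt($path.Count - 1) }
        $path.Add($m.Groups['name'].Value)
        if ($m.Groups['val'].Success) {
            $src = if ($m.Groups['src'].Success) { $m.Groups['src'].Value } else { 'local' }
            $found[($path -join '/')] = [pscustomobject]@{ Value = $m.Groups['val'].Value; Source = $src }
        }
    }

    # Assumed baseline for a client that only opens HTTPS remoting sessions
    $rules = [ordered]@{
        'Config/Client/Auth/Basic'       = @{ Want = 'true';  Why = 'needed on the client by the legacy remote PowerShell session' }
        'Config/Client/AllowUnencrypted' = @{ Want = 'false'; Why = 'the session runs over HTTPS, cleartext WS-Man is not needed' }
        'Config/Client/Auth/CredSSP'     = @{ Want = 'false'; Why = 'credential delegation is not used by this connection' }
        'Config/Client/TrustedHosts'     = @{ Want = '';      Why = 'a wildcard turns off the trusted-host check for every destination' }
    }
    foreach ($key in $rules.Keys) {
        $cur = $found[$key]                        # $null when the key has no value
        $val = if ($cur) { $cur.Value } else { '' }
        $src = if ($cur) { $cur.Source } else { 'local' }
        [pscustomobject]@{ Setting = $key; Value = $val; Source = $src
                           Ok = ($val -eq $rules[$key].Want); Why = $rules[$key].Why }
    }
}

$sample = @'
Config
    Client
        AllowUnencrypted = true [Source="GPO"]
        Auth
            Basic = true [Source="GPO"]
            CredSSP = true [Source="GPO"]
        TrustedHosts = * [Source="GPO"]
'@ -split "`r?`n"
Get-WinRMClientReview -ConfigLines $sample | Format-Table -AutoSize -Wrap
```

On a live machine, pass the command output directly: `Get-WinRMClientReview -ConfigLines (winrm get winrm/config)`. Rows whose Source is GPO are controlled by policy, so they have to be changed in the policy that sets them rather than with `Set-Item`.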
