I am troubleshooting a PRTG sensor that cannot collect Windows Update information from one of our servers. It uses WinRM and remote PowerShell commands to do this.
Server 1 - problem server
Server 2 - working server
When I try to test the connection with Enter-PSSession -ComputerName Server1 or winrs -r:Server1 dir, I keep getting the following error:
PS C:\WINDOWS\system32> winrs -r:Server1 dir
Winrs error:WinRM cannot process the request. The following error with errorcode 0x80090322 occurred while using Kerberos authentication: An unknown security error occurred.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does not exist.
-The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following command: winrm help config.
PS C:\WINDOWS\system32> Enter-PSSession -ComputerName Server1
Enter-PSSession : Connecting to remote server Server1 failed with the following error message : WinRM cannot process the request. The
following error with errorcode 0x80090322 occurred while using Kerberos authentication: An unknown security error occurred.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does not exist.
-The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following command: winrm help config. For more information, see the
about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ Enter-PSSession -ComputerName Server1
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (Server1:String) [Enter-PSSession], PSRemotingTransportException
+ FullyQualifiedErrorId : CreateRemoteRunspaceFailed
If I run the command against any of our other servers, the connection succeeds; this is the only one giving me trouble.
If I run Enter-PSSession with my user account via the -Credential switch, I get the same error, but if I run the command specifying the server's local administrator account, it connects. Other servers work fine.
PS C:\WINDOWS\system32> Enter-PSSession -ComputerName Server1 -Credential Server1\administrator
[Server1]: PS C:\Users\Administrator\Documents> exit
PS C:\WINDOWS\system32> Enter-PSSession -ComputerName Server1 -credential domain\myuser
Enter-PSSession : Connecting to remote server Server1 failed with the following error message : WinRM cannot process the request. The
following error with errorcode 0x80090322 occurred while using Negotiate authentication: An unknown security error occurred.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does not exist.
-The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following command: winrm help config. For more information, see the
about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ Enter-PSSession -ComputerName Server1 -credential alpenaw2k.local\kemp ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (Server1:String) [Enter-PSSession], PSRemotingTransportException
+ FullyQualifiedErrorId : CreateRemoteRunspaceFailed
PS C:\WINDOWS\system32> Enter-PSSession -ComputerName Server2
[Server2]: PS C:\Users\user\Documents> exit
PS C:\WINDOWS\system32>
If I run New-PSSession from the local server, I get the same error unless I specify the -EnableNetworkAccess switch; only then does it connect. This confuses me. Event Viewer gives me event ID 161 related to user authentication and error 142 for failed session creation.
If I run Test-WSMan from the local server and from the remote host, it shows that it is running.
Here are the WinRM configuration and listener configuration:
PS C:\Windows\system32> winrm get winrm/config
Config
    MaxEnvelopeSizekb = 500
    MaxTimeoutms = 60000
    MaxBatchItems = 32000
    MaxProviderRequests = 4294967295
    Client
        NetworkDelayms = 5000
        URLPrefix = wsman
        AllowUnencrypted = false
        Auth
            Basic = true
            Digest = true
            Kerberos = true
            Negotiate = true
            Certificate = true
            CredSSP = false
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        TrustedHosts = 10.10.10.142
    Service
        RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
        MaxConcurrentOperations = 4294967295
        MaxConcurrentOperationsPerUser = 1500
        EnumerationTimeoutms = 240000
        MaxConnections = 300
        MaxPacketRetrievalTimeSeconds = 120
        AllowUnencrypted = false
        Auth
            Basic = false
            Kerberos = true
            Negotiate = true
            Certificate = false
            CredSSP = false
            CbtHardeningLevel = Relaxed
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        IPv4Filter = *
        IPv6Filter = *
        EnableCompatibilityHttpListener = false
        EnableCompatibilityHttpsListener = false
        CertificateThumbprint
        AllowRemoteAccess = true
    Winrs
        AllowRemoteShellAccess = true
        IdleTimeout = 7200000
        MaxConcurrentUsers = 2147483647
        MaxShellRunTime = 2147483647
        MaxProcessesPerShell = 2147483647
        MaxMemoryPerShellMB = 2147483647
        MaxShellsPerUser = 2147483647
PS C:\Windows\system32> winrm enumerate winrm/config/listener
Listener
    Address = *
    Transport = HTTP
    Port = 5985
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = 10.10.10.87, 127.0.0.1, ::1, fe80::4579:db85:c9cb:ead0%6
Other things I have tried:
- I have no GPO set for WinRM.
- I have deleted and recreated the listener.
- I have reset the WinRM configuration several times.
- Windows Advanced Firewall is disabled for public, private and domain networks.
- I have checked the permissions with Set-PSSessionConfiguration -Name Microsoft.PowerShell -ShowSecurityDescriptorUI and they look fine.
- I used the IP address instead of the hostname and got the same result.
- I added my computer to the trusted hosts list, but it did not work. This should not be necessary anyway, since both computers are in the same domain.
- Ran Enable-PSRemoting -Force (although this should be unnecessary, since WinRM is enabled by default on Server 2012 and later).
- I added my user to the local Administrators and Remote Management Users groups on the server, with no success.
- I adjusted the registry with REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1, but it does not work regardless of the value.
- I rebooted and ran sfc /scannow as a last resort.
Specs of the server, the workstation and my user:
- My domain account is a Domain Admin.
- The server is Windows Server 2019 Standard.
- The workstation is Windows 10 Pro.
- Both use PowerShell version 5.
- Both computers are in the same domain.
- Both computers are fully updated.
I could poll this information with the local administrator account and work around my PRTG problem, but that does not fix the underlying issue.
On the remote server there are no error entries in the Windows Remote Management log, but on my computer there are these:
Error event ID - 142
WSMan operation Enumeration failed, error code 2150858909
Error event ID - 49
The WinRM protocol operation failed due to the following error: WinRM cannot process the request. The following error with errorcode 0x80090322 occurred while using Kerberos authentication: An unknown security error occurred.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does not exist.
-The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following command: winrm help config..
Error event ID - 161
WinRM cannot process the request. The following error with errorcode 0x80090322 occurred while using Kerberos authentication: An unknown security error occurred.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does not exist.
-The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following command: winrm help config.
I can RDP into the server without any problem, which is how I have been doing some local testing.
I tested these two commands:
gwmi win32_operatingsystem -ComputerName Server1
runs without issue, both when specifying the remote server and when run locally over RDP.
Get-CimInstance win32_operatingsystem -ComputerName Server1
I cannot run from my workstation, but if I RDP into the server and run it there, it works normally.
The output of SetSPN -X returns no duplicate SPNs.
The output returned by SetSPN -L:
Registered ServicePrincipalNames for CN=Server1,OU=Servers,OU=Organization,DC=Organization,DC=LOCAL:
TERMSRV/Server1.DOMAIN.LOCAL
WSMAN/Server1.DOMAIN.LOCAL
RestrictedKrbHost/Server1.DOMAIN.LOCAL
HOST/Server1.DOMAIN.LOCAL
TERMSRV/Server1
WSMAN/Server1
RestrictedKrbHost/Server1
HOST/Server1
Any suggestions are greatly appreciated.
Answer 1
I have figured it out.
It was an SPN problem. HTTP/Server1 and HTTP/Server1.domain were in use by a random user account named after the server.
After disabling the account and moving the SPNs to the computer object, WinRM now works normally.
This is what pointed me in the right direction.
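A diagnostic for the condition this answer describes (and that the question's SetSPN -L output could not reveal, since it lists only the computer object's own SPNs): for a given host, find every directory object holding the HTTP/, WSMAN/ and HOST/ SPNs and flag any held by something other than the computer object. This is an added example, not code from the original post; it assumes the ActiveDirectory RSAT module is installed, that the caller can read the domain, and uses Server1 as a placeholder.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory
# RSAT module is available and the caller can read the domain; 'Server1'
# is a placeholder for the server under investigation.
param([string]$ComputerName = 'Server1')

Import-Module ActiveDirectory

# The WinRM client asks the KDC for a ticket to HTTP/<host>. If no HTTP/ SPN
# exists, the KDC falls back to the computer object's HOST/ SPN and Kerberos
# works. If HTTP/<host> is registered on some *other* object (here: a user
# account named after the server), the ticket is encrypted with that
# account's key, the WinRM service cannot decrypt it, and the client sees
# 0x80090322 for this host only. 'setspn -L <host>' never shows this,
# because it lists only the SPNs on the object you name.
$fqdn  = [System.Net.Dns]::GetHostEntry($ComputerName).HostName
$names = @($ComputerName, $fqdn) | Select-Object -Unique
$spns  = foreach ($n in $names) { "HTTP/$n"; "WSMAN/$n"; "HOST/$n" }

$computer = Get-ADComputer -Identity $ComputerName

$findings = foreach ($spn in $spns) {
    # Equivalent of 'setspn -Q <spn>': every object in the domain holding it.
    $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")

    if ($holders.Count -eq 0) {
        $status = if ($spn -like 'HOST/*') { 'MISSING' } else { 'not registered (HOST/ fallback applies)' }
        [pscustomobject]@{ SPN = $spn; Holder = '-'; Class = '-'; Status = $status }
        continue
    }
    foreach ($h in $holders) {
        $status = if ($h.DistinguishedName -eq $computer.DistinguishedName) { 'ok (computer object)' }
                  elseif ($h.ObjectClass -eq 'user') { 'WRONG: held by a user account' }
                  else { 'WRONG: held by another object' }
        [pscustomobject]@{ SPN = $spn; Holder = $h.DistinguishedName; Class = $h.ObjectClass; Status = $status }
    }
    if ($holders.Count -gt 1) {
        # This is the condition 'setspn -X' reports; the answer's case had a
        # single (wrong) holder, so -X was clean and this check stays quiet.
        [pscustomobject]@{ SPN = $spn; Holder = '(multiple)'; Class = '-'; Status = 'DUPLICATE' }
    }
}

# Remediation for a WRONG row, as in the answer: remove the SPN from the
# foreign object (setspn -D) and register it on the computer object (setspn -S).
$findings | Format-Table -AutoSize
```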
Answer 2
I fixed this myself by resetting the SPN:
setspn -R <hostname>