
Using Active Directory cmdlets in a remote Powershell session

I need to be able to run Active Directory cmdlets in a remote session without having to pass explicit credentials every time.

Here is my setup:

ServerA: Where I'm starting from.

ServerB: Server I remote into using PS remoting/WinRM

ServerC: Domain controller I'm trying to communicate with.

Once I'm connected to ServerB, I try contacting AD:

Get-ADUser frank -Server ServerC

This fails with the following error:

Unable to contact the server. This may be because this server does not exist, it is currently down, or it does not have the Active Directory Web Services running.
    + CategoryInfo          : ResourceUnavailable: (frank:ADUser) [Get-ADUser], ADServerDownException
    + FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.GetADUser

However passing the credential explicitly:

Get-ADUser frank -Server ServerC -Credential $storedCredential

succeeds as you'd expect.

As I understand it, the failure of the first command is because ServerB is not allowed to pass the credential used to create the remote session along to ServerC. I did some research, and a solution I believe should work in this case is Resource-Based Constrained Kerberos Delegation.

I have added ServerB to the PrincipalsAllowedToDelegateToAccount property of the AD computer object for ServerC but I still get the exact same error message.

I can't tell at this point if I've messed up the RBCKD configuration or if I've misunderstood it somehow and it's not actually a way to achieve what I'm trying to do. I'm also not seeing anything useful in the logs for ServerB or ServerC to explain why the call to AD is being rejected.

My main question is: should this work? If yes, how do I determine why it's failing? If not, is there another solution I should be using instead?

• I would suggest you check whether the Group Policy setting below is enabled in your domain environment or not. If it is enabled, then please disable it, as this setting disables authentication protocol negotiation for the WinRM service.

'Group Policy Management -> Default Domain Policy -> Edit -> Computer Configuration -> Administrative Templates -> Windows Component -> Windows Remote Management -> WinRM Service -> Disallow Negotiate Authentication -> Disabled'

• Once the above has been done, update the Group Policy settings with the 'gpupdate /force' command on the primary domain controller as well as the member server. Then restart the Windows Remote Management (WS-MAN) service on both. Then, please try changing the IIS application pool to run under 'Local System', delete the existing SPNs as below, and again connect to Server B to check. If the issue remains, disable Kernel mode authentication in the IIS management console.

Also, I would suggest you execute the commands you want as a remote PowerShell script from the PowerShell command line, by running the command below:

Invoke-Command -ComputerName Server01, Server02 -FilePath c:\Scripts\ADUser.ps1

In the 'ADUser.ps1' script file, enter the command which you need to execute on the specified servers.

For more details, please refer to the link below:

https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/running-remote-commands?view=powershell-7.2
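A diagnostic script for the second-hop setup described in the question, added here as an example and not part of the original question or answer. It assumes the server names and the user 'frank' from the question, that it is run from ServerA as the domain user whose identity should flow through ServerB, and that you have local admin on ServerB (needed for `klist purge`); the function and variable names are my own.

```powershell
# Added example: check the RBCD configuration on ServerC, the delegating
# user's own restrictions, then purge ServerB's ticket cache and retry.
function Test-SecondHopDelegation {
    param(
        [string]$MiddleServer   = 'ServerB',  # server we remote into
        [string]$ResourceServer = 'ServerC',  # domain controller we query
        [string]$UserToQuery    = 'frank'
    )
    Import-Module ActiveDirectory

    # 1. Does ServerC's computer object actually list ServerB as allowed to delegate?
    $c = Get-ADComputer -Identity $ResourceServer -Properties PrincipalsAllowedToDelegateToAccount
    $allowedDns = @($c.PrincipalsAllowedToDelegateToAccount | ForEach-Object {
        if ($_.DistinguishedName) { $_.DistinguishedName } else { "$_" } })
    $middle = Get-ADComputer -Identity $MiddleServer
    if ($allowedDns -notcontains $middle.DistinguishedName) {
        Write-Warning "RBCD not set: $ResourceServer does not list $($middle.DistinguishedName)"
        Write-Warning "Currently allowed: $($allowedDns -join ', ')"
    } else {
        Write-Host "RBCD OK: $MiddleServer may delegate to $ResourceServer"
    }

    # 2. Delegation is refused for Protected Users members and for accounts
    #    flagged 'Account is sensitive and cannot be delegated', regardless of RBCD.
    $me = Get-ADUser -Identity $env:USERNAME -Properties AccountNotDelegated, MemberOf
    if ($me.AccountNotDelegated) { Write-Warning "$($me.SamAccountName) has AccountNotDelegated set" }
    if (@($me.MemberOf -match '^CN=Protected Users,')) { Write-Warning "$($me.SamAccountName) is in Protected Users" }

    # 3. ServerB caches KDC answers in the SYSTEM logon session (LUID 0x3e7);
    #    an RBCD change made after a failed attempt is not seen until purged.
    Invoke-Command -ComputerName $MiddleServer -ScriptBlock { klist purge -li 0x3e7 | Out-Null }

    # 4. Retry the second hop and report the identity the remote side runs as.
    Invoke-Command -ComputerName $MiddleServer -ScriptBlock {
        param($dc, $user)
        Import-Module ActiveDirectory
        $who = [Security.Principal.WindowsIdentity]::GetCurrent().Name
        try {
            $u = Get-ADUser -Identity $user -Server $dc
            "Second hop succeeded as ${who}: found $($u.DistinguishedName)"
        } catch {
            "Second hop still failing as ${who}: $($_.Exception.Message)"
        }
    } -ArgumentList $ResourceServer, $UserToQuery
}

Test-SecondHopDelegation
```

If step 1 and step 2 both pass and the retry in step 4 still fails after the purge, the next place to look is Kerberos event logging on ServerB (requests for a service ticket to ServerC made on the user's behalf), since the error message from the AD module only reports the generic ADWS failure.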
