
I'm trying to remote PowerShell from my domain-joined PC to a server in our DMZ, but I cannot figure out how to get it working.

The DMZ server has a listener configured for HTTP on the default port 5985 that is enabled. The two NICs in the machine are both labeled for Public networks, so I changed the Windows Remote Management (HTTP-In) firewall rule for the Public profile to accept connections from my IP as well as the Local subnet that was already configured.

On my client machine (Windows 10) I added the server's hostname to the WSMan:\localhost\Client\TrustedHosts and I added the LocalAccountTokenFilterPolicy (Value: 1, Type: DWORD) to the registry.

I create a credential object with my local credentials for the server (servername\username) and then I try `$Sess = New-PSSession -ComputerName DMZCOMPUTER -Port 5985 -Credential $Cred`, but the connection always tries to use Kerberos to connect to the machine, which is obviously not going to work.

If I try `$Sess = New-PSSession -ComputerName DMZCOMPUTER -Port 5985 -Credential $Cred -Authentication Basic` I get an error that unencrypted traffic is currently disabled. Other authentication schemes produce different error messages, but I've never been able to remote.

Am I missing a configuration somewhere? What are the settings needed (server & client) to use remote PowerShell to connect to a workgroup server from a domain-joined client?

Martin
  • You should take a look at this article: https://blogs.msdn.microsoft.com/wmi/2009/07/24/powershell-remoting-between-two-workgroup-machines/ and this book: https://devopscollective.gitbooks.io/secrets-of-powershell-remoting/content/index.html – 4c74356b41 Oct 25 '16 at 20:01
  • @4c74356b41 - I'd actually looked at that link already and it got me farther than others, but I've sorted this out and the link actually has incorrect info now that I've figured it out – Martin Oct 26 '16 at 15:26

2 Answers


I eventually figured this out; there were a couple of issues with what I was doing. First, the link at https://blogs.msdn.microsoft.com/wmi/2009/07/24/powershell-remoting-between-two-workgroup-machines/ has some incorrect information. It states that the LocalAccountTokenFilterPolicy registry entry should be on the client machine. This is incorrect: it should be on the server machine.

The other fix was just me being a bonehead, using the FQDN of the server in the TrustedHosts value and then using just the hostname when trying to create the session.

If anyone else is trying to get this working the steps to follow are:

  1. Run Enable-PSRemoting on the server machine
    • This will start the WinRM service and set its startup to automatic
    • It will create an HTTP listener
      • You can verify this by running winrm enumerate winrm/config/listener
    • It will enable the Windows Remote Management firewall rules
    • It will create and configure the LocalAccountTokenFilterPolicy registry key
    • It will reset the permissions on the four session hosts
      • You can verify this by running Get-PSSessionConfiguration
  2. Start the WinRM service on the client machine
  3. Run `Set-Item WSMan:\localhost\Client\TrustedHosts -Value <hostname or FQDN of server>`
    • You can add `-Concatenate` to the end of Set-Item if you're trying to add a server to the list
  4. Run `$Cred = Get-Credential`. I just entered a username and password (not servername\username), as suggested by kevmar
  5. Run a command such as `$S = New-PSSession -ComputerName <same name exactly that you put in the TrustedHosts> -Credential $Cred`
  6. If everything is working properly the command should just return
  7. If you get an error that mentions Kerberos check that you're using the same name in your ComputerName parameter and the TrustedHosts
  8. If you get an access denied error check that the LocalAccountTokenFilterPolicy is configured on the server
Martin
  • Wow, I could never get this working without domains and the public network profile without this post. I was always setting TrustedHosts on the SERVER. You still have to add the client IP to the server firewall like this in public networks: "Set-NetFirewallRule -Name WINRM-HTTP-In-TCP -RemoteAddress " (Name is not the name you see in the firewall control panel, but the registry entry.) Nice that Copy-Item works with PSSessions. – js2010 Apr 26 '17 at 14:19
  • Also "enable-psremoting -force -skipnetworkprofilecheck" for public networks. – js2010 Apr 26 '17 at 14:39
  • In Win7, you can install PowerShell 4 (WMF 4), then run "enable-psremoting -force -skipnetworkprofilecheck", even as SYSTEM user with UAC enabled, and a public network profile. There's still no PowerShell firewall commands though. https://www.microsoft.com/en-us/download/details.aspx?id=40855 (Windows6.1-KB2819745-x64-MultiPkg.msu) Microsoft advises not enabling it with PS 2.0 anyway. https://msdn.microsoft.com/en-us/powershell/reference/5.1/microsoft.powershell.core/enable-psremoting?f=255&MSPPError=-2147217396 – js2010 Apr 27 '17 at 19:34
  • I just learned you can do: $S = New-PSSession -ComputerName 's1','s2','s3','s4' – js2010 May 10 '17 at 19:54
  • LocalAccountTokenFilterPolicy is `Set-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LocalAccountTokenFilterPolicy -Value 1` based on [KB 951016](https://support.microsoft.com/en-us/help/951016/description-of-user-account-control-and-remote-restrictions-in-windows) – mlhDev Mar 17 '20 at 19:14
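
The eight steps of the accepted answer, collected into one script as an added example (this is not code from the original post or its comments). It assumes placeholder names: the DMZ server is `DMZCOMPUTER`, the management workstation's address is `192.0.2.10`, and the target account is a local administrator on the server; adjust all three. The server part runs on the DMZ host, the client part on the domain-joined workstation, both from an elevated prompt.

```powershell
#Requires -RunAsAdministrator
# Added example: server-side and client-side setup for PowerShell remoting to a
# workgroup host over the HTTP listener (port 5985). All names below are
# placeholders, not values from the original post.

function Enable-WorkgroupWinRMServer {
    # Run this on the DMZ server.
    param(
        # Addresses allowed to reach the Public-profile WinRM rule. 'LocalSubnet'
        # is what Enable-PSRemoting leaves; the second entry is the admin PC (placeholder).
        [string[]]$AllowedRemoteAddress = @('LocalSubnet', '192.0.2.10')
    )

    # Step 1: starts WinRM (Automatic), creates the HTTP listener, opens the
    # firewall rules and registers the session configurations. Both NICs are on
    # the Public profile, so -SkipNetworkProfileCheck is required or the cmdlet
    # refuses to open the firewall.
    Enable-PSRemoting -Force -SkipNetworkProfileCheck

    # LocalAccountTokenFilterPolicy lives on the SERVER. Enable-PSRemoting sets
    # it, but it is re-applied here so a later policy refresh that removed it is
    # caught (step 8 of the answer: missing value == Access Denied).
    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    Set-ItemProperty -Path $policyKey -Name LocalAccountTokenFilterPolicy -Value 1 -Type DWord

    # Scope the Public-profile rule to the management host instead of 'Any'.
    Get-NetFirewallRule -DisplayName 'Windows Remote Management (HTTP-In)' |
        Set-NetFirewallRule -RemoteAddress $AllowedRemoteAddress

    # Verification, as in the answer (same data as 'winrm enumerate winrm/config/listener').
    Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate |
        Select-Object Transport, Port, Address, Enabled
    Get-PSSessionConfiguration | Select-Object Name, Permission
}

function Connect-WorkgroupServer {
    # Run this on the domain-joined client.
    param(
        # Must be the exact string that goes into TrustedHosts (step 7).
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][pscredential]$Credential
    )

    # Step 2: the WSMan: drive needs the local WinRM service running.
    if ((Get-Service WinRM).Status -ne 'Running') { Start-Service WinRM }

    # Step 3: add the name to TrustedHosts only if it is not already there.
    # Short name vs FQDN matters: a mismatch sends the client down the Kerberos
    # path, which cannot work against a workgroup host.
    $trusted = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value -split ',' |
        ForEach-Object Trim | Where-Object { $_ }
    if ($trusted -notcontains $ComputerName) {
        Set-Item WSMan:\localhost\Client\TrustedHosts -Value $ComputerName -Concatenate -Force
    }

    # Step 5: Negotiate (NTLM here) encrypts the SOAP body itself, which is why
    # it passes where '-Authentication Basic' fails with the "unencrypted
    # traffic" error on a plain HTTP listener.
    New-PSSession -ComputerName $ComputerName -Credential $Credential -Authentication Negotiate
}

# Client usage. Step 4: enter just the user name (no servername\ prefix).
$cred = Get-Credential -Message 'Local administrator on the DMZ server'
$s = Connect-WorkgroupServer -ComputerName 'DMZCOMPUTER' -Credential $cred
Invoke-Command -Session $s -ScriptBlock { whoami; [System.Net.Dns]::GetHostName() }
Remove-PSSession $s
```

One caveat worth keeping in mind when adopting this: a TrustedHosts entry tells the client to skip server authentication for that name, and NTLM over HTTP gives the server no way to prove who it is. Keep the list to exact host names (never `*`), keep the firewall scope to the management host, and if the DMZ host ever gets a certificate, move to an HTTPS listener (`-UseSSL`) so TrustedHosts is no longer needed.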

First try creating a credential object with just your username and password. Skip trying to designate a domain or server name in the credential.

Then try connecting with the IP address instead of computer name. You will still need to add it into the trusted hosts values.

The last thing to use is Test-WSMan for troubleshooting your issue. The error message that provides should give you a strong hint as to what the issue is.

kevmar
    Thanks for the help. This pushed me in the right direction and the Test-WSMan was helpful in troubleshooting. – Martin Oct 26 '16 at 15:28
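
The three checks in this answer (plain user name, try the IP as well as the name, read the Test-WSMan error) as one diagnostic function, added here as an example that is not part of the original answer. It maps the error text back to the steps in the accepted answer; the host name `DMZCOMPUTER`, the address `192.0.2.20` and the regular expressions used to classify errors are assumptions for illustration, so extend the patterns if your WinRM build words its errors differently.

```powershell
# Added example: client-side troubleshooting for remoting to a workgroup host.
# Assumes the target listens on HTTP/5985; the name, IP and error patterns are
# placeholders, not values from the original answer.

function Test-WorkgroupRemoting {
    param(
        [Parameter(Mandatory)][string]$ComputerName,   # name or IP, exactly as used with New-PSSession
        [Parameter(Mandatory)][pscredential]$Credential, # built from a bare user name, no server\ prefix
        [int]$Port = 5985
    )
    $result = [ordered]@{ Target = $ComputerName }

    # 1. Can we even reach the listener? A failure here is firewall scope,
    #    a listener bound to the wrong NIC, or a Public-profile rule left closed.
    $tcp = Test-NetConnection -ComputerName $ComputerName -Port $Port -WarningAction SilentlyContinue
    $result.TcpReachable = $tcp.TcpTestSucceeded

    # 2. Is THIS string in TrustedHosts? Short name, FQDN and IP are three
    #    different entries; connecting by IP needs the IP listed.
    $trusted = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value -split ',' | ForEach-Object Trim
    $result.InTrustedHosts = ($trusted -contains $ComputerName) -or ($trusted -contains '*')

    # 3. Test-WSMan: an identify request with the same credentials and the
    #    Negotiate scheme that New-PSSession ends up using for a workgroup host.
    try {
        $id = Test-WSMan -ComputerName $ComputerName -Port $Port -Credential $Credential `
                         -Authentication Negotiate -ErrorAction Stop
        $result.WSManOK        = $true
        $result.ProductVersion = $id.ProductVersion
        $result.Hint           = 'Identify succeeded; New-PSSession with the same parameters should work'
    } catch {
        $result.WSManOK = $false
        $msg = $_.Exception.Message
        # Map the message to the fixes from the accepted answer (patterns are assumptions).
        $result.Hint = switch -Regex ($msg) {
            'Kerberos'         { 'Name used here is not in TrustedHosts, or differs from the TrustedHosts entry'; break }
            'Access is denied' { 'Set LocalAccountTokenFilterPolicy=1 on the SERVER; account must be a local admin there'; break }
            'unencrypted'      { 'Basic over HTTP is refused; use Negotiate or an HTTPS listener'; break }
            default            { $msg }
        }
    }
    [pscustomobject]$result
}

# Usage: run the same check by host name and by IP, as the answer suggests.
$cred = Get-Credential -Message 'Local account on the DMZ server (user name only)'
Test-WorkgroupRemoting -ComputerName 'DMZCOMPUTER' -Credential $cred
Test-WorkgroupRemoting -ComputerName '192.0.2.20' -Credential $cred
```

Running it for both the name and the IP side by side is the quickest way to see the mismatch the accepted answer describes: one row shows `InTrustedHosts` true and `WSManOK` true, the other shows the Kerberos hint, and the fix is to use the same string everywhere.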