
I need to access a remote device to run commands, but they need to be run as the local admin account. Whenever I use Get-Credential, I have to authenticate over the domain, which of course fails if I provide a .\LocalAdmin format.

Is there a way to use the remote device's local admin account?

#Example code
if (!$cred) {
    $cred = Get-Credential -Message "Enter Privileged Account"
} else {
    Write-Host "Running script as $($cred.UserName)"
}

$session = New-PSSession -ComputerName ExampleComputer -Credential $cred
Enter-PSSession $session

Invoke-Command -Session $session { "do stuff here" }

Exit-PSSession

Per Santiago's request, the following error message is what is shown when I provide the username in the .\LocalAdmin format:

New-PSSession : [ExampleComputer] Connecting to remote server ExampleComputer failed with the following error message : The user name or password is incorrect. For more information, see the about_Remote_Troubleshooting Help topic.

When I provide ExampleComputer\LocalAdmin as the format, I get the following error:

New-PSSession : [ExampleComputer] Connecting to remote server ExampleComputer failed with the following error message : WinRM cannot process the request. The following error with errorcode 0x80090311 occurred while using Kerberos authentication: We can't sign you in with this credential because your domain isn't available. Make sure your device is connected to your organization's network and try again. If you previously signed in on this device with another credential, you can sign in with that credential.

Possible causes are:

-The user name or password specified are invalid.

-Kerberos is used when no authentication method and no user name are specified.

-Kerberos accepts domain user names, but not local user names.

-The Service Principal Name (SPN) for the remote computer name and port does not exist.

-The client and remote computers are in different domains and there is no trust between the two domains.

After checking for the above issues, try the following:

-Check the Event Viewer for events related to authentication.

-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport. Note that computers in the TrustedHosts list might not be authenticated.

-For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.

David Metcalfe
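The second error above states that Kerberos does not accept local user names and suggests changing the authentication method, with either HTTPS transport or a TrustedHosts entry. The following is an added example of that approach, not code from the original post. It reuses the question's ExampleComputer and LocalAdmin names; `$useHttps` is a hypothetical switch, and the HTTPS path assumes the target already has a WinRM HTTPS listener with a certificate the client trusts.

```powershell
# Added example, not the poster's code. Run from an elevated prompt if the
# TrustedHosts branch is used (changing WSMan client settings requires it).
$target   = 'ExampleComputer'   # name from the question
$useHttps = $true               # hypothetical switch: $false = TrustedHosts path

# Computer-qualified name so the account is resolved on the target itself,
# not looked up in the domain.
$cred = Get-Credential -UserName "$target\LocalAdmin" -Message 'Enter local admin password'

$params = @{
    ComputerName   = $target
    Credential     = $cred
    Authentication = 'Negotiate'   # falls back to NTLM for a local account
}

if ($useHttps) {
    # HTTPS: the server certificate authenticates the target to the client.
    $params.UseSSL = $true
} else {
    # TrustedHosts: the target is NOT authenticated (see the error text above),
    # so add only this one host and never '*'. -Concatenate keeps existing entries.
    $path    = 'WSMan:\localhost\Client\TrustedHosts'
    $current = (Get-Item -Path $path).Value
    if ($current -ne '*' -and ($current -split ',') -notcontains $target) {
        Set-Item -Path $path -Value $target -Concatenate -Force
    }
}

$session = New-PSSession @params
try {
    # Invoke-Command is enough in a script; Enter-PSSession is for interactive use.
    Invoke-Command -Session $session -ScriptBlock {
        "Running on $env:COMPUTERNAME as $(whoami)"
    }
} finally {
    # Always tear the session down so the credentialed connection does not linger.
    Remove-PSSession -Session $session
}
```

If the connection then fails with Access Denied rather than an authentication error, UAC remote restrictions on local accounts other than the built-in Administrator are the usual cause.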

0 Answers