I'm new to PowerShell and I'm having trouble with credential delegation. I have the following script:
$session = New-PSSession myserver -Authentication CredSSP -Credential DOMAIN\Administrator
Invoke-Command -Session $session -ScriptBlock { <Some PowerShell Command> }
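Before running it, I did the following:
1. Enable-PSRemoting on my server.
2. Enable-WSManCredSSP Server on my server.
3. Restart-Service WinRM on my server.
4. Enable-WSManCredSSP Client -DelegateComputer myserver on the client.
But once I run the script, I get the following error message: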
[myserver] Connecting to remote server failed with the following error message : The WinRM client cannot process the request. A computer policy does not allow the delegation of the user credentials to the target computer. Use gpedit.msc and look at the following policy: Computer Configuration -> Administrative Templates -> System -> Credentials Delegation -> Allow Delegating Fresh Credentials. Verify that it is enabled and configured with an SPN appropriate for the target computer. For example, for a target computer name "myserver.domain.com", the SPN can be one of the following: WSMAN/myserver.domain.com or WSMAN/*.domain.com. For more information, see the about_Remote_Troubleshooting Help topic.
+ CategoryInfo : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [], PSRemotingTransportException
+ FullyQualifiedErrorId : PSSessionOpenFailed
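I checked the policies mentioned in the error message, but everything seems to be fine. What else could be blocking me?
Please refer to the following approach:
Do the following on the server: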
Enable-WSManCredSSP -Role Server
Do the following on the client:
set-item wsman:localhost\client\trustedhosts -value *
Enable-WSManCredSSP -Role Client -DelegateComputer *
Use gpedit.msc on the client to enable delegating fresh credentials to WSMAN/*:
1. Expand Local Computer Policy, expand Computer Configuration, expand Administrative Templates, expand System, and then click Credential Delegation.
2. In the Settings pane, double-click Allow Delegating Fresh Credentials with NTLM-only Server Authentication.
3. In the Allow Delegating Fresh Credentials with NTLM-only Server Authentication dialog box, do the following:
   - Click Enabled.
   - In the Options area, click Show.
   - Enter WSMAN/*, and then click OK. Make sure that Concatenate OS defaults with input above is selected, and then click OK.
The following command now works (after a password prompt):
Invoke-Command { dir \\fileserver\devtools } -computer appserver01 -authentication credssp -credential domain\user
See MSDN forums.
See TechNet.
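
To review what the steps above leave configured on the client, here is a read-only audit, added as an example and not part of the original question or answer. It lists the SPNs under both delegation policies, marks wildcard entries such as WSMAN/*, and shows TrustedHosts and the CredSSP role state. It assumes the policy registry location HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation and uses -like as an approximation of SPN matching; $ComputerName and the report column names are introduced here.

```powershell
# Added example: read-only audit of client-side CredSSP delegation settings.
# Run on the client in an elevated PowerShell session.
$ComputerName = 'myserver'   # name exactly as passed to New-PSSession / Invoke-Command
$policyRoot   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
$policies     = 'AllowFreshCredentials', 'AllowFreshCredentialsWhenNTLMOnly'

$report = foreach ($policy in $policies) {
    # A DWORD named after the policy holds its state: 1 = Enabled.
    $state   = (Get-ItemProperty -Path $policyRoot -Name $policy -ErrorAction SilentlyContinue).$policy
    $listKey = Join-Path $policyRoot $policy
    $spns    = @()
    if (Test-Path $listKey) {
        # The SPN list is stored in a subkey of the same name as numbered string values.
        $key  = Get-Item -Path $listKey
        $spns = @($key.GetValueNames() | ForEach-Object { $key.GetValue($_) })
    }
    if ($spns.Count -eq 0) { $spns = @('(no entries)') }
    foreach ($spn in $spns) {
        [pscustomobject]@{
            Policy       = $policy
            Enabled      = ($state -eq 1)
            Spn          = $spn
            HasWildcard  = $spn.Contains('*')
            # Approximation: treat the entry as a wildcard pattern for the WSMAN SPN.
            CoversTarget = ("WSMAN/$ComputerName" -like $spn)
        }
    }
}
$report | Format-Table -AutoSize

# TrustedHosts and the CredSSP role state as WinRM reports them.
"TrustedHosts: '{0}'" -f (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
Get-WSManCredSSP

# Enabled entries that delegate credentials to any matching host, listed for review.
$report | Where-Object { $_.Enabled -and $_.HasWildcard } | Select-Object Policy, Spn
```

A CoversTarget value of False on every row means no listed SPN matches the name used to connect, for example when the policy lists a fully qualified name and the session uses the short name.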