Skip to main content
 首页 » 编程设计

Powershell 远程处理之策略不允许委派用户凭据

2024年11月24日32myhome

我是 powershell 新手,我在使用凭据委派时遇到了麻烦。我有以下脚本:

$session = New-PSSession myserver -Authentication CredSSP -Credential DOMAIN\Administrator 
Invoke-Command -Session $session -ScriptBlock { <Some PowerShell Command> } 

在运行它之前,我做了以下事情:
  • 运行Enable-PSRemoting在我的服务器上。
  • 运行Enable-WSManCredSSP Server在我的服务器上。
  • 运行Restart-Service WinRM在我的服务器上。
  • 运行Enable-WSManCredSSP Client –DelegateComputer myserver在客户端。
  • 重新启动服务器和客户端。

  • 但是一旦我运行脚本,我会收到以下错误消息:
    [myserver] Connecting to remote server failed with the following error message : The WinRM client cannot process the request. A computer policy does not allow the delegation of 
     the user credentials to the target computer. Use gpedit.msc and look at the following policy: Computer Configuration -> Administrative Templates -> System -> Credentials Delega 
    tion -> Allow Delegating Fresh Credentials.  Verify that it is enabled and configured with an SPN appropriate for the target computer. For example, for a target computer name "m 
    yserver.domain.com", the SPN can be one of the following: WSMAN/myserver.domain.com or WSMAN/*.domain.com. For more information, see the about_Remote_Troubleshooting Help topic. 
        + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [], PSRemotingTransportException 
        + FullyQualifiedErrorId : PSSessionOpenFailed 
    

    我检查了错误消息中提到的政策,但一切似乎都很好。还有什么能阻止我?

    请您参考如下方法:

    在服务器上执行以下操作:

    Enable-WSManCredSSP -Role Server 
    
    在客户端执行以下操作:
    set-item wsman:localhost\client\trustedhosts -value * 
     
    Enable-WSManCredSSP -Role Client –DelegateComputer * 
    
    使用 gpedit.msc在客户端上启用将新鲜凭证委托(delegate)给 WSMAN/*:
  • 展开Local Computer Policy , 展开 Computer Configuration , 扩张Administrative Templates , 展开 System ,然后单击 Credential Delegation .
  • Settings Pane ,双击 Allow Delegating Fresh Credentials with NTLM-only Server Authentication .
  • Allow Delegating Fresh Credentials with NTLM-only Server Authentication对话框,请执行以下操作:
  • 点击Enabled .
  • Options区,点击Show .
  • 在值中,键入 WSMAN/* ,然后单击 OK .确保Concatenate OS defaults with input above被选中,然后
    点击OK .

  • 以下命令现在可以工作(在密码提示之后):
    Invoke-Command { dir \\fileserver\devtools } -computer appserver01 -authentication credssp -credential domain\user 
    
    MSDN forums .
    TechNet