我是 powershell 新手,我在使用凭据委派时遇到了麻烦。我有以下脚本:
$session = New-PSSession myserver -Authentication CredSSP -Credential DOMAIN\Administrator
Invoke-Command -Session $session -ScriptBlock { <Some PowerShell Command> }
在运行它之前,我做了以下事情:
Enable-PSRemoting在我的服务器上。 Enable-WSManCredSSP Server在我的服务器上。 Restart-Service WinRM在我的服务器上。 Enable-WSManCredSSP Client –DelegateComputer myserver在客户端。 但是一旦我运行脚本,我会收到以下错误消息:
[myserver] Connecting to remote server failed with the following error message : The WinRM client cannot process the request. A computer policy does not allow the delegation of
the user credentials to the target computer. Use gpedit.msc and look at the following policy: Computer Configuration -> Administrative Templates -> System -> Credentials Delega
tion -> Allow Delegating Fresh Credentials. Verify that it is enabled and configured with an SPN appropriate for the target computer. For example, for a target computer name "m
yserver.domain.com", the SPN can be one of the following: WSMAN/myserver.domain.com or WSMAN/*.domain.com. For more information, see the about_Remote_Troubleshooting Help topic.
+ CategoryInfo : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [], PSRemotingTransportException
+ FullyQualifiedErrorId : PSSessionOpenFailed
我检查了错误消息中提到的政策,但一切似乎都很好。还有什么能阻止我?
请您参考如下方法:
在服务器上执行以下操作:
Enable-WSManCredSSP -Role Server
set-item wsman:localhost\client\trustedhosts -value *
Enable-WSManCredSSP -Role Client –DelegateComputer *
gpedit.msc在客户端上启用将新鲜凭证委托(delegate)给 WSMAN/*:
Local Computer Policy , 展开 Computer Configuration , 扩张Administrative Templates , 展开 System ,然后单击 Credential Delegation . Settings Pane ,双击 Allow Delegating Fresh Credentials with NTLM-only Server Authentication . Allow Delegating Fresh Credentials with NTLM-only Server Authentication对话框,请执行以下操作:Enabled . Options区,点击Show . WSMAN/* ,然后单击 OK .确保Concatenate OS defaults with input above被选中,然后点击
OK . 以下命令现在可以工作(在密码提示之后):
Invoke-Command { dir \\fileserver\devtools } -computer appserver01 -authentication credssp -credential domain\user
见 TechNet
