Home
%3CLINGO-SUB%20id%3D%22lingo-sub-571575%22%20slang%3D%22en-US%22%3ESetting%20up%20remote%20PowerShell%20for%20SP%20Raas%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-571575%22%20slang%3D%22en-US%22%3E%0A%20%26lt%3Bmeta%20http-equiv%3D%22Content-Type%22%20content%3D%22text%2Fhtml%3B%20charset%3DUTF-8%22%20%2F%26gt%3B%3CSTRONG%3E%20First%20published%20on%20TECHNET%20on%20Jan%2018%2C%202016%20%3C%2FSTRONG%3E%20%3CBR%20%2F%3E%3CP%3EHello%20All%2C%3C%2FP%3E%3CBR%20%2F%3E%3CP%3E%3C%2FP%3E%3CBR%20%2F%3E%3CP%3ELately%26nbsp%3B%20when%20I%20setup%20remote%20PowerShell%20to%20run%20the%20Raas%20tool%20(For%20more%20info%20about%20the%20service%20see%20%3CA%20href%3D%22https%3A%2F%2Fservices.premier.microsoft.com%2Fassess%3FCulture%3Den-US%26amp%3BCultureAutoDetect%3Dtrue%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3E%20https%3A%2F%2Fservices.premier.microsoft.com%2Fassess%3FCulture%3Den-US%26amp%3BCultureAutoDetect%3Dtrue%20%3C%2FA%3E%20)%20I%20have%20been%20having%20the%20same%20problems%20every%20time%2C%20so%20I%20figured%20I%20would%20throw%20it%20up%20here%20so%20that%20everybody%20could%20benefit%20from%20it.%3C%2FP%3E%3CBR%20%2F%3E%3CP%3E%3C%2FP%3E%3CBR%20%2F%3E%3CP%3EFirst%20thing%20first%20we%20are%20setting%20up%20PSRemoting%2C%20and%20very%20quickly%20this%20is%20what%20we%20do.%26nbsp%3B%20I%20follow%20this%20article%20%3CA%20href%3D%22http%3A%2F%2Fwww.microsoft.com%2Fen-us%2Fdownload%2Fdetails.aspx%3Fid%3D34698%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3E%20http%3A%2F%2Fwww.microsoft.com%2Fen-us%2Fdownload%2Fdetails.aspx%3Fid%3D34698%3C%2FA%3E%3C%2FP%3E%3CBR%20%2F%3E%3CP%3E%3C%2FP%3E%3CBR%20%2F%3E%3CP%3EOn%20the%20SharePoint%20server%20(Target%20machine)%20we%20run%20the%20following%20commands%3C%2FP%3E%3CBR%20%2F%3E%3CP%3E%3C%2FP%3E%3CBR%20%2F%3E%3COL%3E%3CBR%20%2F%3E%3CLI%3Ewinrm%20quickconfig%3C%2FLI%3E%3CBR%20%2F%3E%3CLI%3EEnable-WSManCredSSP%20-Role%20server%3C%2FLI%3E%3CBR%20%2F%3E%3C%2FOL%3E%3CBR%20%2F%3E%3CP%3ENOTE%3A%20(Run%20the%20following%20two%20commands%20for%20Windows%20Server%202008%2FR2%20only)%3C%2FP%3E%3CBR%20%2F%3E%3COL%3E%3CBR%20%2F%3E%3CLI%3Ewinrm%20set%20winrm%2Fconfig%2Fwinrs%20'%40%7BMaxShellsPerUser%3D%2225%22%7D'%3C%2FLI%3E%3CBR%20%2F%3E%3CLI%3Ewinrm%20set%20winrm%2Fconfig%2Fwinrs%20'%40%7BMaxMemoryPerShellMB%3D%22600%22%7D'%3C%2FLI%3E%3CBR%20%2F%3E%3C%2FOL%3E%3CBR%20%2F%3E%3CP%3ENOTE%3A%20(Watch%20the%20quotes%20in%20the%20last%202%20commands%20above)%3C%2FP%3E%3CBR%20%2F%3E%3CP%3E%3C%2FP%3E%3CBR%20%2F%3E%3CP%3EThen%20on%20the%20tool%20server%20(Client%20machine)%3C%2FP%3E%3CBR%20%2F%3E%3CP%3E%3C%2FP%3E%3CBR%20%2F%3E%3COL%3E%3CBR%20%2F%3E%3CLI%3EEnable-WSManCredSSP%20-Role%20client%20-DelegateComputer%20%3CSHAREPOINTSERVER%20fqdn%3D%22%22%3E%3C%2FSHAREPOINTSERVER%3E%3C%2FLI%3E%3CBR%20%2F%3E%3C%2FOL%3E%3CBR%20%2F%3E%3CP%3ENOTE%3A%20You%20must%20provide%20the%20whole%20FQDN%20not%20just%20Netbios%20name%3C%2FP%3E%3CBR%20%2F%3E%3CP%3E%3C%2FP%3E%3CBR%20%2F%3E%3CP%3EThen%20we%20test%20our%20connection%20by%20running%20a%20New-PSSession%20command%2C%20and%20baam%20the%20trouble%20starts.%26nbsp%3B%20We%20get%20the%20following%20error%3C%2FP%3E%3CBR%20%2F%3E%3CP%3E%3C%2FP%3E%3CBR%20%2F%3E%3CP%3EPS%20C%3A%5CUsers%5CXXXXXXX%26gt%3B%20%24s%20%3D%20New-PSSession%20-ComputerName%20server.domain.com%20-Authentication%20CredSSP%20-Credential%20%24farm%3C%2FP%3E%3CBR%20%2F%3E%3CP%3E%5Bserver.domain.com%5D%20Connecting%20to%20remote%20server%20failed%20with%20the%20f%3C%2FP%3E%3CBR%20%2F%3E%3CP%3Eollowing%20error%20message%20%3A%20The%20WinRM%20client%20cannot%20process%20the%20request.%20A%20compute%3C%2FP%3E%3CBR%20%2F%3E%3CP%3Er%20policy%20does%20not%20allow%20the%20delegation%20of%20the%20user%20credentials%20to%20the%20target%20co%3C%2FP%3E%3CBR%20%2F%3E%3CP%3Emputer%20because%20the%20computer%20is%20not%20trusted.%20The%20identity%20of%20the%20target%20computer%3C%2FP%3E%3CBR%20%2F%3E%3CP%3Ecan%20be%20verified%20if%20you%20configure%20the%20WSMAN%20service%20to%20use%20a%20valid%20certificate%3C%2FP%3E%3CBR%20%2F%3E%3CP%3Eusing%20the%20following%20command%3A%20winrm%20set%20winrm%2Fconfig%2Fservice%20'%40%7BCertificateThumb%3C%2FP%3E%3CBR%20%2F%3E%3CP%3Eprint%3D%22%3CTHUMBPRINT%3E%22%7D'%26nbsp%3B%20Or%20you%20can%20check%20the%20Event%20Viewer%20for%20an%20event%20that%20spe%3C%2FTHUMBPRINT%3E%3C%2FP%3E%3CBR%20%2F%3E%3CP%3Ecifies%20that%20the%20following%20SPN%20could%20not%20be%20created%3A%20WSMAN%2F%3CCOMPUTERFQDN%3E.%20If%20yo%3C%2FCOMPUTERFQDN%3E%3C%2FP%3E%3CBR%20%2F%3E%3CP%3Eu%20find%20this%20event%2C%20you%20can%20manually%20create%20the%20SPN%20using%20setspn.exe%20.%26nbsp%3B%20If%20the%20S%3C%2FP%3E%3CBR%20%2F%3E%3CP%3EPN%20exists%2C%20but%20CredSSP%20cannot%20use%20Kerberos%20to%20validate%20the%20identity%20of%20the%20targ%3C%2FP%3E%3CBR%20%2F%3E%3CP%3Eet%20computer%20and%20you%20still%20want%20to%20allow%20the%20delegation%20of%20the%20user%20credentials%3C%2FP%3E%3CBR%20%2F%3E%3CP%3Eto%20the%20target%20computer%2C%20use%20gpedit.msc%20and%20look%20at%20the%20following%20policy%3A%20Comput%3C%2FP%3E%3CBR%20%2F%3E%3CP%3Eer%20Configuration%20-%26gt%3B%20Administrative%20Templates%20-%26gt%3B%20System%20-%26gt%3B%20Credentials%20Delegatio%3C%2FP%3E%3CBR%20%2F%3E%3CP%3En%20-%26gt%3B%20Allow%20Fresh%20Credentials%20with%20NTLM-only%20Server%20Authentication.%26nbsp%3B%20Verify%20that%3C%2FP%3E%3CBR%20%2F%3E%3CP%3Eit%20is%20enabled%20and%20configured%20with%20an%20SPN%20appropriate%20for%20the%20target%20computer.%3C%2FP%3E%3CBR%20%2F%3E%3CP%3EFor%20example%2C%20for%20a%20target%20computer%20name%20%22myserver.domain.com%22%2C%20the%20SPN%20can%20be%20o%3C%2FP%3E%3CBR%20%2F%3E%3CP%3Ene%20of%20the%20following%3A%20WSMAN%2Fmyserver.domain.com%20or%20WSMAN%2F*.domain.com.%20Try%20the%20r%3C%2FP%3E%3CBR%20%2F%3E%3CP%3Eequest%20again%20after%20these%20changes.%20For%20more%20information%2C%20see%20the%20about_Remote_Tr%3C%2FP%3E%3CBR%20%2F%3E%3CP%3Eoubleshooting%20Help%20topic.%3C%2FP%3E%3CBR%20%2F%3E%3CP%3E%2B%20CategoryInfo%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%3A%20OpenError%3A%20(System.Manageme....RemoteRunspace%3ARe%3C%2FP%3E%3CBR%20%2F%3E%3CP%3EmoteRunspace)%20%5B%5D%2C%20PSRemotingTransportException%3C%2FP%3E%3CBR%20%2F%3E%3CP%3E%2B%20FullyQualifiedErrorId%20%3A%20PSSessionOpenFailed%3C%2FP%3E%3CBR%20%2F%3E%3CP%3EPS%20C%3A%5CUsers%5CXXXXXXX%26gt%3B%3C%2FP%3E%3CBR%20%2F%3E%3CP%3E%3C%2FP%3E%3CBR%20%2F%3E%3CP%3E%3C%2FP%3E%3CBR%20%2F%3E%3CP%3EHere%20are%20the%20solutions%20that%20I%20have%20found%20for%20this%20issue%2C%20hopefully%20one%20of%20them%20will%20help%20you.%3C%2FP%3E%3CBR%20%2F%3E%3CP%3E%3C%2FP%3E%3CBR%20%2F%3E%3COL%3E%3CBR%20%2F%3E%3CLI%3EDenied%20permission%20on%20session%20configuration%2C%20run%20the%20following%20command%3C%2FLI%3E%3CBR%20%2F%3E%3C%2FOL%3E%3CBR%20%2F%3E%3CP%3ESet-PSSsessionConfiguration%20-ShowSecurityDescriptorUI%20%E2%80%93Name%20microsoft.powershell%3C%2FP%3E%3CBR%20%2F%3E%3CP%3EThen%20in%20the%20window%20that%20opens%20insure%20your%20user%20has%20Full%20Control%20and%20there%20are%20no%20denies.%3C%2FP%3E%3CBR%20%2F%3E%3CP%3E%3C%2FP%3E%3CBR%20%2F%3E%3COL%3E%3CBR%20%2F%3E%3CLI%3EDeny%20Access%20to%20Server%2C%20make%20sure%20your%20user%20is%20a%20member%20of%20Local%20Admin%20group%20on%20the%20SharePoint%20server%3C%2FLI%3E%3CBR%20%2F%3E%3C%2FOL%3E%3CBR%20%2F%3E%3CP%3E%3C%2FP%3E%3CBR%20%2F%3E%3COL%3E%3CBR%20%2F%3E%3CLI%3ECreddSSP%20authentication%20failing%2C%20if%20your%20able%20to%20connect%20to%20session%20by%20dropping%20the%20CredSSP%20parameter.%26nbsp%3B%20Perform%20the%20following%20steps.%3C%2FLI%3E%3CBR%20%2F%3E%3C%2FOL%3E%0A%20%20%3COL%3E%3CBR%20%2F%3E%3CLI%3EOpen%20GPEdit.msc%3C%2FLI%3E%3CBR%20%2F%3E%3CLI%3EExpand%20Computer%20Configuration%20-%26gt%3B%20Administrative%20Templates%20-%26gt%3B%20System%20-%26gt%3B%20Credentials%20Delegation%3C%2FLI%3E%3CBR%20%2F%3E%3CLI%3EEnable%20the%20policy%20'Allow%20delegating%20fresh%20credentials%20with%20NTLM-only%20server%20authentication'%3C%2FLI%3E%3CBR%20%2F%3E%3CLI%3EClick%20the%20Show%20button%20and%20add%20the%20SPN%20in%20the%20format%20WSMAN%2F%3CFQDN%3E%3C%2FFQDN%3E%3C%2FLI%3E%3CBR%20%2F%3E%3CLI%3EClick%20ok%20and%20close%20the%20.msc%3C%2FLI%3E%3CBR%20%2F%3E%3CLI%3ERun%20gpupdate%20%2Fforce%3C%2FLI%3E%3CBR%20%2F%3E%3C%2FOL%3E%3CBR%20%2F%3E%3CP%3E%3C%2FP%3E%3CBR%20%2F%3E%3CP%3EAs%20I%20find%20new%20solutions%2Fissues%20I%20will%20update%20this%20article%2C%20good%20luck%20and%20have%20fun%20everybody.%3C%2FP%3E%0A%20%0A%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-571575%22%20slang%3D%22en-US%22%3EFirst%20published%20on%20TECHNET%20on%20Jan%2018%2C%202016%20Hello%20All%2C%26nbsp%3BLately%26nbsp%3B%20when%20I%20setup%20remote%20PowerShell%20to%20run%20the%20Raas%20tool%20(For%20more%20info%20about%20the%20service%20see%20https%3A%2F%2Fservices.%3C%2FLINGO-TEASER%3E
First published on TECHNET on Jan 18, 2016

Hello All,



Lately  when I setup remote PowerShell to run the Raas tool (For more info about the service see https://services.premier.microsoft.com/assess?Culture=en-US&CultureAutoDetect=true ) I have been having the same problems every time, so I figured I would throw it up here so that everybody could benefit from it.



First thing first we are setting up PSRemoting, and very quickly this is what we do.  I follow this article http://www.microsoft.com/en-us/download/details.aspx?id=34698



On the SharePoint server (Target machine) we run the following commands




  1. winrm quickconfig

  2. Enable-WSManCredSSP -Role server


NOTE: (Run the following two commands for Windows Server 2008/R2 only)



  1. winrm set winrm/config/winrs '@{MaxShellsPerUser="25"}'

  2. winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="600"}'


NOTE: (Watch the quotes in the last 2 commands above)



Then on the tool server (Client machine)




  1. Enable-WSManCredSSP -Role client -DelegateComputer <SharePointServer FQDN>


NOTE: You must provide the whole FQDN not just Netbios name



Then we test our connection by running a New-PSSession command, and baam the trouble starts.  We get the following error



PS C:\Users\XXXXXXX> $s = New-PSSession -ComputerName server.domain.com -Authentication CredSSP -Credential $farm


[server.domain.com] Connecting to remote server failed with the f


ollowing error message : The WinRM client cannot process the request. A compute


r policy does not allow the delegation of the user credentials to the target co


mputer because the computer is not trusted. The identity of the target computer


can be verified if you configure the WSMAN service to use a valid certificate


using the following command: winrm set winrm/config/service '@{CertificateThumb


print="<thumbprint>"}'  Or you can check the Event Viewer for an event that spe


cifies that the following SPN could not be created: WSMAN/<computerFQDN>. If yo


u find this event, you can manually create the SPN using setspn.exe .  If the S


PN exists, but CredSSP cannot use Kerberos to validate the identity of the targ


et computer and you still want to allow the delegation of the user credentials


to the target computer, use gpedit.msc and look at the following policy: Comput


er Configuration -> Administrative Templates -> System -> Credentials Delegatio


n -> Allow Fresh Credentials with NTLM-only Server Authentication.  Verify that


it is enabled and configured with an SPN appropriate for the target computer.


For example, for a target computer name "myserver.domain.com", the SPN can be o


ne of the following: WSMAN/myserver.domain.com or WSMAN/*.domain.com. Try the r


equest again after these changes. For more information, see the about_Remote_Tr


oubleshooting Help topic.


+ CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:Re


moteRunspace) [], PSRemotingTransportException


+ FullyQualifiedErrorId : PSSessionOpenFailed


PS C:\Users\XXXXXXX>




Here are the solutions that I have found for this issue, hopefully one of them will help you.




  1. Denied permission on session configuration, run the following command


Set-PSSsessionConfiguration -ShowSecurityDescriptorUI –Name microsoft.powershell


Then in the window that opens insure your user has Full Control and there are no denies.




  1. Deny Access to Server, make sure your user is a member of Local Admin group on the SharePoint server




  1. CreddSSP authentication failing, if your able to connect to session by dropping the CredSSP parameter.  Perform the following steps.


  1. Open GPEdit.msc

  2. Expand Computer Configuration -> Administrative Templates -> System -> Credentials Delegation

  3. Enable the policy 'Allow delegating fresh credentials with NTLM-only server authentication'

  4. Click the Show button and add the SPN in the format WSMAN/<FQDN>

  5. Click ok and close the .msc

  6. Run gpupdate /force



As I find new solutions/issues I will update this article, good luck and have fun everybody.