Setting up remote PowerShell for SP Raas
Published May 15 2019 03:11 PM

First published on TECHNET on Jan 18, 2016

Hello All,

Lately, when I set up remote PowerShell to run the Raas tool (for more info about the service see https://services.premier.microsoft.com/assess?Culture=en-US&CultureAutoDetect=true ), I have been having the same problems every time, so I figured I would throw it up here so that everybody could benefit from it.

First things first: we are setting up PSRemoting, and very quickly, this is what we do. I follow this article: http://www.microsoft.com/en-us/download/details.aspx?id=34698

On the SharePoint server (Target machine) we run the following commands:

    1. winrm quickconfig

    2. Enable-WSManCredSSP -Role server

NOTE: (Run the following two commands for Windows Server 2008/R2 only)

    1. winrm set winrm/config/winrs '@{MaxShellsPerUser="25"}'

    2. winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="600"}'

NOTE: (Watch the quotes in the last 2 commands above)

Then on the tool server (Client machine):

    1. Enable-WSManCredSSP -Role client -DelegateComputer <SharePointServer FQDN>

NOTE: You must provide the whole FQDN, not just the NetBIOS name.

Then we test our connection by running a New-PSSession command, and bam, the trouble starts. We get the following error:

    PS C:\Users\XXXXXXX> $s = New-PSSession -ComputerName server.domain.com -Authentication CredSSP -Credential $farm
    [server.domain.com] Connecting to remote server failed with the following error message : The WinRM client cannot process the request. A computer policy does not allow the delegation of the user credentials to the target computer because the computer is not trusted. The identity of the target computer can be verified if you configure the WSMAN service to use a valid certificate using the following command: winrm set winrm/config/service '@{CertificateThumbprint="<thumbprint>"}'  Or you can check the Event Viewer for an event that specifies that the following SPN could not be created: WSMAN/<computerFQDN>. If you find this event, you can manually create the SPN using setspn.exe .  If the SPN exists, but CredSSP cannot use Kerberos to validate the identity of the target computer and you still want to allow the delegation of the user credentials to the target computer, use gpedit.msc and look at the following policy: Computer Configuration -> Administrative Templates -> System -> Credentials Delegation -> Allow Fresh Credentials with NTLM-only Server Authentication.  Verify that it is enabled and configured with an SPN appropriate for the target computer. For example, for a target computer name "myserver.domain.com", the SPN can be one of the following: WSMAN/myserver.domain.com or WSMAN/*.domain.com. Try the request again after these changes. For more information, see the about_Remote_Troubleshooting Help topic.
        + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [], PSRemotingTransportException
        + FullyQualifiedErrorId : PSSessionOpenFailed
    PS C:\Users\XXXXXXX>

Here are the solutions that I have found for this issue; hopefully one of them will help you.

    1. Denied permission on session configuration: run the following command

Set-PSSessionConfiguration -ShowSecurityDescriptorUI -Name microsoft.powershell

Then, in the window that opens, ensure your user has Full Control and there are no denies.

    2. Denied access to the server: make sure your user is a member of the Local Admin group on the SharePoint server

    3. CredSSP authentication failing: if you're able to connect to the session by dropping the CredSSP parameter, perform the following steps.

        1. Open GPEdit.msc

        2. Expand Computer Configuration -> Administrative Templates -> System -> Credentials Delegation

        3. Enable the policy 'Allow delegating fresh credentials with NTLM-only server authentication'

        4. Click the Show button and add the SPN in the format WSMAN/<FQDN>

        5. Click OK and close the .msc

        6. Run gpupdate /force
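
To confirm what the steps above actually configured, the following added example (not part of the original post and not a Microsoft tool) lists the WSMAN entries in the two Credentials Delegation lists and shows whether each one covers a given target name. Assumptions: the function names are hypothetical, the sample entries and target names are constructed, the registry path is where these two policies store their SPN lists, and the `-like` comparison only approximates how CredSSP matches SPNs.

```powershell
# Added example: which Credentials Delegation entries cover a given target?
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'

function Get-DelegationList {
    # Reads the SPN strings stored under one delegation policy subkey.
    param([Parameter(Mandatory)][string]$PolicyName)
    $key = Join-Path $PolicyRoot $PolicyName
    if (-not (Test-Path -Path $key)) { return @() }
    $item = Get-Item -Path $key
    # Each value under the subkey ("1", "2", ...) holds one SPN string.
    @($item.GetValueNames() | ForEach-Object { [string]$item.GetValue($_) })
}

function Test-DelegationEntry {
    # Reports, per WSMAN entry, whether it covers $TargetName and whether it is a wildcard.
    param([string[]]$Entries, [Parameter(Mandatory)][string]$TargetName)
    foreach ($entry in $Entries) {
        if ($entry.Trim() -notmatch '^wsman/(?<host>.+)$') { continue }
        $hostPart = $Matches['host']
        [pscustomobject]@{
            Entry        = $entry.Trim()
            CoversTarget = $TargetName -like $hostPart   # approximation of SPN matching
            IsWildcard   = $hostPart.Contains('*')       # delegates to every matching host
        }
    }
}

# Constructed sample data so the example runs on any machine.
$sample = @{
    AllowFreshCredentials             = @('wsman/myserver.domain.com')
    AllowFreshCredentialsWhenNTLMOnly = @('WSMAN/myserver.domain.com', 'WSMAN/*.domain.com')
}
$UseLiveRegistry = $false   # set to $true on the tool server to audit its real policy

# The second target is a NetBIOS-style name, to show why the FQDN is required.
$report = foreach ($target in 'myserver.domain.com', 'myserver') {
    foreach ($policy in $sample.Keys) {
        $entries = if ($UseLiveRegistry) { Get-DelegationList -PolicyName $policy }
                   else { $sample[$policy] }
        Test-DelegationEntry -Entries $entries -TargetName $target |
            Select-Object @{ n = 'Target'; e = { $target } },
                          @{ n = 'Policy'; e = { $policy } },
                          Entry, CoversTarget, IsWildcard
    }
}
$report | Format-Table -AutoSize
```

Rows with IsWildcard set to True mean the client will delegate the user's credentials to any host matching the pattern, so a single-FQDN entry is the narrower choice when only one SharePoint server is being assessed.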



 

 

As I find new solutions/issues I will update this article. Good luck and have fun, everybody.

Last update: Apr 28 2020 03:17 PM