SOLVED

How do I PowerShell Remote from an AAD machine to an AD machine?

Contributor

Hello, I have an Azure-AD-joined machine, from which I want to do PowerShell Remoting (WinRM) to domain-joined servers.

 

When I try Enter-PSSession myserver (whether I use -Credential with my domain account or not), I get the same error:

Enter-PSSession : Connecting to remote server myserver failed with the following error message : The WinRM client cannot process the request. If the authentication scheme is different from Kerberos, or if the client computer is not joined to a domain, then HTTPS transport must be used or the destination machine must be added to the TrustedHosts configuration setting. Use winrm.cmd to configure TrustedHosts. Note that computers in the TrustedHosts list might not be authenticated. You can get more information about that by running the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.

 

I am on the same network as the servers.  If I connect from domain computer to domain computer, then I have no issues.  It's only when connecting from an Azure-AD joined computer (even when supplying domain credentials) that it doesn't work.  

 

How do I PowerShell Remote from an AAD machine to an AD machine? Thanks in advance

5 Replies

@Roger Seekell Did you ever figure this out? I was hopeful to finally find a thread with this question but sad to see there were no replies. 

Thanks for your reply. No, I have not been able to figure it out.
best response confirmed by Roger Seekell (Contributor)
Solution

@Roger Seekell 

After posting my reply I did manage to figure it out. Do the following from an Administrative PS window.

On the machine you are running Enter-PSSession on (Client), first ensure WinRM is running (and setting it to Automatic for ease of use)

Set-Service -Name WinRM -Status Running -StartupType Automatic

Add either all (*) or just the servers you want to connect to into the TrustedHosts list

Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value 'server1'

or -Value *

To append to the list in the future use -Concatenate at the end of the command. You can also specify multiple servers in the command by using 'server1,server2,server3'

Now you should be able to remote to these servers from an Azure Joined server. 

One additional note, you may have to specify credentials in the DOMAIN\Username format in the Enter-PSSession command with the -Credential parameter:

Enter-PSSession server1 -Credential (Get-Credential)

 

Sorry for my delay, but your solution has worked for me! Thanks so much! I didn't realize that the initiating computer needed to have WinRM service enabled and have the target machines in its TrustedHosts list. Thanks again!

I have WINRM completely stopped & disabled yet I'm able to run Enter-PSSession -ComputerName 192.168.128.140 -Credential 192.168.128.140\user just fine.

- PS Remoting is much easier when both the client\server are both members of the same domain due to the trust that is already there because of the domain join
o (not tested) have not tested if client\server are both joined to the same Azure AD
o Other wise if they are both part of a workgroup on the same LAN then you will need to add the client to the server’s trusted hosts
o (Not tested) or you can enable HTTPS transport and add the firewall rule for WSMAN/WINRM server
- PS remoting will require enable-PSremoting in both cases whether the client\server are members of the same domain or member of a work group
o you will run enable-PSremoting on the server (not the client)

  • when client\server are both part of a workgroup (not AD domain) then you will use IP addresses instead of high level computer names to connect