Enable PowerShell Remoting with Client Outside of Server's Domain (Trusted Host and Double Hop Issue)
To enable remote
powershelling with servers not in the same domain as the client machine
you will need to perform the following steps:
Note: Do not allow unencrypted communication for internet use.
On the client PC type:
PS c:\users\root> cd wsman:localhost\Client
PS WSMan:\localhost\Client> Set-Item AllowUnencrypted -Value $true -force
PS WSMan:\localhost\Client> Set-Item TrustedHosts -Value * -force
On the server PC type:
PS c:\users\root> Enable-PSRemoting
Then using regedit set the key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Service\allow_unencrypted to 0x00000001
To connect from the client type:
PS WSMan:\localhost\Client> New-PSSession -name Server01 -computername boqsource -credential boq\spsetup -Port 5985
PS WSMan:\localhost\Client> Enter-PSSession Server01
You should be on a command line on your server!
To add Sharepoint commands to your shell type:
[server] c:\> Add-PSSnapin Microsoft.Sharepoint.Powershell
Now you can execute any SP cmdlets!
But wait, you get access denied to the farm :O. This is due to a known issue in the double hop of credentials. My server credentials are different to my client credentials and my Powershell is using my client credentials. The solution is to configure CredSSP authentication.
Here are the steps to enable CredSSP on the server:
1. Login to your server.
2. In powershell type: PS C:\> Enable-WSManCredSSP -Role Server
Here are the steps to enable CredSSP on the client:
1. Enable CredSSP through powershell by typing: PS C:\> Enable-WSManCredSSP -Role Client -DelegateComputer <FQDN of the server>
2. Run "gpedit.msc" drill down: Local Computer Policy > Computer Configuration > Administrative Templates > Credentials Delegation > Allow Delegating Fresh Credentials with NTLM-only.
3. Enable "Allow Delegating Fresh Credentials with NTLM-only" and click "Show" next to "Add servers to list:". Add the server "WSMAN/*" this will add all servers, you can be specific if you wish.
4. Apply the new policy and click Start -> Run -> and type: "gpupdate"
Logging in using CredSSP:
PS C:> Enter-PSSession server -Authentication CredSSP -Credential (Get-Credential)
[server]: PS C:> Add-PSSnapin Microsoft.Sharepoint.Powershell
alternatively, put this into a ps1 script file:
$session = New-PSSession -Name server -ComputerName server -Authentication CredSSP -Credential (Get-Credential)
Invoke-Command -Session $session -ScriptBlock { Add-PSSnapin Microsoft.SharePoint.PowerShell }
Enter-PSsession $session
Now you have full access to the server and Sharepoint cmdlets!! Phew.
Note: Do not allow unencrypted communication for internet use.
On the client PC type:
PS c:\users\root> cd wsman:localhost\Client
PS WSMan:\localhost\Client> Set-Item AllowUnencrypted -Value $true -force
PS WSMan:\localhost\Client> Set-Item TrustedHosts -Value * -force
On the server PC type:
PS c:\users\root> Enable-PSRemoting
Then using regedit set the key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Service\allow_unencrypted to 0x00000001
To connect from the client type:
PS WSMan:\localhost\Client> New-PSSession -name Server01 -computername boqsource -credential boq\spsetup -Port 5985
PS WSMan:\localhost\Client> Enter-PSSession Server01
You should be on a command line on your server!
To add Sharepoint commands to your shell type:
[server] c:\> Add-PSSnapin Microsoft.Sharepoint.Powershell
Now you can execute any SP cmdlets!
But wait, you get access denied to the farm :O. This is due to a known issue in the double hop of credentials. My server credentials are different to my client credentials and my Powershell is using my client credentials. The solution is to configure CredSSP authentication.
Here are the steps to enable CredSSP on the server:
1. Login to your server.
2. In powershell type: PS C:\> Enable-WSManCredSSP -Role Server
Here are the steps to enable CredSSP on the client:
1. Enable CredSSP through powershell by typing: PS C:\> Enable-WSManCredSSP -Role Client -DelegateComputer <FQDN of the server>
2. Run "gpedit.msc" drill down: Local Computer Policy > Computer Configuration > Administrative Templates > Credentials Delegation > Allow Delegating Fresh Credentials with NTLM-only.
3. Enable "Allow Delegating Fresh Credentials with NTLM-only" and click "Show" next to "Add servers to list:". Add the server "WSMAN/*" this will add all servers, you can be specific if you wish.
4. Apply the new policy and click Start -> Run -> and type: "gpupdate"
Logging in using CredSSP:
PS C:> Enter-PSSession server -Authentication CredSSP -Credential (Get-Credential)
[server]: PS C:> Add-PSSnapin Microsoft.Sharepoint.Powershell
alternatively, put this into a ps1 script file:
$session = New-PSSession -Name server -ComputerName server -Authentication CredSSP -Credential (Get-Credential)
Invoke-Command -Session $session -ScriptBlock { Add-PSSnapin Microsoft.SharePoint.PowerShell }
Enter-PSsession $session
Now you have full access to the server and Sharepoint cmdlets!! Phew.
Comments
Post a Comment