PowerShell remote PSSession failure - Domain admin account - Error 0x80090322

I am troubleshooting a problem with a PRTG sensor that does not collect Windows Update information from one of our servers. It uses WinRM and a remote PowerShell command to do this.

Server1 - the server with the issue

Server2 - a working server

When I try to use Enter-PSSession -ComputerName Server1 or winrs -r:Server1 dir to test the connection, I get the following errors:

PS C:\WINDOWS\system32> winrs -r:Server1 dir


Winrs error:WinRM cannot process the request. The following error with errorcode 0x80090322 occurred while using Kerberos authentication: An unknown security error occurred.
 Possible causes are:
  -The user name or password specified are invalid.
  -Kerberos is used when no authentication method and no user name are specified.
  -Kerberos accepts domain user names, but not local user names.
  -The Service Principal Name (SPN) for the remote computer name and port does not exist.
  -The client and remote computers are in different domains and there is no trust between the two domains.
 After checking for the above issues, try the following:
  -Check the Event Viewer for events related to authentication.
  -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
 Note that computers in the TrustedHosts list might not be authenticated.
   -For more information about WinRM configuration, run the following command: winrm help config.

PS C:\WINDOWS\system32> Enter-PSSession -ComputerName Server1
Enter-PSSession : Connecting to remote server Server1 failed with the following error message : WinRM cannot process the request. The
following error with errorcode 0x80090322 occurred while using Kerberos authentication: An unknown security error occurred.
 Possible causes are:
  -The user name or password specified are invalid.
  -Kerberos is used when no authentication method and no user name are specified.
  -Kerberos accepts domain user names, but not local user names.
  -The Service Principal Name (SPN) for the remote computer name and port does not exist.
  -The client and remote computers are in different domains and there is no trust between the two domains.
 After checking for the above issues, try the following:
  -Check the Event Viewer for events related to authentication.
  -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
 Note that computers in the TrustedHosts list might not be authenticated.
   -For more information about WinRM configuration, run the following command: winrm help config. For more information, see the
about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ Enter-PSSession -ComputerName Server1
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (Server1:String) [Enter-PSSession], PSRemotingTransportException
    + FullyQualifiedErrorId : CreateRemoteRunspaceFailed

If I run the command against any of our other servers, the connection succeeds; this is the only one giving me trouble.

If I run the Enter-PSSession command with the -Credential switch using my own user account, I get the same error, but if I run the command and specify the server's local administrator account, it connects. Other servers work fine.

PS C:\WINDOWS\system32> Enter-PSSession -ComputerName Server1 -Credential Server1\administrator
[Server1]: PS C:\Users\Administrator\Documents> exit

PS C:\WINDOWS\system32> Enter-PSSession -ComputerName Server1 -credential domain\myuser
Enter-PSSession : Connecting to remote server Server1 failed with the following error message : WinRM cannot process the request. The
following error with errorcode 0x80090322 occurred while using Negotiate authentication: An unknown security error occurred.
 Possible causes are:
  -The user name or password specified are invalid.
  -Kerberos is used when no authentication method and no user name are specified.
  -Kerberos accepts domain user names, but not local user names.
  -The Service Principal Name (SPN) for the remote computer name and port does not exist.
  -The client and remote computers are in different domains and there is no trust between the two domains.
 After checking for the above issues, try the following:
  -Check the Event Viewer for events related to authentication.
  -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
 Note that computers in the TrustedHosts list might not be authenticated.
   -For more information about WinRM configuration, run the following command: winrm help config. For more information, see the
about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ Enter-PSSession -ComputerName Server1 -credential alpenaw2k.local\kemp ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (Server1:String) [Enter-PSSession], PSRemotingTransportException
    + FullyQualifiedErrorId : CreateRemoteRunspaceFailed

PS C:\WINDOWS\system32> Enter-PSSession -ComputerName Server2
[Server2]: PS C:\Users\user\Documents> exit
PS C:\WINDOWS\system32>

If I run New-PSSession from the server itself, I get the same error unless I specify the -EnableNetworkAccess switch, in which case it connects. This confuses me. Event Viewer gives me Event ID 161 related to user authentication and error 142 for the session creation failure.

If I run Test-WSMan from the server itself and from a remote host, it reports as running.

Here is the WinRM configuration and the listener configuration:

PS C:\Windows\system32> winrm get winrm/config
Config
    MaxEnvelopeSizekb = 500
    MaxTimeoutms = 60000
    MaxBatchItems = 32000
    MaxProviderRequests = 4294967295
    Client
        NetworkDelayms = 5000
        URLPrefix = wsman
        AllowUnencrypted = false
        Auth
            Basic = true
            Digest = true
            Kerberos = true
            Negotiate = true
            Certificate = true
            CredSSP = false
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        TrustedHosts = 10.10.10.142
    Service
        RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
        MaxConcurrentOperations = 4294967295
        MaxConcurrentOperationsPerUser = 1500
        EnumerationTimeoutms = 240000
        MaxConnections = 300
        MaxPacketRetrievalTimeSeconds = 120
        AllowUnencrypted = false
        Auth
            Basic = false
            Kerberos = true
            Negotiate = true
            Certificate = false
            CredSSP = false
            CbtHardeningLevel = Relaxed
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        IPv4Filter = *
        IPv6Filter = *
        EnableCompatibilityHttpListener = false
        EnableCompatibilityHttpsListener = false
        CertificateThumbprint
        AllowRemoteAccess = true
    Winrs
        AllowRemoteShellAccess = true
        IdleTimeout = 7200000
        MaxConcurrentUsers = 2147483647
        MaxShellRunTime = 2147483647
        MaxProcessesPerShell = 2147483647
        MaxMemoryPerShellMB = 2147483647
        MaxShellsPerUser = 2147483647

PS C:\Windows\system32> winrm enumerate winrm/config/listener
Listener
    Address = *
    Transport = HTTP
    Port = 5985
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = 10.10.10.87, 127.0.0.1, ::1, fe80::4579:db85:c9cb:ead0%6

Other things I have tried:

  • I have no GPO settings in place for WinRM.
  • I deleted and recreated the listener.
  • I reset the WinRM configuration several times.
  • Windows Firewall with Advanced Security is disabled for the public, private and domain profiles.
  • I checked the permissions with Set-PSSessionConfiguration -Name Microsoft.PowerShell -ShowSecurityDescriptorUI and the privileges look correct.
  • I used IP addresses instead of host names, with the same results.
  • I added my computer to the TrustedHosts list and it does not work. This should not be necessary anyway, since both computers are in the same domain.
  • Ran Enable-PSRemoting -Force (although this should be unnecessary, since WinRM is enabled by default on Server 2012 and later).
  • I added my user to Local Administrators and Remote Management Users on the server, with no luck.
  • I adjusted the registry with REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 and it does not work regardless of the value.
  • I rebooted and ran sfc /scannow as a last-ditch effort.

Specs for the server, the workstation and my user:

  • My domain account is a Domain Admin.
  • The server is Windows Server 2019 Standard.
  • The workstation is Windows 10 Pro.
  • PowerShell version 5 on both.
  • Both computers are in the same domain.
  • Both computers are fully patched.

I could use the local administrator account to poll this information and solve my immediate problem, but that does not fix the underlying issue.

On the remote server there are no error entries in the Windows Remote Management log, but on my computer I have these:

Error Event ID - 142

WSMan operation Enumeration failed, error code 2150858909

Error Event ID - 49

The WinRM protocol operation failed due to the following error: WinRM cannot process the request. The following error with errorcode 0x80090322 occurred while using Kerberos authentication: An unknown security error occurred.  
 Possible causes are:
  -The user name or password specified are invalid.
  -Kerberos is used when no authentication method and no user name are specified.
  -Kerberos accepts domain user names, but not local user names.
  -The Service Principal Name (SPN) for the remote computer name and port does not exist.
  -The client and remote computers are in different domains and there is no trust between the two domains.
 After checking for the above issues, try the following:
  -Check the Event Viewer for events related to authentication.
  -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
 Note that computers in the TrustedHosts list might not be authenticated.
   -For more information about WinRM configuration, run the following command: winrm help config..

Error Event ID - 161

WinRM cannot process the request. The following error with errorcode 0x80090322 occurred while using Kerberos authentication: An unknown security error occurred.  
 Possible causes are:
  -The user name or password specified are invalid.
  -Kerberos is used when no authentication method and no user name are specified.
  -Kerberos accepts domain user names, but not local user names.
  -The Service Principal Name (SPN) for the remote computer name and port does not exist.
  -The client and remote computers are in different domains and there is no trust between the two domains.
 After checking for the above issues, try the following:
  -Check the Event Viewer for events related to authentication.
  -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
 Note that computers in the TrustedHosts list might not be authenticated.
   -For more information about WinRM configuration, run the following command: winrm help config.

I can RDP to the server without any problem; that is how I have been doing some of the local testing.

I tested these two commands:

gwmi win32_operatingsystem -ComputerName Server1 runs normally without problems, both when specifying the remote server and when RDP'ing in and running it locally.

Get-CimInstance win32_operatingsystem -ComputerName Server1 I cannot run from my workstation, but if I RDP to the server and run it there, it runs normally.

The output of SetSPN -X returns no duplicate SPNs.

The output of SetSPN -L returns:

Registered ServicePrincipalNames for CN=Server1,OU=Servers,OU=Organization,DC=Organization,DC=LOCAL:
        TERMSRV/Server1.DOMAIN.LOCAL
        WSMAN/Server1.DOMAIN.LOCAL
        RestrictedKrbHost/Server1.DOMAIN.LOCAL
        HOST/Server1.DOMAIN.LOCAL
        TERMSRV/Server1
        WSMAN/Server1
        RestrictedKrbHost/Server1
        HOST/Server1

Any and all suggestions are greatly appreciated.
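The one check missing from the list above is who actually owns the HTTP/ SPN for the host. WinRM over Kerberos requests a ticket for HTTP/<host>, not WSMAN/<host>; when no HTTP/ SPN is registered anywhere the KDC falls back to HOST/<host>, which the computer account owns, so the server can decrypt the ticket. If some other account explicitly holds HTTP/<host>, the ticket is issued under that account's key, the server cannot decrypt it, and the client sees 0x80090322. setspn -X does not flag this because there is no duplicate, only a wrong owner, and setspn -L on the computer object shows nothing unusual because HTTP/ is not expected there. The script below is an added diagnostic, not part of the original post; it assumes the ActiveDirectory RSAT module is installed on the workstation and uses the names from the question (Server1, domain.local) as placeholders.

```powershell
# Added diagnostic, not from the original post. Assumes the ActiveDirectory
# RSAT module is installed on the workstation; Server1 and domain.local are
# placeholders taken from the question.

param(
    [string]$Target = 'Server1',
    [string]$Domain = 'domain.local'
)

Import-Module ActiveDirectory -ErrorAction Stop

$fqdn = "$Target.$Domain"

# 1. Which AD objects hold an HTTP/ SPN for this host?
#    Expected: none at all, or only the computer object for $Target.
$filter = "(|(servicePrincipalName=HTTP/$Target)(servicePrincipalName=HTTP/$fqdn))"
$owners = Get-ADObject -LDAPFilter $filter -Properties servicePrincipalName, objectClass

if (-not $owners) {
    Write-Host "No explicit HTTP/ SPN for $Target; the KDC will fall back to HOST/ (normal)."
} else {
    foreach ($o in $owners) {
        $flag = if ($o.objectClass -eq 'computer' -and $o.Name -eq $Target) { 'OK' } else { 'SUSPECT' }
        $httpSpns = ($o.servicePrincipalName | Where-Object { $_ -like 'HTTP/*' }) -join ', '
        Write-Host ("[{0}] {1} ({2}) holds: {3}" -f $flag, $o.DistinguishedName, $o.objectClass, $httpSpns)
    }
}

# 2. Ask the KDC for the ticket WinRM would use and inspect the 'Server:' line.
#    A ticket is still issued when the SPN sits on a user account, which is why
#    the failure only surfaces when Server1 tries to decrypt it.
klist purge | Out-Null
klist get "HTTP/$fqdn"

# 3. Reproduce with Kerberos forced, so Negotiate cannot quietly fall back.
try {
    Test-WSMan -ComputerName $fqdn -Authentication Kerberos -ErrorAction Stop | Out-Null
    Write-Host "Kerberos WinRM to ${fqdn}: OK"
} catch {
    Write-Warning "Kerberos WinRM to $fqdn failed: $($_.Exception.Message)"
}
```

Run it from the workstation as the domain account that fails. A SUSPECT line in step 1 together with a failing step 3 is the SPN-ownership problem; no SUSPECT line and a failing step 3 points somewhere else (listener, firewall, or the service account WinRM runs as).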

Answer 1

I resolved this.

It was an SPN problem. HTTP/Server1 and HTTP/Server1.domain were being used by a random user account with the server's name.

After disabling the account and moving the SPNs to the computer object, WinRM now works as it should.

This pointed me in the right direction.

Answer 2

I fixed this problem myself with an SPN reset:

setspn -R <hostname>
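The two answers describe two different operations: Answer 1 moves the HTTP/ SPNs off the wrong account and onto the computer object, and Answer 2 resets the computer object's default SPNs (HOST/ and RestrictedKrbHost/). The script below is an added example that is not the code of either answerer; it carries both steps through in order, with the verification a practitioner would want afterwards. It assumes the names from the thread (Server1, domain.local) and a placeholder account name svc-rogue for whatever account the SPN query shows as the current holder; run it as a domain admin from an elevated prompt.

```powershell
# Added remediation, not from either answer. Server1, domain.local and
# svc-rogue are placeholders; svc-rogue stands for whatever account
# 'setspn -Q HTTP/<host>' reports as the current SPN holder.

param(
    [string]$Target       = 'Server1',
    [string]$Domain       = 'domain.local',
    [string]$RogueAccount = 'svc-rogue'   # placeholder sAMAccountName holding HTTP/<host>
)

$fqdn            = "$Target.$Domain"
$computerAccount = $Target + '$'
$spns            = @("HTTP/$Target", "HTTP/$fqdn")

# 1. Confirm where the SPN currently lives before changing anything.
setspn -Q "HTTP/$fqdn"

# 2. Answer 1, first half: take the HTTP/ SPNs away from the wrong account.
#    (Answer 1 also disabled that account; that is an account-hygiene decision,
#    the SPN removal is what changes which key the KDC uses for the ticket.)
foreach ($spn in $spns) {
    setspn -D $spn $RogueAccount
}

# 3. Answer 1, second half: register them on the computer object. -S checks
#    for duplicates first, so it refuses if step 2 did not actually succeed.
#    HOST/<host> already covers HTTP for the computer account, so this is
#    optional; it makes ownership explicit and visible in 'setspn -L'.
foreach ($spn in $spns) {
    setspn -S $spn $computerAccount
}

# 4. Answer 2: reset the default SPNs on the computer object. This rebuilds
#    HOST/ and RestrictedKrbHost/; it does not touch SPNs on other accounts,
#    which is why step 2 is still required when another account holds HTTP/.
setspn -R $Target

# 5. Verify. The client must drop the ticket it cached under the old key,
#    then a Kerberos-only test and a real remote command should both succeed.
setspn -L $Target
klist purge | Out-Null
Test-WSMan -ComputerName $fqdn -Authentication Kerberos
Invoke-Command -ComputerName $fqdn -ScriptBlock { hostname }
```

Replication to the domain controller the client talks to can lag a few seconds; if step 5 still fails immediately after step 3, purge the ticket cache again and retry before assuming the SPN change did not take.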
