I am troubleshooting an issue where a PRTG sensor is not collecting Windows Update information from one of our servers. It uses WinRM and remote PowerShell commands to do this.
Server 1 - the server with the issue
Server 2 - working server
When I test the connection with Enter-PSSession -ComputerName Server1 or winrs -r:Server1 dir, I keep getting the following error:
PS C:\WINDOWS\system32> winrs -r:Server1 dir
Winrs error:WinRM cannot process the request. The following error with errorcode 0x80090322 occurred while using Kerberos authentication: An unknown security error occurred.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does not exist.
-The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following command: winrm help config.
PS C:\WINDOWS\system32> Enter-PSSession -ComputerName Server1
Enter-PSSession : Connecting to remote server Server1 failed with the following error message : WinRM cannot process the request. The
following error with errorcode 0x80090322 occurred while using Kerberos authentication: An unknown security error occurred.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does not exist.
-The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following command: winrm help config. For more information, see the
about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ Enter-PSSession -ComputerName Server1
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (Server1:String) [Enter-PSSession], PSRemotingTransportException
+ FullyQualifiedErrorId : CreateRemoteRunspaceFailed
If I run the command against any other server, the connection succeeds; this is the only server giving me trouble.
If I run Enter-PSSession with the -Credential switch using my own user account, I get the same error, but if I run the command and specify the local administrator account of the server, it will connect. Other servers work fine.
PS C:\WINDOWS\system32> Enter-PSSession -ComputerName Server1 -Credential Server1\administrator
[Server1]: PS C:\Users\Administrator\Documents> exit
PS C:\WINDOWS\system32> Enter-PSSession -ComputerName Server1 -credential domain\myuser
Enter-PSSession : Connecting to remote server Server1 failed with the following error message : WinRM cannot process the request. The
following error with errorcode 0x80090322 occurred while using Negotiate authentication: An unknown security error occurred.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does not exist.
-The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following command: winrm help config. For more information, see the
about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ Enter-PSSession -ComputerName Server1 -credential alpenaw2k.local\kemp ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (Server1:String) [Enter-PSSession], PSRemotingTransportException
+ FullyQualifiedErrorId : CreateRemoteRunspaceFailed
PS C:\WINDOWS\system32> Enter-PSSession -ComputerName Server2
[Server2]: PS C:\Users\user\Documents> exit
PS C:\WINDOWS\system32>
If I run New-PSSession from the local server, I get the same error unless I specify the -EnableNetworkAccess switch, in which case it connects. This is what confuses me. Event Viewer gives me event ID 161 related to user authentication and error 142 for failing to create the session.
If I run Test-WSMan from the local server and from the remote host, it reports that it is running.
Here are the WinRM settings and the listener configuration:
PS C:\Windows\system32> winrm get winrm/config
Config
MaxEnvelopeSizekb = 500
MaxTimeoutms = 60000
MaxBatchItems = 32000
MaxProviderRequests = 4294967295
Client
NetworkDelayms = 5000
URLPrefix = wsman
AllowUnencrypted = false
Auth
Basic = true
Digest = true
Kerberos = true
Negotiate = true
Certificate = true
CredSSP = false
DefaultPorts
HTTP = 5985
HTTPS = 5986
TrustedHosts = 10.10.10.142
Service
RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
MaxConcurrentOperations = 4294967295
MaxConcurrentOperationsPerUser = 1500
EnumerationTimeoutms = 240000
MaxConnections = 300
MaxPacketRetrievalTimeSeconds = 120
AllowUnencrypted = false
Auth
Basic = false
Kerberos = true
Negotiate = true
Certificate = false
CredSSP = false
CbtHardeningLevel = Relaxed
DefaultPorts
HTTP = 5985
HTTPS = 5986
IPv4Filter = *
IPv6Filter = *
EnableCompatibilityHttpListener = false
EnableCompatibilityHttpsListener = false
CertificateThumbprint
AllowRemoteAccess = true
Winrs
AllowRemoteShellAccess = true
IdleTimeout = 7200000
MaxConcurrentUsers = 2147483647
MaxShellRunTime = 2147483647
MaxProcessesPerShell = 2147483647
MaxMemoryPerShellMB = 2147483647
MaxShellsPerUser = 2147483647
PS C:\Windows\system32> winrm enumerate winrm/config/listener
Listener
Address = *
Transport = HTTP
Port = 5985
Hostname
Enabled = true
URLPrefix = wsman
CertificateThumbprint
ListeningOn = 10.10.10.87, 127.0.0.1, ::1, fe80::4579:db85:c9cb:ead0%6
Other things I have tried:
- I have no GPO configured for WinRM.
- I have removed and recreated the listener.
- I have reset the WinRM configuration several times.
- Disabled Windows Firewall with Advanced Security for the public, private and domain profiles.
- I checked the permissions with Set-PSSessionConfiguration -Name Microsoft.PowerShell -ShowSecurityDescriptorUI and they seem fine.
- I used the IP address instead of the hostname and got the same result.
- I added my computer to the trusted hosts list, but it did not work. This should not be required anyway, since both computers are in the same domain.
- Ran Enable-PSRemoting -Force (although this should be unnecessary, since WinRM is enabled by default on Server 2012 and later).
- I added my user to the local Administrators and Remote Management Users groups on the server, without success.
- I tweaked the registry with REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1, but this did not work regardless of its value.
- I rebooted and ran sfc /scannow as a last-ditch effort.
Specs for the server, the workstation and my user:
- My domain account is a domain admin.
- The server is Windows Server 2019 Standard.
- The workstation is Windows 10 Pro.
- PowerShell version 5 on both.
- Both computers are in the same domain.
- Both computers are fully up to date.
I can use the local administrator account to poll this information and work around my horrible problem, but that does not fix the underlying issue.
On the remote server there are no error entries in the Windows Remote Management log, but on my computer there are the following error entries:
Error Event ID - 142
WSMan operation Enumeration failed, error code 2150858909
Error Event ID - 49
The WinRM protocol operation failed due to the following error: WinRM cannot process the request. The following error with errorcode 0x80090322 occurred while using Kerberos authentication: An unknown security error occurred.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does not exist.
-The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following command: winrm help config..
Error Event ID - 161
WinRM cannot process the request. The following error with errorcode 0x80090322 occurred while using Kerberos authentication: An unknown security error occurred.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does not exist.
-The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following command: winrm help config.
I can connect to the server via RDP, which is how I did some of the local testing.
I tested these two commands:
gwmi win32_operatingsystem -ComputerName Server1
runs fine without issue, both when specifying the remote server and when run locally after RDPing in.
Get-CimInstance win32_operatingsystem -ComputerName Server1
I cannot run from my workstation, but if I RDP into the server and run it there, it runs fine.
The output of SetSPN -X returns no duplicate SPNs.
The output returned by SetSPN -L:
Registered ServicePrincipalNames for CN=Server1,OU=Servers,OU=Organization,DC=Organization,DC=LOCAL:
TERMSRV/Server1.DOMAIN.LOCAL
WSMAN/Server1.DOMAIN.LOCAL
RestrictedKrbHost/Server1.DOMAIN.LOCAL
HOST/Server1.DOMAIN.LOCAL
TERMSRV/Server1
WSMAN/Server1
RestrictedKrbHost/Server1
HOST/Server1
Any and all suggestions are greatly appreciated.
Answer 1
I solved it.
It was an SPN issue. HTTP/Server1 and HTTP/Server1.domain were in use by a random user account named after the server.
After disabling that account and moving the SPNs to the computer object, WinRM now works properly.
This is what pointed me in the right direction.
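Added example, not code from the original post or either answer: a PowerShell check that finds which AD object owns the HTTP/ and WSMAN/ SPNs a WinRM client would request for a host, so a misplaced SPN like the one in this answer (which SetSPN -L on the computer object alone cannot reveal) is spotted directly. It assumes the RSAT ActiveDirectory module and rights to read AD; the host name Server1 is a hypothetical default.

```powershell
# Added example (not from the original post): report who owns the HTTP/ and
# WSMAN/ SPNs for a host and flag any owner other than the host's own
# computer account. Assumes the RSAT ActiveDirectory module is installed.
param([string]$TargetHost = 'Server1')   # hypothetical host name
Import-Module ActiveDirectory

$computer = Get-ADComputer -Identity $TargetHost
$fqdn     = $computer.DNSHostName

# WinRM over HTTP asks Kerberos for HTTP/<host>; the KDC only falls back to
# HOST/<host> when no HTTP/<host> SPN is registered anywhere. An HTTP/ SPN on a
# user account therefore yields a ticket the server cannot decrypt, which the
# client surfaces as errorcode 0x80090322.
$spns = @("HTTP/$TargetHost", "HTTP/$fqdn", "WSMAN/$TargetHost", "WSMAN/$fqdn")

foreach ($spn in $spns) {
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" `
                             -Properties objectClass)
    if ($owners.Count -eq 0) {
        '{0,-32} not registered (HOST/ fallback applies)' -f $spn
        continue
    }
    foreach ($owner in $owners) {
        if ($owner.DistinguishedName -eq $computer.DistinguishedName) {
            '{0,-32} OK, on computer object' -f $spn
        } else {
            '{0,-32} MISPLACED on {1} {2}' -f $spn, $owner.ObjectClass, $owner.DistinguishedName
        }
    }
}

# Remediation matching the answer above, run manually after reviewing the output
# (<account> is the sAMAccountName of the misplaced owner):
#   setspn -D HTTP/Server1 <account>   # remove the SPN from the wrong object
#   setspn -S HTTP/Server1 Server1     # add it to the computer, refusing duplicates
```

Run the check again after the move; every line should read "OK, on computer object" or "not registered", and a line reporting more than one owner for the same SPN indicates a duplicate that Kerberos cannot resolve.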
Answer 2
I fixed this problem myself by resetting the SPN:
setspn -R <hostname>