9

I am trying to bring up a virtual machine that needs to be able to create new sessions (with New-PSSession). The highly engaging about_Remote_Troubleshooting is my constant companion, of course!

After bringing up a basic machine (Win 8.1 Enterprise):

  • My company's primary domain is, say, mycompany.com.
  • We have a development domain dev.mycompany.com so that developers have a sandbox to play with.
  • I added the new VM (named my-vm) to the development domain dev.mycompany.com.
  • I have a local account on the new VM, my-vm\msorens which is in the Administrators group on the local machine.

First Hurdle:

Attempting to run just New-PSSession failed with access denied because of cross-domain issues. Per the troubleshooting page referenced above:

When a user in another domain is a member of the Administrators group on the local computer, the user cannot connect to the local computer remotely with Administrator privileges.

I am not convinced this is true (due to my inexperience in domain issues) but applying the recipe for that remedy allowed the basic New-PSSession to work:

New-ItemProperty `
-Name LocalAccountTokenFilterPolicy `
-Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System `
-PropertyType DWord `
-Value 1

(And that, while less secure, is fine, as it is just a sandbox VM.)

Second Hurdle:

With the above patch in place I could successfully do any of these:

PS> New-PSSession
PS> New-PSSession -ComputerName localhost
PS> New-PSSession -ComputerName my-vm

However, my actual need is to give the FQDN of the machine:

PS> New-PSSession -ComputerName my-vm.dev.mycompany.com

That fails because of missing credentials. Which brings us to this:

PS> New-PSSession -ComputerName my-vm.dev.mycompany.com -Credential (Get-Credential)

I have tried my local (my-vm) credentials, which resulted in WinRM cannot process the request; no logon servers available.

I have tried my company domain credentials (note that is mycompany.com, not the domain the VM is actually on, dev.mycompany.com), which resulted in Access is denied.

Is there a way to make this work?

Michael Sorens
  • Have you tried specifying a UPN suffix? myuser@mydom.com – red888 Aug 28 '14 at 19:23
  • 1
    Does the `dev.mycompany.com` domain trust the `mycompany.com` domain? If not, you may not be able to connect. Also, we have an environment very similar to yours. My main corporate account is an Administrator on my VM, which is on our dev domain, and I'm able to log into the VM. – splattered bits Aug 28 '14 at 22:44

1 Answer

10

At work we have the same situation. Here are some steps we do on new coworkers' computers so they are able to connect to these servers that are outside our domain.

On client side

winrm quickconfig
winrm set winrm/config/client '@{TrustedHosts="Computer1,Computer2"}'

On server side

Enable-PSRemoting -Force
winrm quickconfig

For HTTPS

winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Hostname="_";CertificateThumbprint="_"}'

For HTTP

winrm create winrm/config/Listener?Address=*+Transport=HTTP

Test with

Test-WsMan ComputerName
Test-WsMan ComputerName -UseSSL

Create a session with

New-PSSession -ComputerName Computer1 -Credential (Get-Credential)

Of course you need to configure your firewall to let the server listen on the PowerShell remoting port.

Edit: Set TrustedHosts with PowerShell

Or with PowerShell (as Admin)

Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value "Computer1,Computer2"

And check (don't need Admin for that)

Get-Item WSMan:\localhost\Client\TrustedHosts
hdev
  • 1
    Or, instead of a New-PSSession, you can just do an Enter-PSSession. Also, I only needed this line - winrm set winrm/config/client '@{TrustedHosts="Computer1"}' - since I had remoting working intra-domain from before. – Gomibushi Mar 13 '17 at 08:39
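
A read-only check of the three settings this thread changes (TrustedHosts, listener transport, LocalAccountTokenFilterPolicy), as an added example that is not part of the original posts. The function name Get-RemotingFindings and the sample values are made up for illustration.

```powershell
# Added example, not from the original posts. Pure function: pass it the values
# read from the machine (see the commented lines at the end).
function Get-RemotingFindings {
    param(
        [string]   $TrustedHosts = '',          # WSMan:\localhost\Client\TrustedHosts
        [string[]] $ListenerTransports = @(),   # transports of the configured listeners
        [int]      $LocalAccountTokenFilterPolicy = 0
    )
    $findings = @()

    # Hosts matched by TrustedHosts are not authenticated by the client, so the
    # list should hold exact names only. Wildcards are flagged.
    $entries = @($TrustedHosts -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    foreach ($entry in $entries) {
        if ($entry -eq '*') {
            $findings += 'TrustedHosts is *: server identity is not verified for any host'
        } elseif ($entry.Contains('*')) {
            $findings += "TrustedHosts entry '$entry' is a wildcard pattern; list exact names"
        }
    }

    # An HTTPS listener lets the client check the server certificate.
    if ($ListenerTransports -contains 'HTTP' -and $ListenerTransports -notcontains 'HTTPS') {
        $findings += 'Only an HTTP listener exists; add an HTTPS listener and connect with -UseSSL'
    }

    # Value 1 turns off UAC remote token filtering for local Administrators members.
    if ($LocalAccountTokenFilterPolicy -eq 1) {
        $findings += 'LocalAccountTokenFilterPolicy=1: local admin accounts get a full token over the network'
    }
    return $findings
}

# Constructed sample: the thread's settings plus one wildcard entry added for illustration.
$sample = @{
    TrustedHosts                  = 'Computer1, *.dev.mycompany.com'
    ListenerTransports            = @('HTTP')
    LocalAccountTokenFilterPolicy = 1
}
Get-RemotingFindings @sample   # emits three findings for this sample

# Live values (elevated prompt, WinRM service running):
#   (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
#   Get-ChildItem WSMan:\localhost\Listener      # Keys show Transport=HTTP or HTTPS
#   (Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System).LocalAccountTokenFilterPolicy
```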