
I am trying to install Exchange CU 14 from Server A to Server B through PowerShell remoting and Invoke-Command.

The installation completes successfully when running locally on Server B as the same logged-on user, but not remotely using Invoke-Command from another server.

Running on Server A (simplified version; $SetupPath and $Params are correct):

$ScriptBlock_ExchangeInstallation = {
    Start-Process $SetupPath -ArgumentList $Params -NoNewWindow
}

$SessionOptions = New-PSSessionOption -MaxConnectionRetryCount 50 -IdleTimeout 86400000 -OperationTimeout 21600000
$SecPw= ConvertTo-SecureString "PwSuperSecure!" -AsPlainText -Force
$Creds = New-Object System.Management.Automation.PSCredential ("MrMarshall\Andreas.marshall", $SecPw)

Invoke-Command -ComputerName "ServerB" -SessionOption $SessionOptions -ScriptBlock $ScriptBlock_ExchangeInstallation -ErrorAction Stop -Authentication Kerberos -Credential $Creds

In the failed Exchange logs, I can see the error:

[11/12/2019 21:34:18.0728] [0] [ERROR] Active Directory operation failed on . The supplied credential for 'MRMARSHALL\andreas.marshall' is invalid.
[11/12/2019 21:34:18.0728] [0] [ERROR] The supplied credential is invalid.

It feels like the credentials are not passed correctly to the DC during the installation. Any ideas on how I could start the installation some other way?

More exceptions.

Microsoft.Exchange.Configuration.MonadDataProvider.MonadDataAdapterInvocationException: Active Directory operation failed on . The supplied credential for 'MRMARSHALL\andreas.marshall' is invalid. It was running the command 'Get-OrganizationConfig'. ---> Microsoft.Exchange.Data.Directory.ADInvalidCredentialException: Active Directory operation failed on . The supplied credential for 'MRMARSHALL\andreas.marshall' is invalid. ---> System.DirectoryServices.Protocols.LdapException: The supplied credential is invalid.

Andreas
  • 1. Pretty sure you're not supposed to use PowerShell to install Exchange; 2. You're still running into a double-hop issue -- you're not actually authenticating locally on the remote server, and the remote server isn't allowed to delegate your credentials off-system. If you want to do it this way, you need to configure Kerberos Constrained Delegation for that host on your account, or use another mechanism to actually locally start a process on the remote server so that you can access off-system resources. – Semicolon Nov 12 '19 at 22:46

1 Answer


After some reading, this is a double-hop issue, just like @Semicolon commented. I could not configure Kerberos for this, so I went another way: scheduling a task locally and starting it to run the job for me.

It's not pretty, but it works for now!

I am invoking the code below to start the process locally on the remote servers.

# Define the task: run setup from the UNC path with the CU14 parameters
$Action = New-ScheduledTaskAction -Execute $SetupPathUNC -Argument $MediaParametersExchangeCU14
$Settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -WakeToRun

# Register the task under the install account (the password is stored with the task) and start it
Register-ScheduledTask -Action $Action -User "MrMarshall\andreas.marshall" -Password "Bytidag123!" -TaskName "Start_ExchangeInstallation" -RunLevel Highest -Settings $Settings -Force
Start-ScheduledTask -TaskName "Start_ExchangeInstallation" -ErrorAction Stop | Out-Null

# Poll once a minute until the task is back in the 'Ready' state
while ((Get-ScheduledTask -TaskName 'Start_ExchangeInstallation').State -ne 'Ready') {
    Write-Output "$(Get-Date) Waiting on scheduled task..." | Tee-Object "$LogPath/_MainLog.txt" -Append
    Start-Sleep 60
}
Andreas
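
An added example, not code from the original answer: the same scheduled-task workaround for the double hop, with the credential prompted for at run time instead of written into the script, and the task deleted afterwards so the saved password does not remain on the remote server. The UNC path and setup arguments are placeholders; the server and task names follow the post.

```powershell
# Added example. Path and arguments are placeholders, not values from the post.
$SetupPathUNC = '\\fileserver\share\ExchangeCU14\Setup.exe'   # hypothetical UNC path
$SetupArgs    = '<setup parameters>'                          # placeholder
$TaskName     = 'Start_ExchangeInstallation'

# Prompt at run time so the password is never written into the script.
$Cred = Get-Credential -Message 'Account that runs Exchange setup on ServerB'

$ExitCode = Invoke-Command -ComputerName 'ServerB' -Credential $Cred -Authentication Kerberos -ScriptBlock {
    $cred     = $using:Cred
    $taskName = $using:TaskName
    $action   = New-ScheduledTaskAction -Execute $using:SetupPathUNC -Argument $using:SetupArgs
    try {
        # Task Scheduler logs the account on locally with the saved password,
        # so setup holds its own credentials when it talks to the DC.
        Register-ScheduledTask -TaskName $taskName -Action $action `
            -User $cred.UserName -Password $cred.GetNetworkCredential().Password `
            -RunLevel Highest -Force -ErrorAction Stop | Out-Null
        Start-ScheduledTask -TaskName $taskName -ErrorAction Stop

        # Wait until the task returns to 'Ready', as in the answer's loop.
        do {
            Start-Sleep -Seconds 60
        } while ((Get-ScheduledTask -TaskName $taskName).State -ne 'Ready')

        # Exit code of the last run; 0 means the process returned success.
        (Get-ScheduledTaskInfo -TaskName $taskName).LastTaskResult
    }
    finally {
        # Delete the task so the saved credential does not stay on the server.
        Unregister-ScheduledTask -TaskName $taskName -Confirm:$false -ErrorAction SilentlyContinue
    }
}

if ($ExitCode -ne 0) {
    throw "Setup on ServerB finished with exit code $ExitCode; check the Exchange setup log."
}
```

For an installation that runs for hours, pass the question's `$SessionOptions` to `Invoke-Command` with `-SessionOption` as well.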