PowerShell Remoting into Non-Domain server issue
Can anyone help with the following problem?
I am trying to remote into a server (SVR_A) that is not part of the domain from the server (SRV_B) in a company domain.
- The IP address range of SRV_B is 10.0.X.X.
- The IP address of SRV_A is 172.23.1.2.
I can ping each server (SVR_A to SVR_B and vice versa). WinRM is running on both servers and Enable-PSRemoting is configured correctly in both cases. The SRV_B also has added the SRV_A to its TrustedHosts list.

    get-item WSMan:\localhost\Client\TrustedHosts

Returns

       WSManConfig: Microsoft.WSMan.Management\WSMan::localhost\Client

    Type            Name                           SourceOfValue   Value
    ----            ----                           -------------   -----
    System.String   TrustedHosts                                   SVR_A

The SRV_A is one of the web servers in our DMZ, so there are other web servers that are not part of the domain. I can remote into web servers using Invoke-Command or Enter-PSSession, but not from the App Server (SRV_B) which is in company domain.
I get this error:

    [SRV_A] Connecting to remote server SRV_A failed with the following error message : The client
    cannot connect to the destination specified in the request. Verify that the service on the destination is running and
    is accepting requests. Consult the logs and documentation for the WS-Management service running on the destination,
    most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to
    analyze and configure the WinRM service: "winrm quickconfig". For more information, see the
    about_Remote_Troubleshooting Help topic.
        + CategoryInfo          : OpenError: (SRV_A:String) [], PSRemotingTransportException
        + FullyQualifiedErrorId : CannotConnect,PSSessionStateBroken

PowerShell version on both ends:

    Name                           Value
    ----                           -----
    PSVersion                      4.0
    WSManStackVersion              3.0
    SerializationVersion           1.1.0.1
    CLRVersion                     4.0.30319.42000
    BuildVersion                   6.3.9600.19170
    PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0}
    PSRemotingProtocolVersion      2.2

Result of winrm e winrm/config/listener on SRV_A:

    Listener
        Address = *
        Transport = HTTP
        Port = 5985
        Hostname
        Enabled = true
        URLPrefix = wsman
        CertificateThumbprint
        ListeningOn = 127.0.0.1, 172.23.1.2, ::1, fe80::5efe:172.23.1.2%13

1. As per the winrm e winrm/config/listener output on Server A...
   - it is using port 5985
   - and listening with an IP address of 172.23.1.2
2. Check any firewall rules or router configurations and ensure...
   - the 10.0.x.x ServerB traffic can get across to the 172.23.1.2 IP address (and subnet) to ServerA
   - and with the 5989 port in particular
3. Additionally...
   - run Enable-PSRemoting -Force; PowerShell administrator elevated on ServerA again
   - consider trusting only the IP address of Server B or its entire 10.0.x.x subnet on ServerA
   - use a valid Server A credential but execute it on ServerB with the remote PowerShell command and it will work with non-trusted domains as long as the network traffic and port access is allowed
     - Executing this on Server B

           Invoke-Command -ComputerName "ServerA" -ScriptBlock { <Remote Command...> } -Credential (Get-Credential "SrvA\UserNameHere")

4. To assist troubleshooting...
   - run

         Enter-PSSession -ComputerName "ServerA" -Credential (Get-Credential "SrvA\UserNameHere")

     to confirm you can access ServerA from ServerB
5. Last but not least for more thoroughness...
   - consider updating your Server 2012 R2 to PowerShell 5.1 for additional thoroughness
Supporting Resource
- How to configure WINRM for HTTPS
- Enable-PSRemoting
- Enter-PSSession
- Invoke-Command
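
The checks from steps 1, 2 and 4 of the answer above, combined into one script to run on ServerB. This is an added example, not part of the original question or answer; the function name Test-RemotingPath is hypothetical, and the default address and port are the ones shown in the question's listener output.

```powershell
# Added example: run on ServerB from an elevated PowerShell prompt.
# Test-RemotingPath is a hypothetical helper name; defaults come from the
# listener output in the question (172.23.1.2, HTTP, port 5985).
function Test-RemotingPath {
    param(
        [string]$Target = '172.23.1.2',
        [int]$Port = 5985
    )

    # 1. Raw TCP reachability. A failure here points at firewall or routing
    #    between the 10.0.x.x and 172.23.1.x networks, not at WinRM itself.
    $tcp = Test-NetConnection -ComputerName $Target -Port $Port -WarningAction SilentlyContinue

    # 2. Unauthenticated WS-Management identify request. A failure with the
    #    port open points at the listener or the WinRM service on the target.
    $wsmanOk = $false
    $wsmanError = $null
    if ($tcp.TcpTestSucceeded) {
        try   { $null = Test-WSMan -ComputerName $Target -Port $Port -ErrorAction Stop; $wsmanOk = $true }
        catch { $wsmanError = $_.Exception.Message }
    }

    # 3. Client-side TrustedHosts. The entry has to match the exact string
    #    later passed to -ComputerName (a name entry does not cover the IP).
    $entries = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value -split ',' |
        ForEach-Object { $_.Trim() } | Where-Object { $_ }
    $trusted = [bool]($entries | Where-Object { $Target -like $_ })

    [pscustomobject]@{
        Target         = $Target
        Port           = $Port
        TcpOpen        = $tcp.TcpTestSucceeded
        WSManResponds  = $wsmanOk
        WSManError     = $wsmanError
        InTrustedHosts = $trusted
    }
}

$result = Test-RemotingPath
$result | Format-List

# Only attempt the session once all three checks pass. Over HTTP with
# TrustedHosts the client does not verify the server's identity, so keep the
# entry as narrow as possible (a single IP) or use an HTTPS listener.
if ($result.TcpOpen -and $result.WSManResponds -and $result.InTrustedHosts) {
    $cred = Get-Credential 'SrvA\UserNameHere'   # local account on ServerA, as in the answer
    Invoke-Command -ComputerName $result.Target -Credential $cred -ScriptBlock { $env:COMPUTERNAME }
}
```

The first property that comes back false shows which layer to look at: network path, WinRM listener, or client trust configuration.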