Powershell remoting to a server using CNAME, not COMPUTER NAME
I am trying to get powershell remoting to work with a server using it's CNAME rather than the computer name. Both local and remote machines are on the same network and domain.
I have enabled powershell remoting, and it works fine with the computer name. I have set my TrustedHosts to the CNAME and have added the SPN for the CNAME, however when I issue the Enter-PSSession CNAME
I get the following:
Enter-PSSession : Connecting to remote server CNAME failed with the following
error message : WinRM cannot process the request. The following error
occurred while using Kerberos authentication: Cannot find the computer CNAME.
Verify that the computer exists on the network and that the name
provided is spelled correctly. For more information, see the
about_Remote_Troubleshooting Help topic.
Executing setspn -l COMPUTERNAME
gives me this:
Registered ServicePrincipalNames for CN=COMPUTERNAME,OU=SERVERS,DC=COMPANY,DC=private:
WSMAN/CNAME
WSMAN/COMPUTERNAME
WSMAN/COMPUTERNAME.local
TERMSRV/COMPUTERNAME
TERMSRV/COMPUTERNAME.local
HOST/COMPUTERNAME
HOST/COMPUTERNAME.local
What else is needed to enable access via the CNAME?
Solution 1:
What I did to resolve this issue was to create a proxy function for Enter-PSSession that resolves the CNAME for me. This might not work in your case, depending on why you need to use the CNAME, but this works for me.
Details on proxy powershell functions: http://www.windowsitpro.com/blog/powershell-with-a-purpose-blog-36/windows-powershell/powershell-proxy-functions-141413
Full function:
function Enter-PSSession {
[CmdletBinding(DefaultParameterSetName='ComputerName')]
param(
[Parameter(ParameterSetName='ComputerName', Mandatory=$true, Position=0, ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true)]
[Alias('Cn')]
[ValidateNotNullOrEmpty()]
[string]
${ComputerName},
[Parameter(ParameterSetName='Session', Position=0, ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true)]
[ValidateNotNullOrEmpty()]
[System.Management.Automation.Runspaces.PSSession]
${Session},
[Parameter(ParameterSetName='Uri', Position=1, ValueFromPipelineByPropertyName=$true)]
[Alias('URI','CU')]
[ValidateNotNullOrEmpty()]
[uri]
${ConnectionUri},
[Parameter(ParameterSetName='InstanceId', ValueFromPipelineByPropertyName=$true)]
[ValidateNotNull()]
[guid]
${InstanceId},
[Parameter(ParameterSetName='Id', Position=0, ValueFromPipelineByPropertyName=$true)]
[ValidateNotNull()]
[int]
${Id},
[Parameter(ParameterSetName='Name', ValueFromPipelineByPropertyName=$true)]
[string]
${Name},
[Parameter(ParameterSetName='Uri')]
[Parameter(ParameterSetName='ComputerName')]
[switch]
${EnableNetworkAccess},
[Parameter(ParameterSetName='ComputerName', ValueFromPipelineByPropertyName=$true)]
[Parameter(ParameterSetName='Uri', ValueFromPipelineByPropertyName=$true)]
[system.management.automation.pscredential]
${Credential},
[Parameter(ParameterSetName='ComputerName')]
[ValidateRange(1, 65535)]
[int]
${Port},
[Parameter(ParameterSetName='ComputerName')]
[switch]
${UseSSL},
[Parameter(ParameterSetName='ComputerName', ValueFromPipelineByPropertyName=$true)]
[Parameter(ParameterSetName='Uri', ValueFromPipelineByPropertyName=$true)]
[string]
${ConfigurationName},
[Parameter(ParameterSetName='ComputerName', ValueFromPipelineByPropertyName=$true)]
[string]
${ApplicationName},
[Parameter(ParameterSetName='Uri')]
[switch]
${AllowRedirection},
[Parameter(ParameterSetName='Uri')]
[Parameter(ParameterSetName='ComputerName')]
[ValidateNotNull()]
[System.Management.Automation.Remoting.PSSessionOption]
${SessionOption},
[Parameter(ParameterSetName='Uri')]
[Parameter(ParameterSetName='ComputerName')]
[System.Management.Automation.Runspaces.AuthenticationMechanism]
${Authentication},
[Parameter(ParameterSetName='Uri')]
[Parameter(ParameterSetName='ComputerName')]
[string]
${CertificateThumbprint})
begin
{
try {
$outBuffer = $null
if ($PSBoundParameters.TryGetValue('OutBuffer', [ref]$outBuffer))
{
$PSBoundParameters['OutBuffer'] = 1
}
$PSBoundParameters['ComputerName'] = ([System.Net.Dns]::GetHostByName($PSBoundParameters['ComputerName'])).HostName
$wrappedCmd = $ExecutionContext.InvokeCommand.GetCommand('Microsoft.PowerShell.Core\Enter-PSSession', [System.Management.Automation.CommandTypes]::Cmdlet)
$scriptCmd = {& $wrappedCmd @PSBoundParameters }
$steppablePipeline = $scriptCmd.GetSteppablePipeline($myInvocation.CommandOrigin)
$steppablePipeline.Begin($PSCmdlet)
} catch {
throw
}
}
process
{
try {
$steppablePipeline.Process($_)
} catch {
throw
}
}
end
{
try {
$steppablePipeline.End()
} catch {
throw
}
}
<#
.ForwardHelpTargetName Enter-PSSession
.ForwardHelpCategory Cmdlet
#>
}
The only line I added was:
$PSBoundParameters['ComputerName'] = ([System.Net.Dns]::GetHostByName($PSBoundParameters['ComputerName'])).HostName
This simply resolves the CNAME to the FQDN in the proxy function before calling the native Enter-PSSession.
This allows me to set *.mydomain.local in my TrustedHosts via Group Policy, and I can still use "Enter-PSSession ShortName" or "Enter-PSSession CNAME" without having to mess with additional SPNs, etc.