New-PSSession across domain boundaries

I am trying to bring up a virtual machine that needs to be able to create new sessions (with New-PSSession). The highly engaging about_Remote_Troubleshooting is my constant companion, of course!

After bringing up a basic machine (Win 8.1 Enterprise):

  • My company's primary domain is, say, mycompany.com.
  • We have a development domain dev.mycompany.com so that developers have a sandbox to play with.
  • I added the new VM (named my-vm) to the development domain dev.mycompany.com.
  • I have a local account on the new VM, my-vm\msorens which is in the Administrators group on the local machine.

First Hurdle:

Attempting to run just New-PSSession failed with access denied because of cross-domain issues. Per the troubleshooting page referenced above:

When a user in another domain is a member of the Administrators group on the local computer, the user cannot connect to the local computer remotely with Administrator privileges.

I am not convinced this is true (due to my inexperience in domain issues) but applying the recipe for that remedy allowed the basic New-PSSession to work:

New-ItemProperty `
-Name LocalAccountTokenFilterPolicy `
-Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System `
-PropertyType DWord `
-Value 1

(And that, while less secure, is fine, as it is just a sandbox VM.)

Second Hurdle:

With the above patch in place I could successfully do any of these:

PS> New-PSSession
PS> New-PSSession -ComputerName localhost
PS> New-PSSession -ComputerName my-vm

However, my actual need is to give the FQDN of the machine:

PS> New-PSSession -ComputerName my-vm.dev.mycompany.com

That fails because of missing credentials. Which brings us to this:

PS> New-PSSession -ComputerName my-vm.dev.mycompany.com -Credential (Get-Credential)

I have tried my local (my-vm) credentials, which resulted in WinRM cannot process the request; no logon servers available.

I have tried my company domain credentials (note that is mycompany.com, not the domain the VM is actually on, dev.mycompany.com), which resulted in Access is denied.

Is there a way to make this work?


At work we have the same situation. Here are some steps we do on new coworkers' computers so they are able to connect to the servers that are outside our domain.

On client side

winrm quickconfig
winrm set winrm/config/client '@{TrustedHosts="Computer1,Computer2"}'

On server side

Enable-PSRemoting -Force
winrm quickconfig

For HTTPS

winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Hostname="_";CertificateThumbprint="_"}'

For HTTP

winrm create winrm/config/Listener?Address=*+Transport=HTTP

Test with

Test-WsMan ComputerName
Test-WsMan ComputerName -UseSSL

Create a session with

New-PSSession -ComputerName Computer1 -Credential (Get-Credential)

Of course you need to configure your firewall to let the server listen on the PowerShell remoting port.

Edit: Set TrustedHosts with PowerShell

Or with PowerShell (as Admin)

Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value "Computer1,Computer2"

And check (don't need Admin for that)

Get-Item WSMan:\localhost\Client\TrustedHosts
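
An added example, not part of the question or answer above: a read-only PowerShell check that reports the three settings this thread changes (LocalAccountTokenFilterPolicy, TrustedHosts, and the listener transports) so their security impact on a machine can be reviewed. The function name Test-RemotingSetting is hypothetical; the cmdlets, registry path and WSMan: path are the standard ones already used on this page.

```powershell
# Added example: read-only audit of the remoting settings discussed above.
# Run elevated, with the WinRM service running. Nothing is modified.

function Test-RemotingSetting {            # hypothetical helper name
    param(
        [object]$TokenFilterPolicy,        # LocalAccountTokenFilterPolicy value, $null if absent
        [string]$TrustedHosts,             # raw TrustedHosts string from the WSMan: drive
        [string[]]$ListenerTransports      # transport of each listener, e.g. 'HTTP', 'HTTPS'
    )
    if ($TokenFilterPolicy -eq 1) {
        [pscustomobject]@{
            Setting = 'LocalAccountTokenFilterPolicy'; Value = 1
            Finding = 'UAC remote restrictions are off: local Administrators members get a full token over the network.'
        }
    }
    # TrustedHosts is a comma-separated list; an empty string means no entries.
    $entries = @($TrustedHosts -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    foreach ($entry in $entries) {
        $finding = if ($entry -match '\*') {
            'Wildcard entry: server identity is not verified for every matching host.'
        } else {
            'Server identity is not verified for this host; prefer HTTPS with a certificate.'
        }
        [pscustomobject]@{ Setting = 'TrustedHosts'; Value = $entry; Finding = $finding }
    }
    if ($ListenerTransports -contains 'HTTP' -and $ListenerTransports -notcontains 'HTTPS') {
        [pscustomobject]@{
            Setting = 'Listener'; Value = 'HTTP only'
            Finding = 'No HTTPS listener: clients cannot authenticate this server by certificate.'
        }
    }
}

# Collect the live values from this machine.
$key    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policy = (Get-ItemProperty -Path $key -Name LocalAccountTokenFilterPolicy `
              -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy
$trusted    = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
$transports = @(Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate |
                  ForEach-Object { $_.Transport })

Test-RemotingSetting -TokenFilterPolicy $policy -TrustedHosts $trusted `
    -ListenerTransports $transports | Format-Table -AutoSize -Wrap
```

An empty result means none of the three conditions was found on the machine where it ran; run it on the client for TrustedHosts and on the server for the listener and registry checks.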