PowerShell双跳问题

时间:2015-06-23 18:18:15

标签: powershell net-use

我正在尝试在SYSTEM1上运行PowerShell脚本,该脚本在SYSTEM2上执行robocopy,将文件复制到SYSTEM3,4,5等。

SYSTEM1和SYSTEM2位于同一个域中,但SYSTEM2不在防火墙后面(因此需要从SYSTEM2而不是SYSTEM1运行robocopy)。

SYSTEM3,4,5与SYSTEM2位于不同的域,以及彼此不同的域。

我像这样设置脚本(它使用net use命令提示用户输入不同域的凭据):

Foreach($server in $servers) {
        $command = {
            param($cred, $server);
            $error.clear();

            # Stored credentials in local variables
            $user = $cred.GetNetworkCredential().username
            $pass = $cred.GetNetworkCredential().password

            #establish connection from SYSTEM2-> $server
            net use \\$server\c$\Deployments /delete
            net use \\$server\c$\Deployments /USER:$user $pass

            # Check to see if C:\Deployments exists on server, and if not create it.
            if ((Test-Path \\$server\c$\Deployments) -eq $FALSE) {
                $c = {
                    New-Item \\$server\c$\Deployments -type directory
                }

                $ws = Invoke-Command -ComputerName $server -Credential $cred -ScriptBlock $c
            }

            # Copy over the deployment packages
            $dest = "\\$server\Deployments\$DeploymentDate\$CurrentDirectoryName"
            robocopy $CurrentDirectoryPath $dest  /W:20 /R:15 /e /XF CopyPackage.ps1

            # Delete connection from SYSTEM2 -> $server
            net use \\$server\c$\Deployments /delete

但是,net use命令在输入凭据后返回错误:

The network connection could not be found.
    + CategoryInfo          : NotSpecified: (The network con...d not be found.:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
    + PSComputerName        : SYSTEM2

More help is available by typing NET HELPMSG 2250.
System error 55 has occurred.
    + CategoryInfo          : NotSpecified: (System error 55 has occurred.:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
    + PSComputerName        : SYSTEM2

The specified network resource or device is no longer available.
[SYSTEM3] Connecting to remote server failed with the following error message : WinRM cannot process the request. The
following error occured while using Kerberos authentication: There are currently no logon servers available to service
the logon request.
Possible causes are:
  -The user name or password specified are invalid.
  -Kerberos is used when no authentication method and no user name are specified.
  -Kerberos accepts domain user names, but not local user names.
  -The Service Principal Name (SPN) for the remote computer name and port does not exist.
  -The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
  -Check the Event Viewer for events related to authentication.
  -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or
use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
   -For more information about WinRM configuration, run the following command: winrm help config. For more
information, see the about_Remote_Troubleshooting Help topic.
    + CategoryInfo          : OpenError: (:) [], PSRemotingTransportException
    + FullyQualifiedErrorId : PSSessionStateBroken
    + PSComputerName        : SYSTEM2
The network connection could not be found.
    + CategoryInfo          : NotSpecified: (The network con...d not be found.:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
    + PSComputerName        : SYSTEM2

More help is available by typing NET HELPMSG 2250.

我读过这可能是一个“双跳”问题(详见here),但我不确定如何编辑脚本以使用CredSSP而不是Kerberos(或者如果这是问题)。

有什么想法吗?

1 个答案:

答案 0 :(得分:0)

发布此解决方案,以防有人在不使用CredSSP的情况下解决DoubleHop的简单问题。

试试这个: https://www.powershellgallery.com/packages/Invoke-PSSession

它调用PSSession,然后使用您提供的凭据注册PSSessionConfiguration。基本上为DoubleHop提供凭证

然后使用Invoke-Command和新的PSSession。它应具备所需的权限,以满足您的需求。