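Need to use invoke-command

Time: 2015-09-04 06:46:14

Tags: powershell remote-access invoke-command credssp

I have now spent a lot of time on this problem and have already asked in another forum, which helped towards a solution, but in the end I have not got it working yet.

I "simply" need to collect information about the cloud hosts in our company's cloud with the help of a PowerShell script. You can reach the cloud from the local network through a jumphost, and the jumphost is also part of the cloud. From the jumphost you can then reach all the cloudhosts. So I tried 2 pssessions and used invoke-command (using the same password for the jumphost and the cloudhost):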

$cred = Get-Credential ad\username -Message "Please insert the password for the jumphost and the cloudhost"

$session = New-PSSession -ComputerName jumphost -Credential $cred

$cldhost = Read-Host "Please insert the name of the cloudhost"

$script = {
    Param (
        $Credential,
        $cloudhost
    )
    $ses = New-PSSession -ComputerName $cloudhost -Credential $Credential
    Invoke-Command -Session $ses -ScriptBlock { Get-ChildItem C:\ }
    Remove-PSSession $ses
}

Invoke-Command -Session $session -ScriptBlock $script -ArgumentList $cred, $cldhost
Remove-PSSession $session

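But this always gives me the output of C:\ of the jumphost instead of the cloudhost.

In another forum I was advised to use CredSSP or a delegated session. CredSSP is not possible here, because I get an error about a missing SPN in the AD account and I am not allowed to add one, and a delegated session does not help me, because I have administrative rights on the jumphost and the cloudhost and don't need to delegate anything.

But anyway, I don't think this is a credentials problem, because I don't get an "access denied" error or anything like that, and enter-pssession to the jumphost followed by invoke-command from there to the cloudhost works without problems, but I cannot use that in a script. The logic of the nested pssessions code seems to be wrong somehow...

Do you have any idea how to make this work properly?

Delegated administration: http://blogs.technet.com/b/heyscriptingguy/archive/2014/04/03/use-delegated-administration-and-proxy-functions.aspx

CredSSP: http://blogs.technet.com/b/heyscriptingguy/archive/2012/11/14/enable-powershell-quot-second-hop-quot-functionality-with-credssp.aspx

Thanks a lot, Mark

By the way: I tried CredSSP, because it was suggested for the second hop: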

Enable-WSManCredSSP -Role Client -DelegateComputer jumphost -Force

$cred = Get-Credential ad\username -Message "Please insert the password for the jumphost and the cloudhost"
$session = New-PSSession -ComputerName jumphost -Credential $cred
Invoke-Command -Session $session -ScriptBlock {Enable-WSManCredSSP -Role Server -Force; Set-Item wsman:\localhost\client\trustedhosts -value localcomputer -Force; Restart-Service winrm -Force}

$session2 = new-PSSession -ComputerName jumphost -Credential $cred -Authentication Credssp

After entering the last command, I get the following error:

The WinRM client cannot 
process the request. A computer policy does not allow the delegation of the user credentials to the target computer because the 
computer is not trusted. The identity of the target computer can be verified if you configure the WSMAN service to use a valid 
certificate using the following command: winrm set winrm/config/service '@{CertificateThumbprint="<thumbprint>"}'  Or you can 
check the Event Viewer for an event that specifies that the following SPN could not be created: WSMAN/<computerFQDN>. If you find 
this event, you can manually create the SPN using setspn.exe .  If the SPN exists, but CredSSP cannot use Kerberos to validate 
the identity of the target computer and you still want to allow the delegation of the user credentials to the target computer, 
use gpedit.msc and look at the following policy: Computer Configuration -> Administrative Templates -> System -> Credentials 
Delegation -> Allow Fresh Credentials with NTLM-only Server Authentication.  Verify that it is enabled and configured with an SPN 
appropriate for the target computer. For example, for a target computer name "myserver.domain.com", the SPN can be one of the 
following: WSMAN/myserver.domain.com or WSMAN/*.domain.com. Try the request again after these changes. Weitere Informationen 
finden Sie im Hilfethema "about_Remote_Troubleshooting".
In Zeile:1 Zeichen:13
+ $session2 = new-PSSession -ComputerName jumphost -Credential $cred -Aut ...
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotingTransportE 
   xception
    + FullyQualifiedErrorId : -2144108124,PSSessionOpenFailed 

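I don't know how to get any further with CredSSP; anyway, it would be better without CredSSP.

In addition: it should work with a delegated session, so I tried the following:

On the jumphost:

Register-PSSessionConfiguration -Name PowerShell.Session -SessionType DefaultRemoteShell -AccessMode Remote -RunAsCredential 'ad\username' -ShowSecurityDescriptorUI -Force

Then I granted access to the user 'ad\username' (invoke and read access). After that, I could use the session configuration on the jumphost with the following commands: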

$cred = Get-Credential ad\username -Message "Please enter the password for jumphost" 

$session = New-PSSession -ConfigurationName PowerShell.Session -ComputerName jumphost -Credential $cred

So the session was connected, and I entered the other commands:

$cldhost = Read-Host "Please enter the cloudhost name"

$script = {
    Param (
        $Credential,
        $Hostname2
    )
    $ses = New-PSSession -ComputerName $Hostname2 -Credential $Credential
    Invoke-Command -Session $ses -ScriptBlock { Get-ChildItem C:\ }
    Remove-PSSession $ses
}

Invoke-Command -Session $session -ScriptBlock $script -ArgumentList $cred, $cldhost
Remove-PSSession $session

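Unfortunately, I again got the Get-ChildItem C:\ output of the jumphost and not that of the cloudhost... Do you have any further ideas? Could the $script {} part be wrong?

1 Answer:

Answer 0: (score: 3)

Finally it works: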

$cred = Get-Credential ad\username -Message "Please insert the password for the jumphost"

$session = New-PSSession -ComputerName jumphost -Credential $cred

$cldhost = Read-Host "Please insert the cloudhost name"

$script = {
    Param (
        $Credential,
        $Hostname2
    )
    $ses = New-PSSession -ComputerName $Hostname2 -Credential $Credential
    Invoke-Command -Session $ses -ScriptBlock { Get-ChildItem C:\ }
    Remove-PSSession $ses
}

Invoke-Command -Session $session -ScriptBlock $script -ArgumentList $cred, $cldhost
Remove-PSSession $session

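This means that I don't need a delegated session or CredSSP. But anyway, it also works by manually setting up a delegated configuration on the jumphost, then, in the pop-up window opened by -ShowSecurityDescriptorUI, adding the users who should be able to connect to the session configuration and removing the default users "Interactive Users" and the local administrators:

Register-PSSessionConfiguration -Name PowerShell.Session -SessionType DefaultRemoteShell -AccessMode Remote -RunAsCredential 'ad\username' -ShowSecurityDescriptorUI -Force

If you now connect to the session configuration with the user specified above, the commands are executed in the context of the user you specified under -RunAsCredential.

It also works directly from the local host, but you have to use -SecurityDescriptorSddl, which requires a function that removes the default credentials of the session configuration and automatically adds the new credentials with ACLs... which means a lot of work.

Thank you very much for your help!

Mark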
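
The -SecurityDescriptorSddl route mentioned at the end of the answer, as an added example that is not part of the original post: it registers the RunAs endpoint without the pop-up window and writes an access list containing only the accounts that may connect. It assumes an elevated session on the jumphost; the function name New-EndpointSddl and the account 'ad\username' are placeholders, and GXGR is assumed to correspond to the "Execute(Invoke)" and "Read" boxes of the dialog.

```powershell
# Added example, run elevated on the jumphost. Names below are placeholders.
$configName  = 'PowerShell.Session'   # endpoint name used on this page
$connectUser = 'ad\username'          # account that may connect (placeholder)

function New-EndpointSddl {
    # Hypothetical helper: builds the endpoint SDDL for the given accounts.
    param([Parameter(Mandatory = $true)][string[]]$Account)

    $aces = foreach ($name in $Account) {
        # Resolve the account name to its SID; throws if the name is unknown
        $nt  = New-Object System.Security.Principal.NTAccount($name)
        $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
        "(A;;GXGR;;;$sid)"            # allow generic execute + generic read
    }

    # Owner NETWORK SERVICE, group BUILTIN\Administrators, protected DACL.
    # No allow ACE is written for Interactive Users (IU) or Administrators (BA),
    # so only the listed accounts can open a session on this endpoint.
    # SACL: audit failed access of any kind and successful execute/write (Everyone).
    'O:NSG:BAD:P' + ($aces -join '') + 'S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)'
}

$sddl = New-EndpointSddl -Account $connectUser

# Parse the string first, so a malformed SDDL fails here and not inside WinRM
$null = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)

# Account whose context the commands run in (the second hop uses this identity)
$runAs = Get-Credential -Message 'Account the endpoint runs commands as'

Register-PSSessionConfiguration -Name $configName -AccessMode Remote `
    -RunAsCredential $runAs -SecurityDescriptorSddl $sddl -Force

# Confirm what was stored: RunAs account and the resulting permissions
Get-PSSessionConfiguration -Name $configName |
    Select-Object Name, RunAsUser, Permission
```

Connecting then works as in the answer, with -ConfigurationName PowerShell.Session added to New-PSSession on the client.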