PowerShell script cannot authenticate the user when running Invoke-Command

Time: 2018-01-30 05:49:16

Tags: powershell authentication invoke-command

I recently created a small script which, when I give it a school's 4-digit site code, gets me the disk size and free space of 2 servers at each school site.

First, it pulls the site's information from a .csv file, then uses that information to assemble the strings for the DC FQDN hostname and the .10 server.

Then it asks for the password of the elevated-access account I use to get the disk information.

The problem I run into is when the script builds the script block and then uses Invoke-Command to send the script block to the servers, which is what feeds the information to the PowerShell object.

The error provided is as follows:

[{ServerName}] Connecting to remote server {ServerName} failed with the
following error message : WinRM cannot process the request. The following
error with errorcode 0x80090311 occurred while using Kerberos authentication: 
There are currently no logon servers available to service the logon request.
Possible causes are:
  -The user name or password specified are invalid.
  -Kerberos is used when no authentication method and no user name are specified.
  -Kerberos accepts domain user names, but not local user names.
  -The Service Principal Name (SPN) for the remote computer name and port does
   not exist.
  -The client and remote computers are in different domains and there is no trust
   between the two domains.
After checking for the above issues, try the following:
  -Check the Event Viewer for events related to authentication.
  -Change the authentication method; add the destination computer to the WinRM
   TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
  -For more information about WinRM configuration, run the following command:
   winrm help config. For more information, see the about_Remote_Troubleshooting
   Help topic.
    + CategoryInfo          : OpenError: ({ServerName}:String) [], PSRemotingTransportException
    + FullyQualifiedErrorId : AuthenticationFailed,PSSessionStateBroken

Things I have tried:

  • Resetting the password
  • Changing the authentication type to Basic
  • Having others try the same thing - some have the same issue, some don't
  • Other users on my workstation have the same issue
  • I re-imaged my workstation and it worked for a while, but then it seemed to stop after the device installed software updates, so I am uninstalling those updates, but two of them won't allow me to uninstall; I think they are force-installed by Microsoft and required (the uninstall button disappears when they are selected) - KB4019472 and KB4049065.

The device is running Windows 10 1607 v14393.1944, PowerShell v5.1.

There is a one-way trust between the domain I am in and the domain DC1 and MS10 (.10) are in: their domain trusts us, but we don't trust their domain.

The account I use is a local administrator on the devices, via nested AD groups, across all domains.

I don't know Kerberos very well, so any help would be great.

The script is below. Note: I had to remove some parts, so I have padded those areas (i.e. {String} where there was only standard text, {FQDNServerName} where a FQDN server name would be written as text, or {Region} where I wrote the region as text).

$csvSchoolsLoc = "{FQDNServerName}\SharedReports$\SchoolsExport.csv"
$Schools = Import-Csv $csvSchoolsLoc -Delimiter "`t" -Header LocCode,SchoolName,SchoolAddress,SchoolPhoneNumber,SchoolFaxNumber,SchoolOfficerInCharge,DistrictCode,DistrictNumeric,RegionCode,RegionNumeric,LSD,WANLinkType,RouterName,RouterIP,RouterStatus,OneSchemaGraphUrl,OneSchemaSiteUrl,SCCMSiteID,SiteAdminNetwork,ProxyServerIP,PrimaryDcName,PrimaryDcIP,PrimaryDcOS,PrimaryDcVersion,PrimaryDcPatch,Style

#Gets the users credentials for their GBN ZZ account - this is used throughout the script for authentication
$username = "{Region}\zz-$env:USERNAME"
$mycreds = Get-Credential -UserName $username -Message "Enter your password for {region}\zz-$env:USERNAME"

Clear-Host
Write-Host "What is the schools 4 digit site code?" -ForegroundColor Magenta
$Global:SiteCode = Read-Host

Function Main {
    Clear-Host

    $SchoolName = $schools | Where-Object {$_.LocCode -eq $SiteCode} | ForEach-Object SchoolName

    $Region = $schools | Where-Object {$_.LocCode -eq $SiteCode} | ForEach-Object RegionCode

    Write-Host "Getting details for: " -ForegroundColor Gray -NoNewline; Write-Host "$SchoolName - $SiteCode - ($Region)" -ForegroundColor Yellow

    $DC1 = "{String}$($Region)$($SiteCode)001.$region.{String}.{String}.{String}"
    $MS10 = "{String}$($Region)$($SiteCode)010.$region.{String}.{String}.{String}"

    if (Test-Connection -ComputerName $DC1 -Count 2 -Delay 1 -Quiet) {
        $DC1Run = $true
    } else {
        $DC1Run = $false
    }
    if (Test-Connection -ComputerName $MS10 -Count 2 -Delay 1 -Quiet) {
        $MS10Run = $true
    } else {
        $MS10Run = $false
    }

    # Runs on the remote server via Invoke-Command: query the C: and Z: volumes with WMI and return their sizes in GB
    $ScriptBlock = {
        $DiskCTotal = Get-WmiObject -Class Win32_LogicalDisk -Filter "DeviceID='C:'" -Impersonation 3 | ForEach-Object {$_.size / 1GB}
        $DiskCFree = Get-WmiObject -Class Win32_LogicalDisk -Filter "DeviceID='C:'" -Impersonation 3 | ForEach-Object {$_.freespace / 1GB}
        $DiskZTotal = Get-WmiObject -Class Win32_LogicalDisk -Filter "DeviceID='Z:'" -Impersonation 3 | ForEach-Object {$_.size / 1GB}
        $DiskZFree = Get-WmiObject -Class Win32_LogicalDisk -Filter "DeviceID='Z:'" -Impersonation 3 | ForEach-Object {$_.freespace / 1GB}

        return @{
            'ZFreeSpace' = $DiskZFree
            'CFreeSpace' = $DiskCFree
            'ZTotalSize' = $DiskZTotal
            'CTotalSize' = $DiskCTotal
        }
    }
    if (($DC1Run -eq $true) -and ($MS10Run -eq $true)) {
        $ServerDC1 = Invoke-Command -ComputerName $DC1 -Credential $mycreds -ScriptBlock $ScriptBlock
        $ServerMS10 = Invoke-Command -ComputerName $MS10 -Credential $mycreds -ScriptBlock $ScriptBlock

        #Clear-Host
        Write-Host -ForegroundColor Yellow "$SchoolName - $SiteCode - ($Region)"
        Write-Host -ForegroundColor Cyan "Server $DC1 - Domain Controller"
        Write-Host "$([math]::round($ServerDC1.CFreeSpace,2)) GB free on C Drive (Total Size $([math]::round($ServerDC1.CTotalSize,2)) GB)"
        Write-Host "$([math]::round($ServerDC1.ZFreeSpace,2)) GB free on Z Drive (Total Size $([math]::round($ServerDC1.ZTotalSize,2)) GB)"
        Write-Host "" 
        Write-Host -ForegroundColor Cyan "Server $MS10 - Distribution Point"
        Write-Host "$([math]::round($ServerMS10.CFreeSpace,2)) GB free on C Drive (Total Size $([math]::round($ServerMS10.CTotalSize,2)) GB)"
        Write-Host "$([math]::round($ServerMS10.ZFreeSpace,2)) GB free on Z Drive (Total Size $([math]::round($ServerMS10.ZTotalSize,2)) GB)"
    } else {
        #Clear-Host
        Write-Host -ForegroundColor Yellow "$SchoolName - $SiteCode - ($Region)"
        Write-Host -ForegroundColor Cyan "Server $DC1 - Domain Controller"
        if ($DC1Run) {
            Write-Host "DC1 connection status is running" -ForegroundColor Green
        } else {
            Write-Host "DC1 connection status is down" -ForegroundColor Red
        }
        Write-Host "" 
        Write-Host -ForegroundColor Cyan "Server $MS10 - Distribution Point"
        if ($MS10Run) {
            Write-Host "MS10 connection status is running" -ForegroundColor Green
        } else {
            Write-Host "MS10 connection status is down" -ForegroundColor Red
            if ($DC1Run -eq $true) {
                $RDP = Read-Host -Prompt "Would you like to RDP to $DC1 'Y'"
                if ($RDP -eq "Y") {
                    Start-Process -FilePath "$env:windir\System32\mstsc.exe" -ArgumentList "/v:$DC1" -Wait -WindowStyle Maximized
                }
            }
        }
    }
    Write-Host ""
    Write-Host "What is the next schools 4 digit site code? -or- Press Enter to retry the above site again" -ForegroundColor Magenta
    $Entry = Read-Host
    if ($Entry -eq "") {
        # Do nothing - keep the same site code and retry it
    } else {
        $Global:SiteCode = $Entry
    }
}

# $x is never incremented, so the loop keeps prompting for site codes until the window is closed
$x = 0

do {
    Main
} until ($x -gt 0)

Edit: Uninstalling the software updates did not fix the issue, so unless it is related to the two updates I cannot uninstall, it does not seem to be a software update.

1 answer:

Answer 0: (score: 0)

It turns out the domain I was trying to reach was not in WinRM's TrustedHosts configuration.

By using the following command, I was able to add the domains (I have many) to TrustedHosts using the '*' wildcard.

Note: I have replaced part of the domain name with {String}, because for confidentiality reasons it would normally contain part of the domain name.

winrm set winrm/config/client @{TrustedHosts="<local>,*.{string}.edu.au"}
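Added here as an example, not code from the original question or answer: before widening TrustedHosts, list what is already trusted, append only the needed domain suffix instead of replacing the whole list, and confirm one endpoint answers with the explicit credential. It assumes an elevated console, that {string} and {Region} are the same redacted placeholders used above, and that the host name is constructed to follow the naming pattern of the script.

```powershell
# Added example (not from the original question or answer): inspect the WinRM
# client TrustedHosts list, append a narrow entry instead of overwriting the
# whole list, and verify one endpoint with the explicit credential.
# Assumptions: run from an elevated PowerShell console; {string} and {Region}
# are the same redacted placeholders used in the post; the host name below is
# constructed to match the naming pattern of the script above.

# 1. Review what is already trusted. A lone '*' trusts every host, which
#    defeats the purpose of the list entirely.
$current = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
Write-Host "Current TrustedHosts: '$current'"

# 2. Append only the school domain suffix. -Concatenate keeps the existing
#    entries; the raw 'winrm set' command in the answer replaces them.
$needed  = '*.{string}.edu.au'
$entries = if ($current) { $current -split ',' | ForEach-Object { $_.Trim() } } else { @() }
if ($entries -notcontains $needed) {
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value $needed -Concatenate -Force
    Write-Host "Added $needed to TrustedHosts"
}

# 3. Verify one server before running the reporting script. Negotiate is the
#    NTLM path that TrustedHosts unlocks when Kerberos cannot find a logon
#    server for the target domain. On this path the client does not verify
#    the server's identity (the error text above says as much); if the servers
#    expose an HTTPS listener, add -UseSSL so the certificate authenticates
#    the server and TrustedHosts is not needed at all.
$target = 'DC1.{string}.edu.au'
$cred   = Get-Credential -UserName "{Region}\zz-$env:USERNAME" -Message 'Elevated account password'
try {
    Test-WSMan -ComputerName $target -Credential $cred -Authentication Negotiate -ErrorAction Stop | Out-Null
    Write-Host "WinRM answered on $target with Negotiate" -ForegroundColor Green
} catch {
    Write-Host "WinRM check failed on ${target}: $($_.Exception.Message)" -ForegroundColor Red
}
```

Keep the TrustedHosts entry as narrow as the real domain allows; every name matching the pattern becomes a host the client will send NTLM credentials to without checking who it is.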