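Has anyone used PowerShell remoting against CNAMEs or hosts file entries?
One way to test: create a PSSession against localhost to make sure it works... then add a hosts record pointing to 127.0.0.1, and then try to create a PSSession.
I get this kind of error: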
[funkymonkey] Connecting to remote server failed with the following error message : WinRM cannot process the request. The following error occured while using Kerberos authentication: The network path was not found.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does not exist.
-The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
+ CategoryInfo : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [], PSRemotingTransportException
+ FullyQualifiedErrorId : PSSessionOpenFailed
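Answer 0 (score: 1)
If NTLM isn't working, I think you're being affected by the loopback check that was added in winsrv 2003 SP1+. You can add the CNAMEs to a special registry key that includes them in an exception list (localhost is already included).
PS> New-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0 BackConnectionHostNames -PropertyType MultiString -Value "cname1","cname1.local"
Some people just turn it (the loopback check) off entirely by setting the DWORD DisableLoopbackCheck (google it), but you really should control it with the former method rather than take the lazy route.
IIRC, this security feature prevents a particular type of credential theft called a "reflection attack". I don't remember the method, but I'm sure you can find it online.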
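An added example, not part of the answer above: a helper that merges aliases into the BackConnectionHostNames exception list instead of replacing it, and reports when DisableLoopbackCheck has switched the check off globally. The function name Add-BackConnectionHostName is hypothetical, the alias names are the answer's placeholders, and it assumes an elevated session.

```powershell
# Added example (hypothetical helper name). Run from an elevated PowerShell session.
function Add-BackConnectionHostName {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [string[]]$HostName
    )

    $lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $msv  = Join-Path $lsa 'MSV1_0'
    $name = 'BackConnectionHostNames'

    # If the check is disabled for every name, the per-name exception list is moot.
    $flag = (Get-ItemProperty -Path $lsa -Name DisableLoopbackCheck -ErrorAction SilentlyContinue).DisableLoopbackCheck
    if ($flag -eq 1) {
        Write-Warning 'DisableLoopbackCheck is 1: the loopback check is off for all names; prefer the exception list.'
    }

    # Read the existing multi-string value; a missing value yields an empty list.
    $current = @((Get-ItemProperty -Path $msv -Name $name -ErrorAction SilentlyContinue).$name |
        Where-Object { $_ })

    # Case-insensitive union of the existing entries and the requested aliases.
    $merged = @($current + $HostName |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ } |
        Sort-Object -Unique)

    # Only write when at least one alias is actually new.
    $added = @($merged | Where-Object { $current -notcontains $_ })
    if (-not $added) {
        Write-Verbose 'All aliases are already in the exception list.'
        return $current
    }

    if ($PSCmdlet.ShouldProcess($msv, "Set $name to: $($merged -join ', ')")) {
        # -Force overwrites the existing value while keeping the MultiString type explicit.
        New-ItemProperty -Path $msv -Name $name -PropertyType MultiString `
            -Value $merged -Force | Out-Null
    }
    return $merged   # with -WhatIf this is the list that would be written
}

# Dry run with the answer's placeholder aliases; drop -WhatIf to apply.
Add-BackConnectionHostName -HostName 'cname1', 'cname1.local' -WhatIf
```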