logo标签列表

WinRM无法处理请求 - 仅在特定域上失败

powershellpowershell-2.0powershell-remotingwinrm
16

我们的一些服务器(W2K8 R2)上周被迁移到了云端,此后我的Powershell脚本开始失效(之前正常工作),异常出现在尝试建立连接的那一行代码上。

$ExSession = New-PSSession –ConfigurationName Microsoft.Exchange –ConnectionUri     "http://$g_strExchangeServer/PowerShell" `
-Credential $Credentials –Authentication Kerberos

使用以下信息,

[subd.staging.com] Connecting to remote server failed with the following error message : 
**WinRM cannot process the request**. The following error occured while using Kerberos authentication: There are currently no logon servers available to service the logon request.  
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does not exist.
-The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following command: winrm help onfig. For more information, see the about_Remote_Troubleshooting Help topic.
+ CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [], PSRemotingTransportException
+ FullyQualifiedErrorId : PSSessionOpenFailed

只有当我试图针对我们的测试域名时才会出现这种情况,如果我将脚本指向我们的生产域名,那么它就可以工作。

所有已经迁移到云端的服务器上都显示相同的错误。

请注意,所有尚未迁移到云端的服务器都能够在两个域上运行脚本而没有任何问题。

我已经尝试了以下方法,但没有成功。

//Add the destination computer to the WinRM TrustedHosts configuration setting. 
c:\>WinRM set winrm/config/client @{TrustedHosts="stagingserver"} 


//Confirm that WinRM is properly configured.  
c:\>Winrm quickconfig  

//Make sure that the remote server allows commands from any machine. 
PS c:\>Set-item wsman:localhost\client\trustedhosts -value *

使用 Powershell v2 和 WinRM v2

欢迎任何评论。

很可能是这个问题:“客户端和远程计算机在不同的域中,并且两个域之间没有信任关系。”试试使用CredSSP。以下是启用它的方法:http://technet.microsoft.com/en-us/library/hh849872.aspx - user1578107
@user1578107,我尝试了但没有成功,c:> enable-wsmancredssp -role client -delegatecomputer stagingserver。这个命令已经成功执行,因为在PS中我没有收到任何错误信息,但是脚本仍然以相同的错误消息失败了。谢谢。 - g3n1t0
我不确定enable-wsmancredssp是否允许转发新的凭据。您可以尝试手动启用它(请参见http://msdn.microsoft.com/en-us/library/windows/desktop/ee309365(v=vs.85).aspx) - user1578107
1个回答
30

在客户端计算机上运行这些命令,然后尝试连接到远程主机:

首先我们需要检查客户端计算机上的 TrustedHosts:

PS C:\> WinRM get winrm/config/client
Client
    NetworkDelayms = 5000
    URLPrefix = wsman
    AllowUnencrypted = false
    Auth
        Basic = true
        Digest = true
        Kerberos = true
        Negotiate = true
        Certificate = true
        CredSSP = false
    DefaultPorts
        HTTP = 5985
        HTTPS = 5986
    TrustedHosts

如果像示例一样为空,请在客户端计算机上运行以下命令:

PS C:> Set-item wsman:localhost\client\trustedhosts -value *

这将在 TrustedHosts 参数中写入 *,允许客户端计算机连接到任何主机,或者您可以使用目标服务器的IP地址和/或主机名配置此值。

PS C:\> WinRM get winrm/config/client
Client
    NetworkDelayms = 5000
    URLPrefix = wsman
    AllowUnencrypted = false
    Auth
        Basic = true
        Digest = true
        Kerberos = true
        Negotiate = true
        Certificate = true
        CredSSP = false
    DefaultPorts
        HTTP = 5985
        HTTPS = 5986
    TrustedHosts = *
这个命令不起作用...请问执行完这个命令后我们需要重新启动机器吗? - vinay
7
需要注意的是,这个命令需要在客户端机器上执行,即发起连接的那台机器上执行,而不是目标主机上执行。之后可能需要重新启动WinRM服务。 - w128
2
需要使用PowerShell作为管理员来运行第二个命令(右键单击,“以管理员身份运行”)。 - jzhang22
网页内容由stack overflow 提供, 点击上面的
可以查看英文原文,
原文链接