rzander / sccmclictr

Client Center for Configuration Manager
Microsoft Public License

Client Center with LAPS (Local Administrator Password Solution) #73

Closed john-d-reynolds closed 6 years ago

john-d-reynolds commented 6 years ago

We have implemented LAPS, a Microsoft tech that essentially forces you to use a local admin account when connecting to and administering domain PCs, with a randomly generated PW which is stored in AD. This is no different than using just a standard local admin account and PW. When I try to connect to machines with this local user and PW in the connection settings I get a connection failure:

WinRM cannot process the request. The following error with errorcode 0x80090311 occurred while using Kerberos authentication: There are currently no logon servers available to service the logon request.

This works perfectly if we use a domain account that has local admin rights on the same computer. Is Client center restricted from using local admin accounts?

Many Thanks indeed John

rzander commented 6 years ago

Are you able to connect with PowerShell directly? e.g. Enter-PSSession <Hostname>. I think PowerShell remoting is configured by default to use Kerberos authentication only... Let me know if you can connect with PowerShell directly....

john-d-reynolds commented 6 years ago

Thanks so much for getting back to me.

If I use a command like:

Enter-PSSession -ComputerName WKSXXXXX -Credential WKSXXXXX\administrator

I do get prompted for a password but then get the same output as I did in Client Center (screenshot attached).

So it's a limitation of PS?

From: Roger Zander (notifications@github.com), Sent: 04 July 2018 15:49, Subject: Re: [rzander/sccmclictr] Client Center with LAPS (Local Administrator Password Solution) (#73)

rzander commented 6 years ago

I would not say limitation, as I'm sure that you can change the configuration. But if you enable Basic authentication without encryption, you may open other doors... So the default configuration and requirement to use Kerberos makes sense in most cases.

theaquamarine commented 6 years ago

Normally PSRemoting uses Kerberos, which means a domain account must be used; LAPS accounts are local, so can't do that. You can set WinRM to use HTTPS with a TrustedHosts list, but it's quite a lot of work and not usually worth it/desirable given how PowerShell remoting works compared to, for example, RDP.

Edit: SO link talking about it in more detail: https://stackoverflow.com/questions/26532102/powershell-remoting-using-a-remote-local-account-on-a-computer-on-the-same-domai

Edit again: https://4sysops.com/archives/powershell-remoting-over-https-with-a-self-signed-ssl-certificate/
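For the HTTPS route mentioned above, the following is an added example (not code from this thread, from Client Center, or from the linked articles) showing the target-side listener setup and the client-side connection with a local LAPS account. The FQDN, the admin subnet, the share path and the use of the ConfigMgr client service name CcmExec are assumptions for illustration. With -UseSSL the server proves its identity through the certificate, so no TrustedHosts entry is needed, and the NTLM exchange for the local account runs inside TLS.

```powershell
# Added example (not from the thread): WinRM over HTTPS for a local (LAPS) account.
# Hostname, subnet and paths below are placeholders, not values from the issue.

# ---- On the target workstation (run elevated) ----
$fqdn = 'wks-example.corp.example'   # placeholder FQDN of the managed PC

# 1. Certificate for the listener. Self-signed here for illustration; in production issue it
#    from the enterprise CA so admin workstations trust it without the export/import below.
$cert = New-SelfSignedCertificate -DnsName $fqdn -CertStoreLocation 'Cert:\LocalMachine\My'

# 2. Create the HTTPS listener (TCP 5986) bound to that certificate.
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
    -CertificateThumbPrint $cert.Thumbprint -Force | Out-Null

# 3. Open the port in the host firewall, scoped to the admin subnet rather than to everyone.
New-NetFirewallRule -DisplayName 'WinRM HTTPS (admin subnet only)' -Direction Inbound `
    -Protocol TCP -LocalPort 5986 -RemoteAddress '10.0.10.0/24' -Action Allow | Out-Null

# 4. Export the public certificate so the admin workstation can trust it.
Export-Certificate -Cert $cert -FilePath "C:\Temp\$fqdn.cer" | Out-Null

# ---- On the admin workstation ----
# 5. Trust the exported certificate (only needed for self-signed; skip with an enterprise CA).
Import-Certificate -FilePath "\\fileshare\certs\$fqdn.cer" `
    -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 6. Connect with the local LAPS account. The username is prefixed with the host's short
#    name so the client does not attempt Kerberos for a domain principal.
$short = $fqdn.Split('.')[0]
$cred  = Get-Credential -UserName "$short\Administrator" -Message "LAPS password for $fqdn"

# Test-WSMan confirms the listener, certificate trust and credential before opening a session.
Test-WSMan -ComputerName $fqdn -UseSSL -Credential $cred -Authentication Negotiate

Invoke-Command -ComputerName $fqdn -UseSSL -Credential $cred -Authentication Negotiate `
    -ScriptBlock { Get-Service -Name CcmExec | Select-Object Name, Status, StartType }
```

If Test-WSMan fails with a certificate error, the client does not trust the listener certificate (step 5 was skipped or the DNS name in the certificate does not match what was passed to -ComputerName); fixing that is preferable to bypassing the check with -SkipCACheck or -SkipCNCheck, which would discard the server authentication that makes the HTTPS route worthwhile.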

john-d-reynolds commented 6 years ago

Thanks for your input Roger, you are right this was a limitation of PS Remoting (I maybe should have figured that out myself).

On the very small number of PCs that we use Client Center on we just needed to enable alternative (NTLM) authentication by trusting the target PCs (or, in this case, the private subnet) like:

Set-Item wsman:\localhost\client\trustedhosts 10.*

Then using the IP or FQDN of the target PC and defining the local username and LAPS pw in connection properties it connects fine.

Many Thanks to you indeed!!
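The workaround in the post above trusts a whole subnet. As an added example (not from the thread or from Client Center), here is the same NTLM-over-HTTP approach scoped to a single host, with a check that the credential works and a cleanup step afterwards. The hostname and the CcmExec service name are assumptions; TrustedHosts changes require an elevated session.

```powershell
# Added example (not from the thread): NTLM fallback over HTTP for one LAPS-managed host,
# with TrustedHosts limited to that host instead of a subnet wildcard. Hostname is a placeholder.

$target = 'WKS001.corp.example'   # placeholder FQDN; must match what is passed to -ComputerName
$short  = $target.Split('.')[0]   # local accounts are qualified with the host name, not the domain

# Show what is currently trusted so additions are deliberate, not accidental.
Write-Host "TrustedHosts before: '$((Get-Item WSMan:\localhost\Client\TrustedHosts).Value)'"

# Add only this host. -Concatenate keeps existing entries instead of overwriting them.
Set-Item WSMan:\localhost\Client\TrustedHosts -Value $target -Concatenate -Force

# HOST\user tells the client this is a local principal; a bare or DOMAIN\ user would make it
# attempt Kerberos and fail with the 0x80090311 "no logon servers" error from the issue.
$cred = Get-Credential -UserName "$short\Administrator" -Message "LAPS password for $target"

try {
    # Negotiate falls back to NTLM for a local account. WinRM still encrypts the payload on
    # the HTTP transport as long as AllowUnencrypted stays at its default of false.
    Test-WSMan -ComputerName $target -Credential $cred -Authentication Negotiate | Out-Null

    Invoke-Command -ComputerName $target -Credential $cred -Authentication Negotiate -ScriptBlock {
        Get-Service -Name CcmExec | Select-Object Name, Status, StartType
    }
}
finally {
    # Remove the host again so TrustedHosts does not silently grow over time.
    $remaining = ((Get-Item WSMan:\localhost\Client\TrustedHosts).Value -split ',' |
        Where-Object { $_ -and $_ -ne $target }) -join ','
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value $remaining -Force
    Write-Host "TrustedHosts after:  '$remaining'"
}
```

TrustedHosts is a client-side list of machines this workstation is willing to send non-Kerberos credentials to; it does not authenticate the remote end, which is why it should name the specific hosts being administered rather than `10.*`, and why the HTTPS listener route is the stronger option where the setup effort is acceptable.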