CNAMES, host files and PowerShell remoting
Has anybody gotten PowerShell remoting to work against CNAMES or host files?
A way to test: create a PSSession against localhost to make sure it's working fine... then have a host record to 127.0.0.1 called something, then try to create a PSSession against that.
I get this sort of error:
[funkymonkey] Connecting to remote server failed with the following error message : WinRM cannot process the request. The following error occured while using Kerberos authentication: The network path was not found.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does not exist.
-The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
+ CategoryInfo : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [], PSRemotingTransportException
+ FullyQualifiedErrorId : PSSessionOpenFailed
Comments (1)
If NTLM isn't working, I think you're getting hit by the loopback check stuff added in winsrv 2003 sp1+. You can add the CNAMEs to a special registry key that will include them in the exception list (which already includes localhost.)
ps> new-itemproperty hklm:\system\currentcontrolset\control\Lsa\MSV1_0 `
      BackConnectionHostNames `
      -propertyType multistring -val "cname1","cname1.local"
Some people just turn it off entirely (the loopback check) by setting a dword DisableLoopbackCheck (google it) but you really should control it tighter with the former method instead of taking the lazy route.
IIRC, this security feature prevents a particular type of credential theft called a "reflection attack." I don't remember the methodology but I'm sure you could find it online.
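
The following PowerShell is an added example, not code from the answer above: it reports whether DisableLoopbackCheck is set and adds aliases to BackConnectionHostNames without dropping or duplicating existing entries. The function names and the DisableLoopbackCheck location under HKLM:\SYSTEM\CurrentControlSet\Control\Lsa are supplied here; cname1 and cname1.local are the answer's placeholder aliases.

```powershell
# Added example. Writing needs an elevated session; reading and -WhatIf do not.
$LsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv1Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

function Get-LoopbackCheckState {
    # DisableLoopbackCheck = 1 turns the check off for every name on the host.
    $lsa = Get-ItemProperty -Path $LsaKey -Name DisableLoopbackCheck -ErrorAction SilentlyContinue
    # BackConnectionHostNames is the per-name exception list (REG_MULTI_SZ).
    $msv = Get-ItemProperty -Path $Msv1Key -Name BackConnectionHostNames -ErrorAction SilentlyContinue
    $names = @()
    if ($msv) { $names = @($msv.BackConnectionHostNames | Where-Object { $_ }) }
    [pscustomobject]@{
        LoopbackCheckDisabled   = [bool]($lsa -and ($lsa.DisableLoopbackCheck -eq 1))
        BackConnectionHostNames = $names
    }
}

function Add-BackConnectionHostName {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string[]]$HostName)

    $state = Get-LoopbackCheckState
    if ($state.LoopbackCheckDisabled) {
        Write-Warning 'DisableLoopbackCheck is 1: the loopback check is off for every name on this host.'
    }
    # Sort-Object -Unique and -notcontains are case-insensitive, so re-runs add nothing twice.
    $missing = @($HostName | Sort-Object -Unique |
        Where-Object { $state.BackConnectionHostNames -notcontains $_ })
    if ($missing.Count -eq 0) { return $state.BackConnectionHostNames }

    $merged = @($state.BackConnectionHostNames) + $missing
    if ($PSCmdlet.ShouldProcess($Msv1Key, "Add $($missing -join ', ') to BackConnectionHostNames")) {
        # -Force replaces the stored value; $merged keeps every name already present.
        New-ItemProperty -Path $Msv1Key -Name BackConnectionHostNames `
            -PropertyType MultiString -Value $merged -Force | Out-Null
    }
    $merged
}

# Report the current state, then preview the change without writing it.
Get-LoopbackCheckState
Add-BackConnectionHostName -HostName 'cname1', 'cname1.local' -WhatIf
```

Drop `-WhatIf` to apply the change.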