以 ip 地址为目标的 Powershell 远程处理
我在 Server 2008 R2 上成功启用了 PSRemoting。 我可以使用主机名作为目标从同一网络内执行远程 pssession。
当我尝试从任何计算机(在网络内或从另一个网络(例如通过 VPN))使用 IP 地址作为目标时,我失败了。 我希望能够通过 VPN 连接使用远程处理,但由于无法解析主机名,因此必须使用 IP 地址。
我不想将名称添加到我的主机文件中,因为我们客户的其他一些服务器具有相同的 dns 名称,并且我不想再次删除并插入名称-IP-地址关联又来了。
我希望有人能告诉我如何允许通过 IP 调用 psremoting-target。
编辑:更具体地说,我希望能够运行此命令:
Enter-PSSession -Computername 192.168.123.123 -credentials $cred
但只有在将主机名传递给“-Computername”时,我才能运行该命令
编辑2:
当我尝试使用 IP 而不是主机名(来自内部网络)登录时,收到以下错误消息:
Enter-PSSession : Connecting to remote server failed with the following error message : The WinRM client cannot process
the request. Default authentication may be used with an IP address under the following conditions: the transport is HT
TPS or the destination is in the TrustedHosts list, and explicit credentials are provided. Use winrm.cmd to configure T
rustedHosts. Note that computers in the TrustedHosts list might not be authenticated. For more information on how to se
t TrustedHosts run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting
Help topic.
Edit3:
我知道 WSMan 的受信任主机设置,但这似乎不是问题。它已经设置为“*”(我在启用远程处理后立即执行此操作),但我仍然无法使用 ip 作为目标计算机名连接到该服务器,但我可以使用主机名作为目标计算机名进行连接。似乎 IIS 中的绑定之类的东西会阻止侦听器侦听针对 ip 号而不是主机名的请求。但没有安装IIS。我不知道去哪里寻找这样的设置。
2011-07-12更新:
好的,我认为 trusthosts 设置不是问题,因为我可以通过主机名从我们的 DC 连接,但如果我使用计算机参数的目标 IP 地址则不行。
我想,问题一定出在听者身上。也许侦听器不会接受针对目标 IP 而不是目标主机名的请求。但我不知道如何改变它。
I successfully enabled PSRemoting on my Server 2008 R2.
I'm able to do a remote-pssession from within the same network using the hostname as target.
I'm failing when I try to use the IP-Address as target from any computer (within the network or from another network (for example via VPN)).
I want to be able to use remoting through my VPN connection where I have to use the IP-Address since the hostname can't be resolved.
I don't want to add names into my hosts-file because there are a few other servers at our clients' that have the same dns-name and I don't want to remove and insert the name-ip-address-association again and again.
I hope someone can tell me how to allow the psremoting-target to be called via IP.
Edit: To be more specific, I want to be able to run this:
Enter-PSSession -Computername 192.168.123.123 -credentials $cred
But I'm only able to run that command if I pass a hostname to "-Computername"
Edit2:
I'm getting following errormessage when I try to login using the ip instead of the hostname (from the internal network):
Enter-PSSession : Connecting to remote server failed with the following error message : The WinRM client cannot process
the request. Default authentication may be used with an IP address under the following conditions: the transport is HT
TPS or the destination is in the TrustedHosts list, and explicit credentials are provided. Use winrm.cmd to configure T
rustedHosts. Note that computers in the TrustedHosts list might not be authenticated. For more information on how to se
t TrustedHosts run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting
Help topic.
Edit3:
I know about the trusted-hosts setting of WSMan, but that doesn't seem to be the problem. It is already set to "*" (I did that right after enabling remoting), but I still can't connect to that server using the ip as target-computername, but I'm able to connect using the hostname as target-computername. Seems like there's something like the binding in IIS that prevents the listener to listen on requests that target the ip-number instead of the hostname. But IIS isn't installed. I don't know where to look for such a setting.
Update 2011-07-12:
Okay, I think that trustedhosts-setting is not the problem because I CAN connect from our DC via hostname but not if I use the ip-address of the destination for the computer-param.
I think, the problem must be the listener. Maybe the listener takes no requests that were targeted to the destination-ip instead of the destination-hostname. But I don't know how to change that.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(10)
错误消息为您提供了大部分您需要的内容。这不仅仅涉及 TrustedHosts 列表;还涉及 TrustedHosts 列表。也就是说,为了使用具有默认身份验证方案的 IP 地址,您还必须使用 HTTPS(默认情况下未配置)并提供显式凭据。我可以告诉你至少没有使用 SSL,因为你没有使用 -UseSSL 开关。
请注意,默认情况下未配置 SSL/HTTPS - 这是您必须执行的额外步骤。您不能只添加 -UseSSL。
默认的身份验证机制是 Kerberos,它希望看到 AD 中出现的真实主机名。不是 IP 地址,也不是 DNS CNAME 昵称。有些人会启用基本身份验证,这种身份验证不太挑剔 - 但您还应该设置 HTTPS,因为否则您会以明文形式传递凭据。 Enable-PSRemoting 仅设置 HTTP。
将名称添加到主机文件将不起作用。这不是名称解析的问题;而是名称解析的问题。它是关于计算机之间如何进行相互验证的。
此外,如果此连接涉及的两台计算机不在同一 AD 域中,则默认身份验证机制将不起作用。有关配置非域和跨域身份验证的信息,请阅读“help about_remote_troubleshooting”。
来自 http://technet.microsoft.com/en-us/library 的文档/dd347642.aspx
The error message is giving you most of what you need. This isn't just about the TrustedHosts list; it's saying that in order to use an IP address with the default authentication scheme, you have to ALSO be using HTTPS (which isn't configured by default) and provide explicit credentials. I can tell you're at least not using SSL, because you didn't use the -UseSSL switch.
Note that SSL/HTTPS is not configured by default - that's an extra step you'll have to take. You can't just add -UseSSL.
The default authentication mechanism is Kerberos, and it wants to see real host names as they appear in AD. Not IP addresses, not DNS CNAME nicknames. Some folks will enable Basic authentication, which is less picky - but you should also set up HTTPS since you'd otherwise pass credentials in cleartext. Enable-PSRemoting only sets up HTTP.
Adding names to your hosts file won't work. This isn't an issue of name resolution; it's about how the mutual authentication between computers is carried out.
Additionally, if the two computers involved in this connection aren't in the same AD domain, the default authentication mechanism won't work. Read "help about_remote_troubleshooting" for information on configuring non-domain and cross-domain authentication.
From the docs at http://technet.microsoft.com/en-us/library/dd347642.aspx
尝试这样做:
Try doing this:
我在我的基础设施中测试了您的断言,IP 地址不是问题,以下内容对我有用:
如果您尝试跨 VPN 工作,您最好检查一下通往服务器的防火墙设置。 Windows 远程管理的安装和配置可以帮助你。 WinRM 正在等待的 TCP 端口是:
WinRM 1.1 及更早版本:默认 HTTP 端口是 80。WinRM
2.0:默认 HTTP 端口是 5985。
编辑:根据您的错误,您可以在客户端计算机上测试这一点:
I test your assertion in my infrastructure the IP address is not the problem the following works for me :
If you try to work accross a VPN you'd better have to have a look to the firewall settings on the way to your server. Installation and Configuration for Windows Remote Management can help you. The TCP port WinRM is waiting on are :
WinRM 1.1 and earlier: The default HTTP port is 80.
WinRM 2.0: The default HTTP port is 5985.
Edited : According to your error can you test this on youclient computer :
这些人给出了简单的解决方案,您应该看看帮助 - 它很好,看起来一口气很多,但实际上很快就能阅读:
The guys have given the simple solution, which will do be you should have a look at the help - it's good, looks like a lot in one go but it's actually quick to read:
在您的计算机上*运行
'Set-Item WSMan:\localhost\Client\TrustedHosts -Value "$ipaddress"*您运行 PSSession 的计算机
On your machine* run
'Set-Item WSMan:\localhost\Client\TrustedHosts -Value "$ipaddress"*Machine from where you are running PSSession
在 Windows 10 上,确保 WinRM 服务正在运行以调用
命令
Set-Item wsman:\localhost\Client\TrustedHosts -value '*' -ForceOn Windows 10 it is important to make sure the WinRM Service is running to invoke the
command
Set-Item wsman:\localhost\Client\TrustedHosts -value '*' -Force对于那些不关心 Microsoft 施加的任意限制的人,您只需将 主机文件条目 添加到您尝试连接的服务器的 IP,而不是使用该 IP 来绕过此限制:
For those of you who don't care about following arbitrary restriction imposed by Microsoft you can simply add a host file entry to the IP of the server your attempting to connect to rather then use that instead of the IP to bypass this restriction:
请在客户端上尝试以下操作:
运行以下命令来恢复侦听器配置:
运行以下命令来执行 Windows 远程管理服务及其侦听器的默认配置:
再次配置 winrm 后,请确保主机受信任:
尝试再次远程连接
参考
为 HTTPS 配置 winrm
Please try the following on the client:
Run the following command to restore the listener configuration:
Run the following command to perform a default configuration of the Windows Remote Management service and its listener:
After you configured winrm again, make sure host is trusted:
Try remote connect again
Reference
Configure winrm for HTTPS
正如 Don 谈到的那样,这里有更多信息
使用 IP 是 Kerberos 身份验证问题
如果您位于 AD 域中并且需要比允许 NTLM 和受信任主机更优雅的解决方案:https://learn.microsoft.com/en-us/windows-server/security/kerberos/configuring-kerberos-over-ip
" 从 Windows 10 版本 1507 和 Windows Server 2016 开始,Kerberos 客户端可以配置为支持 SPN 中的 IPv4 和 IPv6 主机名,
如果主机名是 IP 地址,Windows 将不会尝试对主机进行 Kerberos 身份验证。诸如 NTLM 之类的身份验证协议。”
请注意,域中可能存在限制/禁用 NTLM 的 GPO - 因为这可能存在安全风险。
要检查,请运行“RSOP”。
GPO 位于:计算机配置 >政策> Windows 设置 >安全设置>本地策略/安全选项 >网络安全
允许基本身份验证并允许受信任主机中的“*”让我有点畏缩:)
GL HF
As Don touched on this, here is more info
Using the IP is Kerberos authentication problem
If you are on a AD Domain and need a more elegant solution than allowing NTLM and trusted hosts: https://learn.microsoft.com/en-us/windows-server/security/kerberos/configuring-kerberos-over-ip
" Beginning with Windows 10 version 1507 and Windows Server 2016, Kerberos clients can be configured to support IPv4 and IPv6 hostnames in SPNs.
By default Windows will not attempt Kerberos authentication for a host if the hostname is an IP address. It will fall back to other enabled authentication protocols like NTLM. "
Note that there might be GPOs limiting / disabling NTLM in the domain - since this can be a security risk
To check run "RSOP".
GPOs are under: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies/Security Options > Network Security
Allowing basic auth and allowing "*" in Trusted hosts makes me cringe a bit :)
GL HF
我花了很多时间终于得到了解决方案。以下是解决此问题的步骤 -
I spend a great amount of time and finally got the solution. Following are the steps to do fix this -