当前位置：文江博客话题详情

powershell remote-access invoke-command

Invoke-Command未能在远程计算机上运行另一个Invoke-Command

发布于 2025-01-23 07:33:16 字数 2378 浏览 0 评论 0 原文

我的设置。我有三个PC：myComp，server1和server2和两个使用Invoke-command command remtest1.ps1的类似脚本，在远程server1上调用remtest2.ps1。 Remtest2使用Invoke-Command在Server2上运行脚本块。我在PowerShell版本5.1上当我从MyComp到Server1运行脚本时，它可以正常运行。当我从Server1到Server2运行时，它也可以正常运行。但是，当我从MyComp到Server1运行时，必须运行然后在Server2上运行，我会收到以下消息：

[server2]连接到远程服务器2 错误消息：WINRM无法处理请求。使用Kerberos身份验证时发生了以下错误代码0x8009030E的错误：不存在指定的登录会话。它可能已经终止。

这三台计算机都位于同一域中。我没有管理特权。我尝试将Server2添加到Server1上的TrustedHosts。它没有帮助。我添加了用户名的脚本打印，以确保在使用域用户的所有PC上。

如果有人可以帮助解决这个问题，请提供帮助。为了重现问题，我创建了一个非常简单的我的脚本示例。

remtest1.ps1

$LocalRepDir  = 'D:\Reps'
$RemoteWrkDir = 'D:\wrk'
$Server1      = 'Server1'

#script block to run on remote Server1
$Run = {
    "Script block from RemTest1"
    $env:COMPUTERNAME + " User = $(whoami)" 
    cd $using:RemoteWrkDir
    ls
    # call script from remote server1
    .\RemTest2.ps1

}

$env:COMPUTERNAME + " RemTest1 User = $(whoami)" | Out-File -FilePath "$LocalRepDir\res.txt"

$Output = @()  # to grab an output from remote servers

$Output = Invoke-Command -ComputerName $Server1 -ScriptBlock $Run
$Output | Out-File -FilePath "$LocalRepDir\res.txt" -Append

remtest2.ps1

$LocalRepDir  = 'D:\Reps'
$RemoteWrkDir = 'D:\wrk'
$Server2      = 'Server2'

#script block to run on remote Server2
$Run = {
    "Script block from RemTest2"
    $env:COMPUTERNAME +" User = $(whoami)" 
    cd $using:RemoteWrkDir
    ls
}

$env:COMPUTERNAME +" script RemTest2 User = $(whoami)"
$Output = @()  # to grab output from remote servers


$Output = Invoke-Command -ComputerName $Server2 -ScriptBlock $Run
$Output | Out-File -FilePath "$RemoteWrkDir\res.txt

这些脚本的输出

MyComp RemTest1 User = MyDomain\MyLogin
Script block from RemTest1
SERVER1 User = MyDomain\MyLogin


    Directory: D:\wrk


Mode                 LastWriteTime         Length Name            PSComputerName 
----                 -------------         ------ ----            -------------- 
-a---          4/23/2022  12:09 AM            490 RemTest2.ps1    SERVER1        
-a---          4/23/2022  12:06 AM              0 res.txt         SERVER1        
SERVER1 script RemTest2 User = MyDomain\MyLogin

您看不到我没有从server2中从remtest2脚本块中收到输出。相反，我收到了错误消息。请帮助

原文

My setup. I have three PCs : MyComp, Server1, and Server2 and two similar scripts used invoke-command RemTest1.ps1, which calls RemTest2.ps1 on remote Server1. And RemTest2 use invoke-command to run script block on Server2. I am on Powershell version 5.1
When I run script from MyComp to Server1 it works fine.
When I run from Server1 to Server2 it also runs fine.
But when I run from MyComp to Server1, which have to run then on Server2 I receive the following message:

[Server2] Connecting to remote server Server2 failed with the following
error message : WinRM cannot process the request. The following error with errorcode 0x8009030e occurred while using Kerberos authentication: A specified logon session does not exist. It may already have been terminated.

All three computers are in the same domain. I don't have Admins privileges. I tried to add Server2 to TrustedHosts on Server1. It did not help. I added to scripts print of username to make sure on all PCs used the domain user.

If somebody can help with the problem, please help.
To reproduce the problem I created a very simple example of my two scripts.

RemTest1.ps1

$LocalRepDir  = 'D:\Reps'
$RemoteWrkDir = 'D:\wrk'
$Server1      = 'Server1'

#script block to run on remote Server1
$Run = {
    "Script block from RemTest1"
    $env:COMPUTERNAME + " User = $(whoami)" 
    cd $using:RemoteWrkDir
    ls
    # call script from remote server1
    .\RemTest2.ps1

}

$env:COMPUTERNAME + " RemTest1 User = $(whoami)" | Out-File -FilePath "$LocalRepDir\res.txt"

$Output = @()  # to grab an output from remote servers

$Output = Invoke-Command -ComputerName $Server1 -ScriptBlock $Run
$Output | Out-File -FilePath "$LocalRepDir\res.txt" -Append

RemTest2.ps1

$LocalRepDir  = 'D:\Reps'
$RemoteWrkDir = 'D:\wrk'
$Server2      = 'Server2'

#script block to run on remote Server2
$Run = {
    "Script block from RemTest2"
    $env:COMPUTERNAME +" User = $(whoami)" 
    cd $using:RemoteWrkDir
    ls
}

$env:COMPUTERNAME +" script RemTest2 User = $(whoami)"
$Output = @()  # to grab output from remote servers


$Output = Invoke-Command -ComputerName $Server2 -ScriptBlock $Run
$Output | Out-File -FilePath "$RemoteWrkDir\res.txt

Output of these scripts

MyComp RemTest1 User = MyDomain\MyLogin
Script block from RemTest1
SERVER1 User = MyDomain\MyLogin


    Directory: D:\wrk


Mode                 LastWriteTime         Length Name            PSComputerName 
----                 -------------         ------ ----            -------------- 
-a---          4/23/2022  12:09 AM            490 RemTest2.ps1    SERVER1        
-a---          4/23/2022  12:06 AM              0 res.txt         SERVER1        
SERVER1 script RemTest2 User = MyDomain\MyLogin

As you can see I did not receive output from the RemTest2 script block from SERVER2. Instead I received error message.
Please help.Invoke-Command

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

中性美 2025-01-30 07:33:16

出于安全目的，Windows不会让您从远程会话内传递凭据。

如果您将其传递基于密码的凭据，它可能会起作用。我的环境是基于证书的，我永远无法使其正常工作。

最好只是让第一台机器向两个服务器发送相同的命令。

Invoke命令可以同时使用两个机器名称。

您也许可以通过SSH来完成您的工作，Windows现在可以支持这一点。但是您的命令将完全不同，仍然需要密码或SSH键。

对于Invoke命令到第二台计算机中，您可以尝试...

Invoke-Command -ComputerName $Server2 -ScriptBlock $Run -Credential (get-credential)

您还应该在第二服务器上附加登录，否则您将覆盖它。或者只是将其打印到屏幕上，而初始Invoke命令也应保存其输出。

$Output | Out-File -FilePath "$RemoteWrkDir\res.txt" -Append

但是据我所知，您无法做自己的目标。

本文解释了它是什么。和利弊。我强烈建议您反对。通常，如果您想自动化此功能，则必须将凭据存储在第二个脚本中。

它还指出您还必须认为一个值得这样做的帐户。它是高度复杂的，应在100％必要的情况下使用。一个例子是，如果您要创建一个僵尸网络来扩展某些配置。但是使用MECM之类的工具，这在企业中是不必要的

For security purposes, windows won't let you pass credentials from inside a remote session.

It might work if you pass it password based credentials. My environment is certificate based and I was never able to make it work.

You're better off just having the first machine sending the same commands to both servers.

Invoke command can take both machine names simultaneously.

You might be able to do what you're doing via ssh, windows now supports that. But your commands would be completely different and still need passwords or ssh keys.

For invoke command into the second computer, you might can try...

Invoke-Command -ComputerName $Server2 -ScriptBlock $Run -Credential (get-credential)

Also you should append your log on the second server otherwise you'll overwrite it. Or just have it print to the screen and the initial invoke command should save it's output as well.

$Output | Out-File -FilePath "$RemoteWrkDir\res.txt" -Append

But as far as I'm aware you can't do what you're aiming to do.

This article explains what it is. And pros and cons. I highly advise against it. As generally you have to store credentials in the second script if you wanna automate this.

https://learn.microsoft.com/en-us/powershell/scripting/learn/remoting/ps-remoting-second-hop?view=powershell-7.2

It also states you have to deem an account worthy to do this. It's highly convoluted and should be used in 100% necessary scenarios. One example would be if you are creating a botnet to mass spread certain configurations. But with tools like mecm, this is sort of not necessary in an enterprise

回复收藏 0 原文

~没有更多了~