Dan Sanders
Copyright © 2016 Dan Sanders. All Rights Reserved.

Remote PowerShell with SharePoint 2010 Kerberos

By Dan Sanders in PowerShell, SharePoint, posted 31 July, 2013

I have a SharePoint 2010 environment set up with Kerberos authentication, which works well; however, I wanted to enable PowerShell Remoting to perform some tasks from another machine.

There are a lot of blog posts out there on how to accomplish this; however, I was encountering an issue I had trouble resolving.

To enable PowerShell Remoting, type the following on the SharePoint server:

Enable-PSRemoting -Force

I was receiving the below Kerberos error:

Set-WSManQuickConfig : WinRM cannot process the request. The following error occured while using Negotiate authentication: An unknown security error occurred. 
Possible causes are: 

-The user name or password specified are invalid. 
-Kerberos is used when no authentication method and no user name are specified. 
-Kerberos accepts domain user names, but not local user names. 
-The Service Principal Name (SPN) for the remote computer name and port does not exist. 
-The client and remote computers are in different domains and there is no trust between the two domains. 
After checking for the above issues, try the following: 
-Check the Event Viewer for events related to authentication. 
-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport. 
Note that computers in the TrustedHosts list might not be authenticated. 
-For more information about WinRM configuration, run the following command: winrm help config. 
At line:50 char:33 
+ Set-WSManQuickConfig <<<< -force 
+ CategoryInfo : InvalidOperation: (:) [Set-WSManQuickConfig], InvalidOperationException 
+ FullyQualifiedErrorId : WsManError,Microsoft.WSMan.Management.SetWSManQuickConfigCommand

Checking the System event logs:

According to TechNet, the Windows Remote Management (WinRM) service runs under the Network Service account. WinRM also uses SOAP calls over HTTP and defaults to Kerberos. The HTTP service class is one of the built-in service classes that act as an alias for the HOST SPN, and the HOST SPN is mapped to the host computer account. Therefore, when you use the default HTTP service class, the Kerberos protocol uses the computer account as the service account when requesting a service ticket.

When we attempt to use Enable-PSRemoting, we see that the Kerberos request is for HTTP/SP2010.domain.com. So the Network Service account asks for HTTP/SP2010.domain.com, but what it really wants is the host computer account, with HTTP acting as the alias. In any event this will fail, because we have this SPN mapped to our SharePoint service account, which is a best practice.

To locate/add the SPN:

On the SharePoint Server in your PowerShell window type:

Setspn.exe -s HTTP/<server> <server>

Using -S verifies that the SPN does not exist on any other account before adding it.
Using -q HTTP/<server> locates the account where the SPN exists, so it is an acceptable alternative.

As you can see in my screenshot, my service account ‘FindIT Administrator’ has the SPN associated. In my case it is OK to remove the SPN, as HTTP/Intranet is the main web application and an alias to SP2010.

Note: If you use -S and you don’t have a duplicate, you will not need to delete and add the SPN as in the following steps, as it will add it for you.

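To delete the HTTP SPN from the account that currently holds it:

Setspn.exe -d HTTP/<server> <account>

where <server> is the NetBIOS name and <account> is the account the SPN is currently registered to (the service account found above).

Setspn.exe -d HTTP/<server.fqdn> <account>

where <server.fqdn> is the fully qualified domain name of the server.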

Now add the SPN to the computer account as above:

Setspn.exe -s HTTP/<server> <server>

Once complete, you can confirm by running Setspn.exe -q HTTP/sp2010

Now we should be sweet to enable PowerShell Remoting.

Enable-PSRemoting -Force

Test PowerShell Remoting by jumping into localhost:

Enter-PSSession -Computername localhost

To exit:

Exit-PSSession


On a remote computer you should now be able to create a remote PowerShell session to the SharePoint Server.

Note: in my initial testing I temporarily removed the SPN from FindIT Administrator and re-added it after successfully enabling PSRemoting. On the SharePoint server I could successfully remote into localhost; however, on the remote computer I was receiving error 0x8033809D. To resolve this I completed the steps above.
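
An added example, not part of the original post: a read-only PowerShell check that reports which Active Directory account holds HTTP/<server> in both its NetBIOS and FQDN forms, so an SPN sitting on a service account instead of the computer account is visible before running Enable-PSRemoting. The function name Get-HttpSpnOwner and the status labels are made up for this example; it assumes a domain-joined machine and searches only the current domain.

```powershell
# Added example (not the author's code). Read-only: queries AD, changes nothing.
# Assumption: domain-joined machine; only the current domain is searched.
function Get-HttpSpnOwner {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # WinRM's Kerberos request targets HTTP/<name>; check NetBIOS and FQDN forms.
    $short = $ComputerName.Split('.')[0]
    $fqdn  = [System.Net.Dns]::GetHostEntry($ComputerName).HostName
    $machineAccount = $short + '$'   # sAMAccountName of the computer account
    $spns = @("HTTP/$short", "HTTP/$fqdn") | Select-Object -Unique

    foreach ($spn in $spns) {
        # LDAP lookup of the account that has this SPN registered.
        $searcher = [adsisearcher]"(servicePrincipalName=$spn)"
        [void]$searcher.PropertiesToLoad.Add('samaccountname')
        $hits = $searcher.FindAll()
        try {
            if ($hits.Count -eq 0) {
                # No explicit HTTP SPN: the built-in HOST alias on the
                # computer account answers for HTTP, which is what WinRM needs.
                New-Object PSObject -Property @{
                    SPN = $spn; Account = '(none, HOST alias applies)'; Status = 'OK'
                }
            }
            foreach ($hit in $hits) {
                $account = [string]$hit.Properties['samaccountname'][0]
                # 'Conflict' = SPN held by an account other than the computer
                # account, the situation behind the Negotiate error in this post.
                if ($account -ieq $machineAccount) { $status = 'OK' }
                else { $status = 'Conflict' }
                New-Object PSObject -Property @{
                    SPN = $spn; Account = $account; Status = $status
                }
            }
        }
        finally {
            $hits.Dispose()   # release the underlying directory search handle
        }
    }
}

# Run on the SharePoint server before Enable-PSRemoting.
Get-HttpSpnOwner | Format-Table SPN, Account, Status -AutoSize
```

More than one row for the same SPN means it is registered on several accounts, which is the duplicate that Setspn.exe -s refuses to create.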

Dan.