Problem
I'd like to enable remote PowerShell scripting for all workstation hosts on a VLAN. There's no Active Directory or Directory services whatsoever. So HOST A on subnet 192.168.1.x would like to query HOST B 192.168.2.x.
I've already run:
Enable-PSRemoting -force
A prompt for credentials would be the desired result for any workstation on the VLAN. The admin stations are on subnet 192.168.1.x and fall in the IP range 192.168.1.10-20.
Question
Is it possible to allow PowerShell remote auth for hosts in that range, or any IP coming from a particular subnet?:
192.168.1.0/24
To clarify: I am setting up workstations to deploy and I'd like them to be set up to allow me remote PowerShell powers out in the field. My admin stations are at one subnet and the workstations to be deployed are at numerous others.
RTFM
I'm looking at this link from Microsoft:
http://technet.microsoft.com/en-us/magazine/ff700227.aspx
This suggests that I need to run the following for each admin computer:
winrm s winrm/config/client '@{TrustedHosts="RemoteComputer"}'
Can someone confirm or refute this?
If you are not using Kerberos/AD authentication, which you are not, then you will have to add each machine to your TrustedHosts configuration -OR- you will have to set up SSL between each node. The best way to achieve the former would be with a script of course. A script that uses a list of machine names from a file, probably.
Secondly, you can run a PSRemoting session with "Negotiate" authentication, which will prompt you for creds, like so:
The only reason I did not get prompted for creds in the above screenshot is because I had already stored the credentials in the $creds variable. Otherwise it will prompt you.
I don't mean to be self-promoting, but I covered all of these topics in great detail on my blog here (parts 1 and 2), and I'm sure it will help you out some:
http://www.myotherpcisacloud.com/post/2012/01/26/Monitoring-with-Windows-Remote-Management-(WinRM)-and-Powershell-Part-I.aspx
The reason why you have to add a host to the TrustedHosts list on the computer trying to make the connection is because of the inherent lack of mutual authentication in a non-Kerberos or SSL environment.
(Edited for clarity.)
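The approach from the answer above (a TrustedHosts list built from a file, then a Negotiate session that prompts for credentials), as an added example that is not part of the original answer. The function names, the list file `workstations.txt` and the two 192.168.2.x addresses are assumptions constructed for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example. Run on the admin station: TrustedHosts is a client-side WinRM setting.

function Add-TrustedHostsFromFile {
    param([Parameter(Mandatory)][string]$Path)   # hypothetical list file, one host or IP per line
    $key = 'WSMan:\localhost\Client\TrustedHosts'

    # The stored value is one comma-separated string (empty when nothing is trusted yet).
    $current = @((Get-Item $key).Value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })

    # Skip blank lines and '#' comment lines in the list file.
    $wanted = @(Get-Content $Path | ForEach-Object { $_.Trim() } | Where-Object { $_ -and $_ -notmatch '^#' })

    # A bare '*' would trust every host this client ever connects to, so reject it.
    if ($wanted -contains '*') { throw "Refusing to add '*' to TrustedHosts" }

    # Merge with the existing entries instead of overwriting them.
    $merged = @($current + $wanted | Sort-Object -Unique)
    Set-Item $key -Value ($merged -join ',') -Force
    return $merged
}

function Connect-WorkstationNegotiate {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][pscredential]$Credential
    )
    # Without a domain there is no Kerberos, so Negotiate settles on NTLM.
    New-PSSession -ComputerName $ComputerName -Credential $Credential -Authentication Negotiate -ErrorAction Stop
}

# Constructed sample input: two addresses in the workstation subnet from the question.
$list = Join-Path $env:TEMP 'workstations.txt'
@('# deployed workstations (constructed sample)', '192.168.2.21', '192.168.2.22') | Set-Content $list

$trusted = Add-TrustedHostsFromFile -Path $list
"TrustedHosts is now: $($trusted -join ',')"

$creds = Get-Credential   # prompts once; use an account that exists on the workstation
foreach ($h in '192.168.2.21', '192.168.2.22') {
    try {
        $s = Connect-WorkstationNegotiate -ComputerName $h -Credential $creds
        Invoke-Command -Session $s -ScriptBlock { $env:COMPUTERNAME }
        Remove-PSSession $s
    } catch {
        Write-Warning "$h : $($_.Exception.Message)"
    }
}
```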
It's hard to understand exactly what it is you're requesting, but if I understand it correctly, this might help. Basically looping through 192.168.2.0/24, pinging it, if it responds, running the command you posted.
The * actually works as a wildcard with IP addresses. E.g.: