Home / server / Questions / 624762
In Process
Michael Sorens
Asked: 2014-08-29 07:54:47 +0800 CST

New-PSSession across domain boundaries

  • 772

I am trying to bring up a virtual machine that needs to be able to create new sessions (with New-PSSession). The highly engaging about_Remote_Troubleshooting is my constant companion, of course!

After bringing up a basic machine (Win 8.1 Enterprise):

  • My company's primary domain is, say, mycompany.com.
  • We have a development domain dev.mycompany.com so that developers have a sandbox to play with.
  • I added the new VM (named my-vm) to the development domain dev.mycompany.com.
  • I have a local account on the new VM, my-vm\msorens which is in the Administrators group on the local machine.

First Hurdle:

Attempting to run just New-PSSession failed with access denied because of cross-domain issues. Per the troubleshooting page referenced above:

When a user in another domain is a member of the Administrators group on the local computer, the user cannot connect to the local computer remotely with Administrator privileges.

I am not convinced this is true (due to my inexperience in domain issues) but applying the recipe for that remedy allowed the basic New-PSSession to work:

New-ItemProperty `
-Name LocalAccountTokenFilterPolicy `
-Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System `
-PropertyType DWord `
-Value 1

(And that, while less secure, is fine, as it is just a sandbox VM.)

Second Hurdle:

With the above patch in place I could successfully do any of these:

PS> New-PSSession
PS> New-PSSession -ComputerName localhost
PS> New-PSSession -ComputerName my-vm

However, my actual need is to give the FQDN of the machine:

PS> New-PSSession -ComputerName my-vm.dev.mycompany.com

That fails because of missing credentials. Which brings us to this:

PS> New-PSSession -ComputerName my-vm.dev.mycompany.com -Credential (Get-Credential)

I have tried my local (my-vm) credentials, which resulted in WinRM cannot process the request; no logon servers available.

I have tried my company domain credentials (note that is mycompany.com not the domain the VM is actually on dev.mycompany.com), which resulted in Access is denied.

Is there a way to make this work?

domain

1 Answers

  1. At work we have the same situation. Here a some steps we do at new coworker computers so they are able to connect to these server how are outside our domain.

    On client side

    winrm quickconfig
winrm set winrm/config/client '@{TrustedHosts="Computer1,Computer2"}'

    On server side

    Enable-PSRemoting -Force
winrm quickconfig

    For HTTPS

    winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname="_";CertificateThumbprint="_"}

    For HTTP

    winrm create winrm/config/Listener?Address=*+Transport=HTTP

    Test with

    Test-WsMan ComputerName
Test-WsMan ComputerName -UseSSL

    Create a session with 

    New-PSSession -ComputerName Computer1 -Credential (Get-Credential)

    Of course you need to configure your firewall to let the server listen on the powershell remoting port.

    Edit: Set TrustedHosts with PowerShell

    Or with PowerShell (as Admin)

    Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value "Computer1,Computer2"

    And check (don't need Admin for that)

    Get-Item WSMan:\localhost\Client\TrustedHosts
    • 10