비 도메인 서버에서 원격 PS 세션이 실패 함

Win8 호스트 (동일한 서브넷, 로컬 VM)의 PS를 사용하여 도메인에 가입하지 않은 원격 Win2008R2 서버에 연결하려고합니다. 내가 찾을 수있는 모든 것을 시도했지만 아무것도 작동하지 않습니다.

섬기는 사람:

PS C:\Users\Administrator> winrm quickconfig
PS C:\Users\Administrator> enable-psremoting

고객:

PS C:\scripts> $cred = get-credential -username "administrator" -message "Enter password"

PS C:\scripts> $sess = new-pssession -computername 10.10.106.2 -credential $cred -authentication default
new-pssession : [10.10.106.2] Connecting to remote server 10.10.106.2 failed with the following error message : The
WinRM client cannot process the request. If the authentication scheme is different from Kerberos, or if the client
computer is not joined to a domain, then HTTPS transport must be used or the destination machine must be added to the
TrustedHosts configuration setting. Use winrm.cmd to configure TrustedHosts. Note that computers in the TrustedHosts
list might not be authenticated. You can get more information about that by running the following command: winrm help
config. For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:9
  + $sess = new-pssession -computername 10.10.106.2 -credential $cred -authenticatio ...
  + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotingTransportException
    + FullyQualifiedErrorId : ServerNotTrusted,PSSessionOpenFailed

PS C:\scripts> winrm set winrm/config/client '@{TrustedHosts="10.10.106.2"}'
WSManFault
Message = The client cannot connect to the destination specified in the request. Verify that the service on the dest
ination is running and is accepting requests. Consult the logs and documentation for the WS-Management service running o
n the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the
destination to analyze and configure the WinRM service: "winrm quickconfig".
Error number:  -2144108526 0x80338012
The client cannot connect to the destination specified in the request. Verify that the service on the destination is run
ning and is accepting requests. Consult the logs and documentation for the WS-Management service running on the destinat
ion, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination t
o analyze and configure the WinRM service: "winrm quickconfig".

PS C:\scripts> $sess = new-pssession -computername 10.10.106.2 -credential $cred -usessl
new-pssession : [10.10.106.2] Connecting to remote server 10.10.106.2 failed with the following error message : WinRM
cannot complete the operation. Verify that the specified computer name is valid, that the computer is accessible over
the network, and that a firewall exception for the WinRM service is enabled and allows access from this computer. By
default, the WinRM firewall exception for public profiles limits access to remote computers within the same local
subnet. For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:9
  + $sess = new-pssession -computername 10.10.106.2 -credential $cred -usessl
  +         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotin   gTransportException
    + FullyQualifiedErrorId : WinRMOperationTimeout,PSSessionOpenFailed

Oh와 RDP는 동일한 자격 증명을 가진 두 호스트간에 제대로 작동합니다.

이것조차도 작동합니다.

PS C:\scripts> Get-WinEvent -computername 10.10.106.2 -credential $cred

클라이언트 측

winrm quickconfig
winrm set winrm/config/client '@{TrustedHosts="Computer1,Computer2"}'

서버 측

Enable-PSRemoting -Force
winrm quickconfig

https

winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname="_";CertificateThumbprint="_"}

http

winrm create winrm/config/Listener?Address=*+Transport=HTTP

로 테스트

Test-WsMan ComputerName
Test-WsMan ComputerName -UseSSL

편집 : PowerShell을 사용하여 TrustedHosts 설정

또는 PowerShell (관리자 권한)

Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value "Computer1,Computer2"

확인하십시오 (관리자가 필요하지 않음)

Get-Item WSMan:\localhost\Client\TrustedHosts

해당 오류 메시지 중 하나에서 발견 된 문제는 다음과 같습니다.

인증 체계가 Kerberos와 다르거 나 클라이언트 컴퓨터가 도메인에 가입되어 있지 않으면 HTTPS 전송을 사용하거나 대상 컴퓨터를 TrustedHosts 구성 설정에 추가해야합니다.

기본적으로 기본 HTTP가 아닌 HTTPS를 사용하도록 WinRM을 설정 하거나 연결중인 컴퓨터에서 연결중인 컴퓨터를 신뢰할 수있는 호스트로 추가해야합니다.

내 문제는 AWS에서 호스팅되는 인스턴스였습니다.

• 인스턴스 보안 그룹에서 5985를 열어야했습니다.

• 모든 프로필과 원격 주소에 5985를 허용하도록 방화벽 규칙을 수정해야했습니다.

  New-NetFirewallRule -Name PsRemotingHttp-방향 인바운드-액션 허용-프로토콜 tcp -LocalPort 5985 -DisplayName PsRemotingHttp

test-wsman을 실행할 때 이것을 해결했습니다.

"기본적으로 공개 프로필에 대한 WinRM 방화벽 예외는 동일한 로컬 서브넷 내의 원격 컴퓨터에 대한 액세스를 제한합니다."

나는 마침내 내 일을 얻었습니다 ... 여기서 xxx.xxx.xxx.xxx는 IP 주소입니다.

PS C:\Users\Administrator> winrm quickconfig
WinRM service is already running on this machine.
WinRM is already set up for remote management on this computer.
PS C:\Users\Administrator> Enable-PSRemoting -Force
WinRM is already set up to receive requests on this computer.
WinRM is already set up for remote management on this computer.
PS C:\Users\Administrator> winrm set winrm/config/client '@{TrustedHosts="xxx.xxx.xxx.xxx"}'
Client
    NetworkDelayms = 5000
    URLPrefix = wsman
    AllowUnencrypted = false
    Auth
        Basic = true
        Digest = true
        Kerberos = true
        Negotiate = true
        Certificate = true
        CredSSP = false
    DefaultPorts
        HTTP = 5985
        HTTPS = 5986
    TrustedHosts = xxx.xxx.xxx.xxx

PS C:\Users\Administrator> Enter-PSSession  -ComputerName xxx.xxx.xxx.xxx -Credential "~\Administrator"
[xxx.xxx.xxx.xxx]: PS C:\Users\Administrator\Documents>

이 문제가 몇 달이 지나면 원격 서버의 IP와 신뢰할 수있는 호스트에 DNS 이름을 모두 추가해야한다는 것이 밝혀졌습니다. IP를 추가하는 것만으로는 충분하지 않았습니다!