为 powershell 多跳问题正确设置 CredSSP [英] Setting up CredSSP properly for powershell multi-hop issue
问题描述
我在编写的脚本中遇到了双跳问题.现在的问题是,当我在远程计算机上访问 New-PSSession 时,出现以下错误:
I've encountering the double-hop issue with a script I'm writing. Issue right now is that when I get to New-PSSession on the computer remoting in. I get the following error:
图片链接如果太难阅读
这是在原始服务器上运行的代码:
Here's the code that runs on the original server:
$password = ConvertTo-SecureString "password" -AsPlainText -Force
$cred= New-Object System.Management.Automation.PSCredential ("domain\admin", $CApassword)
$sesh = new-pssession -computername "MSSCA" -credential $CAcred -Authentication CredSSP
这个 $sesh 变量返回 null 并抛出上面的错误.
This $sesh variable comes back null and throws the error above.
执行 powershell 脚本/远程处理的服务器设置为将新凭据委托给 mssca(我 DID 指定了此目标服务器的 FQDN),同样 mssca 设置为接收.
Server executing powershell script/remoting is set to delegate fresh credentials to mssca (I DID specify the FQDN for this target server), and likewise mssca is set to receive.
我按照错误消息的说明修改组策略,在Configuration->下启用,该凭据已设置为将新凭据委派给 Allow Delegating Fresh Credentials;管理模板 ->系统 ->凭证委托 ->允许委派新凭据mssca.
I followed the instructions of the error message to modify the group policy, enabling Allow Delegating Fresh Credentials under Configuration -> Administrative Templates -> System -> Credentials Delegation -> Allow Delegating Fresh Credentials which was already set up to delegate fresh credentials to mssca.
有什么想法可以解决这个问题吗?
Any ideas how I can fix this?
推荐答案
想通了.尽管错误消息说使用 FQDN,但我的脚本并未使用 FQDN.在使用仅 NTLM 服务器身份验证"选项并将组策略设置更改为仅 mssca 而不是 FQDN 后,它起作用了.
Figured it out. Though the error message said to use the FQDN, my script was not using the FQDN. After using the "NTLM-only server authentication" option instead as well as changing the the group policy setting to just mssca and NOT the FQDN, it worked.
这篇关于为 powershell 多跳问题正确设置 CredSSP的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
