Remote PowerShell between LAN and DMZ/Exchange Edge Server

Gerrit Deike 21

Hi!

I'm trying to configure a dashboard to get regular updates on the health of our Exchange Servers. Now I've run into a roadblock:

I want to connect from a local server, where our dashboard system is running to our Exchange Edge Servers via Remote PowerShell, but I can't seem to be able to connect. I've activated remote PowerShell on the Edge Servers and tested WinRM, to make sure that we get passed the firewall, but then I get the following errors, depending on how I try to connect:

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://<ServerName>/PowerShell/ -Authentication Kerberos -Credential $UserCredential``

New-PSSession : [app370300] Connecting to remote server <ServerName> failed with the following error message : WinRM cannot process the request. The following error with errorcode 0x80090311 occurred while using Kerberos authentication: There are currently no logon servers available to service the logon request.``

Possible causes are:``

-The user name or password specified are invalid.``

-Kerberos is used when no authentication method and no user name are specified.``

-Kerberos accepts domain user names, but not local user names.``

-The Service Principal Name (SPN) for the remote computer name and port does not exist.``

-The client and remote computers are in different domains and there is no trust between the two domains. After checking for the above issues, try the following:``

-Check the Event Viewer for events related to authentication.``

-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.``

Note that computers in the TrustedHosts list might not be authenticated.`` ``

-For more information about WinRM configuration, run the following command: winrm help config. For more`` ``information, see the about_Remote_Troubleshooting Help topic.``

At line:1 char:12`` ``+ $Session = New-PSSession -ConfigurationName Microsoft.Exchange -Conne ...`` ``+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`` `` + CategoryInfo : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotin`` `` gTransportException + FullyQualifiedErrorId : AuthenticationFailed,PSSessionOpenFailed

This error, I can understand. Exchange Online doesn't use IIS, so there is no URL to connect to, but then I tried Enter-PSSession and got this error:

Enter-PSSession -ComputerName <ServerName> -Credential $UserCredential``

Enter-PSSession : Connecting to remote server <ServerName> failed with the following error message : WinRM cannot process the request. The following error with errorcode 0x80090311 occurred while using Kerberos authentication: There are`` ``currently no logon servers available to service the logon request.``

Possible causes are:``

-The user name or password specified are invalid.``

-Kerberos is used when no authentication method and no user name are specified.``

-Kerberos accepts domain user names, but not local user names.``

-The Service Principal Name (SPN) for the remote computer name and port does not exist.``

-The client and remote computers are in different domains and there is no trust between the two domains.`` ``After checking for the above issues, try the following:``

-Check the Event Viewer for events related to authentication.``

-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or`` ``use HTTPS transport.``

Note that computers in the TrustedHosts list might not be authenticated.`` ``

-For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.`` ``At line:1 char:1`` ``+ Enter-PSSession -ComputerName <ServerName> -Credential $UserCredential`` ``+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`` `` + CategoryInfo : InvalidArgument: (<ServerName:String) [Enter-PSSession], PSRemotingTransportException`` `` + FullyQualifiedErrorId : CreateRemoteRunspaceFailed

I also tried adding -Authentication Negotiate, but the result was the same. :(

Does anyone here have experience in connecting Remote PowerShell to Exchange Edge Servers? I would be greatful for any and all input.

Best Regards,

Gerrit Deike (System Engineer Exchange)

1 answer

Jake Zhang-MSFT 7,850 Reputation points Microsoft Vendor

2024-12-10T02:07:05.7433333+00:00
Hi @Gerrit Deike ,

Welcome to the Microsoft Q&A platform!

Based on your description, you are experiencing some common issues related to remote PowerShell connections to Exchange Edge Servers. Let's troubleshoot this issue step by step:

Make sure that the username and password you are using are correct and have the necessary permissions.

Verify that Kerberos authentication is configured correctly. Kerberos requires that both the client and server are in the same domain or that there is a trust relationship between the domains.

Make sure that the SPN for the remote computer name and port exists. You can use the setspn command to check and set the SPN.

Make sure that WinRM is configured correctly on both the client and server. You can run winrm quickconfig on both machines to set the necessary settings.

If the target computer is not in the same domain, add it to the WinRM TrustedHosts list. Use the following command:

Set-Item WSMan:\localhost\Client\TrustedHosts -Value "<ServerName>"

If using HTTPS, make sure that the SSL certificate is configured correctly and trusted.

Verify that the firewall settings allow traffic on the necessary ports (the default value for HTTP is 5985 and the default value for HTTPS is 5986).

Make sure there are no network issues preventing communication between the client and server.

If Kerberos does not work, try using Basic or NTLM authentication. Note that Basic authentication requires HTTPS to be secure:

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://<ServerName>/PowerShell/ -Authentication Basic -Credential $UserCredential

Make sure that remote PowerShell is enabled and configured correctly on the Exchange Edge server. You can enable it with the following command:

Enable-PSRemoting -Force

Please feel free to contact me for any updates. And if this helps, don't forget to mark it as an answer.

Best,

Jake Zhang
Please sign in to rate this answer.
Gerrit Deike 21 Reputation points

2024-12-10T08:54:08.02+00:00

Hi Jake,

thanks for your input. Just to clarify, the Exchange Edge Servers are NOT AD-members, so Kerberos is not an option. Should we still set the SPN eventhough the servers are not part of any domain?

I did all the other steps, without success. :(

Jake Zhang-MSFT 7,850 Reputation points Microsoft Vendor

2024-12-11T02:48:15.7666667+00:00

Hi @Gerrit Deike ,

Welcome to the Microsoft Q&A platform!

Since your Exchange Edge Server is not part of an Active Directory domain, Kerberos authentication and SPNs are not applicable. Instead, you should focus on using NTLM or Basic authentication. Here are some steps you can take:

NTLM can be used for authentication in a workgroup environment. You can try to connect using NTLM by specifying the -Authentication parameter:

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://<ServerName>/PowerShell/ -Authentication Negotiate -Credential $UserCredential

Since the server is not in a domain, you need to add the Edge server to the TrustedHosts list on the client computer:

Set-Item WSMan:\localhost\Client\TrustedHosts -Value "<ServerName>"

If you have multiple servers, you can separate them with commas:

Set-Item WSMan:\localhost\Client\TrustedHosts -Value "Server1,Server2"

If you decide to use Basic Authentication, make sure to encrypt the credentials using HTTPS:

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://<ServerName>/PowerShell/ -Authentication Basic -Credential $UserCredential

Make sure PowerShell is enabled on the Edge server Remoting:

Enable-PSRemoting -Force

Verify that WinRM is configured correctly on both the client and server. Run winrm quickconfig on both machines to ensure that the necessary settings are applied.

Ensure that the firewalls on both the client and server allow traffic on the necessary ports (the default port is 5985 for HTTP and 5986 for HTTPS).

By following these steps, you should be able to establish remote PowerShell sessions with Exchange Edge servers, even if they are not part of an AD domain.

Please feel free to contact me for any updates. And if this helps, don't forget to mark it as an answer.

Best,

Jake Zhang

Gerrit Deike 21 Reputation points

2024-12-11T07:22:01.9466667+00:00

Good Morning Jake,

thanks for the clairification. I followed your instructions and this is the result:

I checked with our firewall guys and they confirmed that ports 5985 and 5986 are open and being used. I also did Enable-PSRemoting -Force (again ;) ) on all of the Edge Servers. I then used New-PSSession with the -Negotiate flag, because Basic-Auth is disabled in our system.

As I expected, it failed, because the Edge Servers do not use IIS and don't have a /PowerShell virutal directory. Next I tried Enter-PSSession, with the following result:

Now you're up. ;)

P.S. I also tried turning off the Firewall on the Edge Server, just in case. I got the same Access is denied error. :(

Jake Zhang-MSFT 7,850 Reputation points Microsoft Vendor

2024-12-12T02:46:43.0766667+00:00

Hi @Gerrit Deike ,

Thanks for the detailed update!

It looks like you're running into a couple of specific issues. Let's address them one by one.

Issue with New-PSSession

Since the Edge Servers do not use IIS and lack a /PowerShell virtual directory, New-PSSession with the -ConfigurationName Microsoft.Exchange won't work. This is expected behavior for Edge Servers.

Issue with Enter-PSSession

The "Access is denied" error when using Enter-PSSession suggests a permissions issue. Here are some steps to troubleshoot and resolve this:

Ensure that the user account you're using has the necessary permissions to perform remote operations on the Edge Servers. The account should be a member of the local Administrators group on the Edge Servers.

Verify that the WinRM service is running on the Edge Servers. You can check this by running:

Get-Service WinRM

If the service is not running, start it with:

Start-Service WinRM

Ensure that the local security policy on the Edge Servers allows remote management. You can configure this in the Local Group Policy Editor (gpedit.msc):

Navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Service.

Enable Allow remote server management through WinRM.

Double-check that the Edge Servers are correctly added to the TrustedHosts list on the client machine:

Set-Item WSMan:\localhost\Client\TrustedHosts -Value "<ServerName>"

Since Basic authentication is disabled, ensure that NTLM or Negotiate is properly configured. You can explicitly specify NTLM:

Enter-PSSession -ComputerName <ServerName> -Credential $UserCredential -Authentication Negotiate

Look at the Event Viewer on both the client and Edge Servers for any related error messages. This can provide more specific information about why the access is denied.

Although you mentioned the firewall ports are open, ensure there are no other network issues or policies blocking the connection.

Please feel free to contact me for any updates. And if this helps, don't forget to mark it as an answer.

Best,

Jake Zhang

Gerrit Deike 21 Reputation points

2024-12-12T09:44:21.8866667+00:00

Hi Jake,

I checked WinRM. It is running:

I also enabled the Policy:

The Edge Server names (not FQDN or IP-Adresses) are added to the TrustedHosts list on the client machine. There are no entries in the Event Viewer (System / Application / Security) that apply to this problem, and as far as I can tell, there are no policies or other network issues blocking the connection. But I still get this error:

Just to be sure, these are the Auth-Settings...

...on the cleint:

...on the Edge Server:

From my understanding, Negotiate should work. Since I'm copying the username and password from KeyPass to log onto the Edge and for the remote session, there can't be an error their either.

Jake Zhang-MSFT 7,850 Reputation points Microsoft Vendor

2024-12-16T09:51:32.2633333+00:00

Thanks for the detailed information. It looks like you've covered most of the bases. Given that Negotiate should work and you've verified the settings, let's try a few more troubleshooting steps:

Ensure that the WinRM listener is configured correctly on the Edge Server. Run the following command on the Edge Server:

winrm enumerate winrm/config/listener

You should see a listener configured for HTTP (port 5985) or HTTPS (port 5986). If not, you can create one:

winrm create winrm/config/Listener?Address=*+Transport=HTTP

Verify that the WinRM service allows Negotiate authentication. Run the following command on the Edge Server:

winrm get winrm/config/service

Ensure that Auth includes Negotiate. If not, you can set it:

winrm set winrm/config/service/auth @{Negotiate="true"}

Ensure that the local group policy on the Edge Server allows remote management. You can configure this in the Local Group Policy Editor (gpedit.msc):

Navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Service.

Enable Allow remote server management through WinRM.

Even though the Edge Servers are not part of a domain, try using the FQDN or IP address instead of just the server name in your Enter-PSSession command:

Enter-PSSession -ComputerName <FQDN_or_IP> -Credential $UserCredential -Authentication Negotiate

If your client machine is not directly connected to the Edge Server, there might be a double-hop issue. Ensure that CredSSP is enabled if this is the case:

Enable-WSManCredSSP -Role Client -DelegateComputer <ServerName>

Gerrit Deike 21 Reputation points

2024-12-16T10:26:35.06+00:00

Hi Jake,

here is what I got:

PS C:\Windows\system32> winrm enumerate winrm/config/listener Listener [Source="GPO"] Address = * Transport = HTTP Port = 5985 Hostname Enabled = true URLPrefix = wsman CertificateThumbprint ListeningOn = 127.0.0.1, <IP-Address>, <IP-Address>, ::1 Listener Address = * Transport = HTTPS Port = 5986 Hostname = <ServerName> Enabled = true URLPrefix = wsman CertificateThumbprint = e5b1e7a9dc77caa142c54c729d83b2902b8a25e4 ListeningOn = 127.0.0.1, <IP-Address>, <IP-Address>, ::1

PS C:\Windows\system32> winrm get winrm/config/service Service RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD) MaxConcurrentOperations = 4294967295 MaxConcurrentOperationsPerUser = 1500 EnumerationTimeoutms = 240000 MaxConnections = 300 MaxPacketRetrievalTimeSeconds = 120 AllowUnencrypted = false [Source="GPO"] Auth Basic = false [Source="GPO"] Kerberos = true Negotiate = true Certificate = false CredSSP = false CbtHardeningLevel = Relaxed DefaultPorts HTTP = 5985 HTTPS = 5986 IPv4Filter = * [Source="GPO"] IPv6Filter = * [Source="GPO"] EnableCompatibilityHttpListener = false EnableCompatibilityHttpsListener = false CertificateThumbprint AllowRemoteAccess = true [Source="GPO"]

PS C:\WINDOWS\system32> Enable-WSManCredSSP -Role Client <ServerName> CredSSP Authentication Configuration for WS-Management CredSSP authentication allows the user credentials on this computer to be sent to a remote computer. If you use CredSSP authentication for a connection to a malicious or compromised computer, that computer will have access to your user name and password. For more information, see the Enable-WSManCredSSP Help topic. Do you want to enable CredSSP authentication? [Y] Yes [N] No [S] Suspend [?] Help (default is "Y"): cfg : http://schemas.microsoft.com/wbem/wsman/1/config/client/auth lang : en-US Basic : Basic Digest : Digest Kerberos : true Negotiate : true Certificate : true CredSSP : true

In the end I'm still getting:

Enter-PSSession -ComputerName <ServerName> -Credential $UserCredential -Authentication Negotiate Enter-PSSession : Connecting to remote server <ServerName> failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic. At line:1 char:1 + Enter-PSSession -ComputerName <ServerName> -Credential $UserCredential - ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : InvalidArgument: (<ServerName>:String) [Enter-PSSession], PSRemotingTransportException + FullyQualifiedErrorId : CreateRemoteRunspaceFailed

Jake Zhang-MSFT 7,850 Reputation points Microsoft Vendor

2024-12-18T08:27:16.81+00:00

Thanks for the detailed information. It looks like you've done a thorough job troubleshooting so far. Given the "Access is denied" error and the steps you've already taken, let's try a few more specific checks and configurations:

Ensure that the user account you're using is a member of the local Administrators group on the Edge Server. You can check this by running:

net localgroup Administrators

Explicitly set the permissions for the WinRM service to allow the user account. Run the following command on the Edge Server:

winrm configSDDL default

This will display the current permissions. Ensure that your user account has the necessary permissions. You can modify the permissions using the Set-ACL cmdlet if needed.

Ensure that the client machine's TrustedHosts list includes the Edge Server and vice versa. On the Edge Server, add the client machine to the TrustedHosts list:

Set-Item WSMan:\localhost\Client\TrustedHosts -Value "<ClientMachineName>"

Sometimes, using the IP address instead of the hostname can bypass DNS resolution issues. Try connecting using the IP address of the Edge Server:

Enter-PSSession -ComputerName <EdgeServerIP> -Credential $UserCredential -Authentication Negotiate

Try using a different user account that has administrative privileges on the Edge Server to rule out any account-specific issues.

Example Command with IP Address

Here's an example of how you might use Enter-PSSession with the IP address:

Enter-PSSession -ComputerName <EdgeServerIP> -Credential $UserCredential -Authentication Negotiate

Jake Zhang-MSFT 7,850 Reputation points Microsoft Vendor

2024-12-20T07:31:27.8766667+00:00

Hi @Gerrit Deike

Please kindly consider this comment as a warm follow up, I want to know if your problem has been solved. If you still have any other questions, please feel free to comment here and I'm glad to provide further support.If the above info is helpful to this question, you can click "Accept Answer". Have a nice day!

Best,

Jake Zhang
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.