Connecting to Exchange 2013 Exchange Management Shell Load Balancer VIP instead of exchange server name

Hello,

I have configured WNLB between 2 Exchange 2013 client rule servers. LB is working for all needed rules except for remote connectivity to the Exchange Management Shell. When typing the real server name instead of the LB VIP, everything works properly. WNLB has only a DNS record. No AD account or Kerberos is configured.

Here is the command and error:

[PS] C:\Windows\system32>New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://vipname.domainname/PowerShell/

New-PSSession : [vipname.domainname] Connecting to remote server vipname.domainname failed with the following error
message : WinRM cannot process the request. The following error occurred while using Kerberos authentication: Cannot
find the computer usmail.comverse.com. Verify that the computer exists on the network and that the name provided is
spelled correctly. For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://vipname.domainname ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotin
   gTransportException
    + FullyQualifiedErrorId : NetworkPathNotFound,PSSessionOpenFailed

May 11th, 2015 5:36am

Hi,

Looks to me like a certificate issue.

Does your Exchange certificate have vipname.domainname.com in the SAN list, and is that certificate trusted?

  • If you don't have the name, make sure you have that (generate a new certificate; self-signed works for http).
  • If you have the SAN name, install the certificate into the calling PC's (client workstation) Trusted Root Certificates and ensure the certificate is showing using MMC.
  • Use the -Credential Get-Credential with the New-PSSession cmdlet.

Please note that I have not tested this yet.

I have seen some articles saying it's how the feature works. You have to connect to a server, not a CAS array.

Exchange 2010 provisioning via FIM fails with a HTTP 403 error using WinRM

Regards,

Satyajit

Please Vote As Helpful if you find my contribution useful or Mark As Answer if it does answer your question. That will encourage me - and others - to take time out to help you.


May 11th, 2015 6:30am


Hi,

My SAN certificate has all needed names for connection; I checked it twice.

I am even trying to connect to EMS from the same server on which the LB VIP is installed.

It seems to be another issue.

May 12th, 2015 8:09am

Hi,

If that's the case, then the articles I can see around point out that it can't be easily done.

Either you need to figure out another way to choose the server FQDN or enable Kerberos on the CAS array to use the load-balanced VIP name.

RPS URI stands for Remote PowerShell Uniform Resource Identifier.

The Exchange 2010 RPS feature is made available through the /powershell virtual directory (IIS). In order to properly access it, there are some requirements:

  1. Access it using HTTP
  2. Be authenticated using Kerberos

References:

Access /powershell through CAS Array

Kerberos enabled CAS array

Provisioning to Exchange 2010 SP1 load balanced CAS

How to Configure the Exchange 2010 RPS URI

NOTE: The same applies to Exchange 2013 as well.

May 12th, 2015 8:47am

Hi,

Moreover, if you use http, Kerberos kicks in.

Try the below and let me know the error, if any.

PS C:\Users\administrator.Contoso\Desktop> $exchangesession = New-PSSession -Credential $cred -ConnectionUri https://exch1.Contoso.com/PowerShell -ConfigurationName Microsoft.Exchange -AllowRedirection

If you get any error like "The WinRM client received an HTTP bad request status (400), but the remote service did not include any other information about the cause of the failure.", enable Windows authentication for the /powershell virtual directory in IIS under Authentication.

May 12th, 2015 1:53pm

Hello,

When I run the command you wrote, I get the same error I posted.

Regarding Kerberos configuration for CasArray: I did not configure a CasArray (I just have a DNS record for the LB VIP), since CasArray is not in use in Exchange 2013.

May 13th, 2015 11:08am

Hi,

Try this:

Go to the CAS Server IIS -> Default Web Site -> PowerShell -> Authentication

Enable Windows and Basic (only Basic should be enough, but I tested with both, hence mentioned it).

NOTE: I'm forcing the '-Authentication Basic'

$exchangesession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://mail.interfacettlabs.com/powershell -Authentication basic -Credential (Get-Credential)

Let me know if you get any errors.

If it works, you can plan to enable it using the below command for all servers correctly. (Remember we are not supposed to use EAC or EMS wherever possible.)

Get-PowerShellVirtualDirectory | Set-PowerShellVirtualDirectory -BasicAuthentication $true

Thanks to you, I have figured out many more things regarding this PowerShell endpoint. Got this working in my lab with DNS record only.

May 14th, 2015 2:34am
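
Added example (not part of any post in this thread, and not Microsoft's code): a PowerShell check for why Kerberos fails against a DNS-only VIP name (no HTTP SPN) and for the Basic workaround from the last answer, which it only permits over https because Basic sends the password merely base64-encoded. The function name Test-ExchangeVipRemoting is hypothetical, the URI reuses the question's placeholder VIP name, and setspn.exe is assumed to be available on a domain-joined machine.

```powershell
# Added example, not from the thread. Function name is hypothetical.
function Test-ExchangeVipRemoting {
    param(
        [Parameter(Mandatory = $true)][uri]$ConnectionUri,
        [Parameter(Mandatory = $true)][pscredential]$Credential
    )

    # Kerberos needs an HTTP SPN for the host name in the URI. A VIP that exists
    # only as a DNS record has none, so the Kerberos attempt cannot succeed.
    $spnOutput = & setspn.exe -Q "HTTP/$($ConnectionUri.Host)"
    $hasSpn    = [bool]($spnOutput -match 'Existing SPN found')

    # Basic authentication is only base64-encoded, so allow it over TLS only.
    if ($ConnectionUri.Scheme -ne 'https') {
        throw "Refusing Basic authentication over '$($ConnectionUri.Scheme)'; use https."
    }

    $session = New-PSSession -ConfigurationName Microsoft.Exchange `
        -ConnectionUri $ConnectionUri -Authentication Basic `
        -Credential $Credential -ErrorAction Stop
    try {
        # One cmdlet per script block: the Exchange endpoint restricts script syntax.
        $vdirs = Invoke-Command -Session $session -ScriptBlock { Get-PowerShellVirtualDirectory }

        # Report which PowerShell virtual directories accept Basic and whether SSL is required.
        [pscustomobject]@{
            VipHost            = $ConnectionUri.Host
            HttpSpnFound       = $hasSpn
            VirtualDirectories = $vdirs |
                Select-Object Server, Name, BasicAuthentication, WindowsAuthentication, RequireSSL
        }
    }
    finally {
        # Always close the remote session, even if the query fails.
        Remove-PSSession -Session $session
    }
}

# Placeholder VIP name taken from the question; replace with the real load-balanced FQDN.
Test-ExchangeVipRemoting -ConnectionUri 'https://vipname.domainname/PowerShell/' -Credential (Get-Credential)
```

HttpSpnFound being False matches the "Cannot find the computer" Kerberos error in the question; the VirtualDirectories list shows where Basic ended up enabled after the Set-PowerShellVirtualDirectory pipeline.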

Hi,

Any Updates?

May 18th, 2015 1:49am

This topic is archived. No further replies will be accepted.
