New-PSSession to reach server in a cloud (different subnet / tunnel)

Hello!

We work in a big company and have a lot of clouds that are isolated from each other; each cloud is reachable via one jumphost, which is reachable and accessible from the local network. Each cloud contains a lot of hosts that are only reachable from the jumphost.

I need to read out or change files etc. from/on the hosts inside the clouds.
I have tried the following to make it work (hostname1 = jumphost, hostname2 = host inside the cloud):

$s = New-PSSession -ComputerName hostname1 -credential ad\username
Import-PSSession -Session $s -CommandName Invoke-Command, New-PSSession -prefix RS

$p = New-RSPSSession -ComputerName hostname2 -credential ad\username
Invoke-RSCommand -session $p -ScriptBlock {Get-ChildItem C:\}
remove-RSpssession $p
remove-pssession $s

It fails with the following error:

Der Parameter "Session" kann nicht gebunden werden. Der Wert "[PSSession]Session1" vom Typ
"Deserialized.System.Management.Automation.Runspaces.PSSession" kann nicht in den Typ
"System.Management.Automation.Runspaces.PSSession" konvertiert werden.
    + CategoryInfo          : InvalidArgument: (:) [Invoke-Command], ParameterBindingException
    + FullyQualifiedErrorId : CannotConvertArgumentNoMessage,Microsoft.PowerShell.Commands.InvokeCommandCommand
    + PSComputerName        : hostname1

The following works without problems (it's only a readout of the jumphost):

$cred = Get-Credential ad\username -Message "Geben Sie das Passwort für den Server ein"
$gh = New-PSSession -ComputerName hostname1 -Credential $cred
$sb1 = {Get-ChildItem C:\}
$result = Invoke-Command -Session $gh -ScriptBlock $sb1

I have also tried to nest New-PSSession in invoke-command from here on to reach the host in the cloud, which also fails with an error.

I have tried a lot of things and searched through google to find a solution, but I have to seek your assistance and hope somebody is able to help me.

Thanks a lot!

Regards,

Marc



August 28th, 2015 10:51am

Hey Fred,

this was what I had tried the first time, and this is what I meant by "nested" New-PSSession in New-PSSession... it unfortunately does not work; for -Session $session2 it shows the error that it contains no data (NULL):

$cred = Get-Credential ad\username -Message "Geben Sie das Passwort für den hostname 1 ein"
$session1 = New-PSSession -ComputerName hostname1 -Credential $cred
$cldhost = Read-Host "Geben Sie bitte den hostname2 ein"
$cred2 = Get-Credential ad\username -Message "Geben Sie das Passwort für den Host ein"
$sb1 = {$session2 = New-PSSession -ComputerName $cldhost -Credential $cred2}
Invoke-Command -Session $session1 -ScriptBlock $sb1
$result = Invoke-Command -Session $session2 -ScriptBlock {Get-ChildItem C:\}

Remove-PSSession $session2, $session1

But maybe I can try like you did to add the command directly behind the New-Pssession command.

Then the second invoke-command in my script is not needed.

Thanks

Marc


August 28th, 2015 3:49pm

Hi Fred,

thanks for the hint with the old and new line, I have tried this variant (invoke nested in invoke) and it seems that the New-Pssession was opened to the host in the cloud after the following line:

Invoke-Command -Session $session -ScriptBlock $sb1

It shows:

 Id Name            ComputerName    State         ConfigurationName     Availability PSComputerName                              
 -- ----            ------------    -----         -----------------     ------------ --------------                              
  2 Session2        hostname2   Opened        Microsoft.PowerShell     Available hostname1

Anyway, when I then enter:

$result = Invoke-Command -Session $session1 -ScriptBlock {Invoke-Command -Session $Session2 -ScriptBlock { Get-ChildItem C:\} }

I unfortunately get the C:\ output of the jumphost again instead of the host in the cloud which I need...

Then I have tried the variant of your prior post (all in one go):

$cred = Get-Credential ad\username -Message "Geben Sie das Passwort für den WTS ein"
$session = New-PSSession -ComputerName hostname1 -Credential $cred
$cred2 = Get-Credential ad\username -Message "Geben Sie das Passwort für den Host ein"
$script = {
    $ses = New-PSSession -ComputerName hostname2 -Credential $cred2
    Get-ChildItem C:\
}
Invoke-Command -Session $session -ScriptBlock $script
Remove-PSSession $ses, $session

But again I get the output of the jumphost directory C:\ :(

It's a little bit frustrating...do you have any idea?

Regards,
Marc 

August 31st, 2015 8:24am

Thanks for your response!
What do you mean by delegated sessions?
Enter-PSSession was working without problems, but I know that I can't use this in a script...
I thought I would need CredSSP only when I try to reach a network share.

Regards, Marc

August 31st, 2015 8:29am

You can set up a remote delegated session on the jump host machine that runs the commands in the session under a set of credentials you specify in the RunAs setting of the config.

Remote delegated sessions

Because the credentials being used to actually run the commands in the session haven't made a "hop" yet, you can get one more hop from the jump box to the cloud endpoint without using CredSSP.  You can also get very granular in what scripts, functions, and commands are allowed to run in those sessions.  

Once the session is created, you can then assign groups or individual users permission to use the session.

August 31st, 2015 9:53am

Hi Marc,

first of all, in your example you cannot use variables from outside the Scriptblock within the scriptblock, without passing them through as an argument ($cred2). Then you are not using the session you created within the scriptblock to query C:\. Here's a revised version:

$cred = Get-Credential ad\username -Message "Geben Sie das Passwort für den WTS ein"
$session = New-PSSession -ComputerName hostname1 -Credential $cred
$cred2 = Get-Credential ad\username -Message "Geben Sie das Passwort für den Host ein"
$script = {
    Param (
        $Credential
    )
    $ses = New-PSSession -ComputerName hostname2 -Credential $Credential
    Invoke-Command -Session $ses -ScriptBlock { Get-ChildItem C:\ }
    Remove-PSSession $ses
}

Invoke-Command -Session $session -ScriptBlock $script -ArgumentList $cred2
Remove-PSSession $session

Also note: I'm not sure passing through a credential object works out of the box with PowerShell version 2. If it doesn't, either pass through clear text (bad), or granting the account on hostname1 permission to access hostname2 is possible (that'll either require delegation or CredSSP).

Cheers,
Fred

August 31st, 2015 10:25am


Hi Fred,

that was new to me, I have borrowed the param () version and also tried it with clear text credentials without a variable in the scriptblock, just to clarify if it works, but both are not working.
I always get the directory C:\ of the jumphost as the output..

I think the mistake is somewhere in the logic of the invoke-command statements and not a problem with the credentials...

Regards
Marc 

August 31st, 2015 1:07pm

Hi,

thanks for the hint.
But I don't think that I need these delegated sessions, because I have admin rights on all these servers and don't get an error like "Access denied" or something else...
And CredSSP is not possible here, I get an error that I have to add the SPN, but that's not possible here in our environment.

September 4th, 2015 3:09am

By the way: I've tried to use CredSSP, because it is recommended for second hops:

Enable-WSManCredSSP -Role Client -DelegateComputer jumphost -Force

$cred = Get-Credential ad\username -Message "Please insert the password for the jumphost and the cloudhost"
$session = New-PSSession -ComputerName jumphost -Credential $cred
Invoke-Command -Session $session -ScriptBlock {Enable-WSManCredSSP -Role Server -Force; Set-Item wsman:\localhost\client\trustedhosts -value localcomputer -Force; Restart-Service winrm -Force}

$session2 = new-PSSession -ComputerName jumphost -Credential $cred -Authentication Credssp

After entering this last command I get the following error:

The WinRM client cannot 
process the request. A computer policy does not allow the delegation of the user credentials to the target computer because the 
computer is not trusted. The identity of the target computer can be verified if you configure the WSMAN service to use a valid 
certificate using the following command: winrm set winrm/config/service '@{CertificateThumbprint="<thumbprint>"}'  Or you can 
check the Event Viewer for an event that specifies that the following SPN could not be created: WSMAN/<computerFQDN>. If you find 
this event, you can manually create the SPN using setspn.exe .  If the SPN exists, but CredSSP cannot use Kerberos to validate 
the identity of the target computer and you still want to allow the delegation of the user credentials to the target computer, 
use gpedit.msc and look at the following policy: Computer Configuration -> Administrative Templates -> System -> Credentials 
Delegation -> Allow Fresh Credentials with NTLM-only Server Authentication.  Verify that it is enabled and configured with an SPN 
appropriate for the target computer. For example, for a target computer name "myserver.domain.com", the SPN can be one of the 
following: WSMAN/myserver.domain.com or WSMAN/*.domain.com. Try the request again after these changes. Weitere Informationen 
finden Sie im Hilfethema "about_Remote_Troubleshooting".
In Zeile:1 Zeichen:13
+ $session2 = new-PSSession -ComputerName jumphost -Credential $cred -Aut ...
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotingTransportException
    + FullyQualifiedErrorId : -2144108124,PSSessionOpenFailed 

I do not know what to activate further to use CredSSP; anyway, it would be better to make it work without CredSSP.

September 4th, 2015 5:58am


Having admin rights is irrelevant in the context of your current problem.  The problem is delegation of credentials across that second hop (regardless of whether it's an admin credential or not).  What's important to understand is that if you use a delegated session, the set of credentials being used to actually execute the commands at the jump host originated on that jump host, so they can make the hop to the cloud endpoint without CredSSP.  
September 4th, 2015 6:35am

Ahhh ok nice to know...
So if I try it this way, it breaks the PSSession $session after I have entered "Invoke-Command -Session $session -ScriptBlock {Register-PSSessionConfiguration -Name PowerShell.Session -RunAsCredential 'ad\adminuserforcloud ' -Force}":

$cred = Get-Credential ad\adminuserforcloud -Message "Please insert password for jumphost and cloudhost"

$session = New-PSSession -ComputerName jumphost -Credential $cred

Invoke-Command -Session $session -ScriptBlock {Register-PSSessionConfiguration -Name PowerShell.Session -RunAsCredential 'ad\adminuserforcloud ' -Force}

$cldhost = Read-Host "Please insert the cloudhost name"

$script = {
    Param (
        $Credential,
        $Hostname2
    )
    $ses = New-PSSession -ComputerName $Hostname2 -Credential $Credential
    Invoke-Command -Session $ses -ScriptBlock { Get-ChildItem C:\ }
    Remove-PSSession $ses
}

Invoke-Command -Session $session -ScriptBlock $script -ArgumentList $cred, $cldhost
Remove-PSSession $session

Is this the wrong way to use the Register-PSSessionConfiguration cmdlet?

I really appreciate your help.

Thanks a lot

Marc


September 4th, 2015 8:58am


You need to be a lot more specific than "it broke the session" for someone who's not there to be able to diagnose the problem.

I typically use a PSSession configuration file to create remote delegated sessions.

New-PSSessionConfigurationFile

Build Constrained PowerShell Endpoint Using Configuration File

then restart WinRM after the new session is configured and registered.


September 4th, 2015 9:20am

It's a little bit strange, sometimes it simply breaks the PSSession after the command:

 Id Name            ComputerName    State         ConfigurationName     Availability
 -- ----            ------------    -----         -----------------     ------------
  1 Session1        jumphost          Broken        Microsoft.PowerShell          None

But the Register-PSSessionConfiguration command was successful, no error message.

And sometimes it shows the following error after entering the Register-PSSessionConfiguration:

"The I/O operation has been aborted because of either a thread exit or an application request."

I will also try with the configuration file, but actually it should work without it.

September 4th, 2015 10:57am

It may be the configuration name you're using conflicting with a default session.  Try something unique like "CloudJump".

Also, make sure you're assigning permissions to use the session.

And restart the WinRM service on the jump server after you've registered the configuration.

September 4th, 2015 10:59am

I tried this way:

Register-PSSessionConfiguration -Name Jumphost
$session = New-PSSession -ConfigurationName Jumphost -ComputerName jumphostname -Credential $cred

Invoke-Command -Session $session -ScriptBlock {Register-PSSessionConfiguration -Name PowerShell.Session -RunAsCredential 'ad\username' -Force; Restart-Service winrm -Force}

But when executing New-PSSession I got the error that the Jumphost configuration cannot be found on the jumphost computer:

New-PSSession : [jumphostname] Beim Verbinden mit dem Remoteserver "jumphostname" ist folgender Fehler aufgetreten: Der WS-Verwaltungsdienst 
kann die Anforderung nicht verarbeiten. Die Jumphost-Sitzungskonfiguration kann im WSMan:-Laufwerk auf dem jumphostname-Computer nicht 
gefunden werden. Weitere Informationen finden Sie im Hilfethema "about_Remote_Troubleshooting".
In Zeile:1 Zeichen:12
+ $session = New-PSSession -ConfigurationName Jumphost -ComputerName sd ...
+            ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotingTransportException
    + FullyQualifiedErrorId : InvalidResourceUri,PSSessionOpenFailed

That means I have to configure this on the jumphost in wsman as well?


September 4th, 2015 12:26pm



You have to configure the security permissions there.  The easiest way to do this is to run your Register-PSSessionConfiguration command locally on the jump host, and add the -ShowSecurityDescriptorUI  parameter to your Register-PSSessionConfiguration command.

This will pop up permission UI (similar to what you see when you grant NTFS permissions through the Explorer UI).  Choose the users or groups you want to give permission to use the session, and give them Read and Execute permission.

September 4th, 2015 1:42pm
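The delegated-session approach the answers above describe, carried through end to end as an added example (this is not code from any poster in this thread): a RunAs endpoint registered on the jump host with a configuration file, its ACL limited to one group, WinRM restarted, and then the second hop made from inside that endpoint without passing a second credential. The endpoint name CloudJump, the RunAs account ad\svc-cloudjump and the group ad\CloudJumpOperators are assumed placeholder names; Part 1 runs once in an elevated PowerShell 3.0+ on the jump host, Part 2 from the workstation.

```powershell
# --- Part 1: run once on the jump host, in an elevated PowerShell (3.0+) ---
# Assumed placeholders: endpoint name "CloudJump", RunAs service account
# ad\svc-cloudjump and the operator group ad\CloudJumpOperators.

$endpointName = 'CloudJump'                       # unique name; do not reuse a default name
$configPath   = "$env:ProgramData\CloudJump.pssc"

# Constrain what the endpoint exposes. The remoting cmdlets must remain visible,
# otherwise the second hop to the cloud host cannot be made from inside the session.
New-PSSessionConfigurationFile -Path $configPath `
    -SessionType RestrictedRemoteServer `
    -LanguageMode ConstrainedLanguage `
    -VisibleCmdlets 'Invoke-Command', 'New-PSSession', 'Remove-PSSession', 'Get-ChildItem'

Test-PSSessionConfigurationFile -Path $configPath   # $true when the .pssc is valid

# The RunAs account logs on locally on the jump host, so its Kerberos identity has not
# made a hop yet and can authenticate to the cloud host without CredSSP.
# -ShowSecurityDescriptorUI opens the ACL dialog: grant Read and Execute (Invoke) only to
# ad\CloudJumpOperators; anyone with Invoke on this endpoint acts as the RunAs account.
$runAs = Get-Credential 'ad\svc-cloudjump' -Message 'RunAs account for the CloudJump endpoint'
Register-PSSessionConfiguration -Name $endpointName -Path $configPath `
    -RunAsCredential $runAs -ShowSecurityDescriptorUI -Force

Restart-Service WinRM -Force

# Verify the registration; RunAsUser and Permission are what an auditor will ask for.
Get-PSSessionConfiguration -Name $endpointName | Select-Object Name, RunAsUser, Permission

# --- Part 2: run from the workstation as a member of ad\CloudJumpOperators ---
$cred    = Get-Credential 'ad\username' -Message 'Password for the jumphost'
$session = New-PSSession -ComputerName jumphost -ConfigurationName $endpointName -Credential $cred

# No -Credential on the inner call: inside the delegated session we already are the RunAs
# account, so Kerberos to the cloud host is a first hop. The returned object records which
# machine actually ran Get-ChildItem; if Host shows the jump host, the hop did not happen.
$result = Invoke-Command -Session $session -ScriptBlock {
    param([string]$Target)
    Invoke-Command -ComputerName $Target -ScriptBlock {
        [pscustomobject]@{
            Host    = $env:COMPUTERNAME
            Entries = (Get-ChildItem -Path C:\).Name
        }
    }
} -ArgumentList 'hostname2'

Remove-PSSession $session
$result | Format-List Host, Entries
```

Keep the RunAs account's rights on the cloud hosts to what the endpoint's task needs, since every principal with Invoke on the endpoint inherits them.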


With your information I have entered the following on the Jumphost:

Register-PSSessionConfiguration -Name PowerShell.Session -SessionType DefaultRemoteShell -AccessMode Remote -RunAsCredential 'ad\username' -ShowSecurityDescriptorUI -Force


And then granted access to the user 'ad\username' (Invoke and Read access).
After that I was able to use the session configuration on the jumphost with the following commands:

$cred = Get-Credential ad\username -Message "Please enter the password for jumphost"

$session = New-PSSession -ConfigurationName PowerShell.Session -ComputerName jumphost -Credential $cred


(Is the delegated session now properly configured?)

So the session was connected and I entered my other commands:


$cldhost = Read-Host "Please enter the cloudhost name"

$script = {
    Param (
        $Credential,
        $Hostname2
    )
    $ses = New-PSSession -ComputerName $Hostname2 -Credential $Credential
    Invoke-Command -Session $ses -ScriptBlock { Get-ChildItem C:\ }
    Remove-PSSession $ses
}

Invoke-Command -Session $session -ScriptBlock $script -ArgumentList $cred, $cldhost
Remove-PSSession $session


Unfortunately I get the output of Get-ChildItem C:\ of the jumphost again and not the output of the cloudhost...
Do you have any further idea? Is maybe the $script{} part somewhere wrong?

Thank you,
Marc



September 7th, 2015 5:25am

