New-PSSession to reach server in a cloud (different subnet / tunnel)

Hello!

We work in a big company and have a lot of clouds which are isolated from each other. Each cloud is reachable via one jumphost, which is reachable and accessible from the local network. Each cloud contains a lot of hosts which are only reachable from the jumphost.

I need to read out or change files etc. from/on the hosts inside the clouds.
I have tried the following to make it work (hostname1 = jumphost, hostname2 = host inside the cloud):

$s = New-PSSession -ComputerName hostname1 -credential ad\username
Import-PSSession -Session $s -CommandName Invoke-Command, New-PSSession -prefix RS

$p = New-RSPSSession -ComputerName hostname2 -credential ad\username
Invoke-RSCommand -session $p -ScriptBlock {Get-ChildItem C:\}
remove-RSpssession $p
remove-pssession $s

It fails with the following error:

Der Parameter "Session" kann nicht gebunden werden. Der Wert "[PSSession]Session1" vom Typ
"Deserialized.System.Management.Automation.Runspaces.PSSession" kann nicht in den Typ
"System.Management.Automation.Runspaces.PSSession" konvertiert werden.
    + CategoryInfo          : InvalidArgument: (:) [Invoke-Command], ParameterBindingException
    + FullyQualifiedErrorId : CannotConvertArgumentNoMessage,Microsoft.PowerShell.Commands.InvokeCommandCommand
    + PSComputerName        : hostname1

The following works without problems (it's only a readout of the jumphost):


$cred = Get-Credential ad\username -Message "Geben Sie das Passwort für den Server ein"
$gh = New-PSSession -ComputerName hostname1 -Credential $cred
$sb1 = {Get-ChildItem C:\}
$result = Invoke-Command -Session $gh -ScriptBlock $sb1

I have also tried to nest New-PSSession in invoke-command from here on to reach the host in the cloud, which also fails with an error.

I have tried a lot of things and searched through google to find a solution, but I have to seek your assistance and hope somebody is able to help me.

Thanks a lot!

Regards,

Marc



August 28th, 2015 10:51am

Hey Fred,

This was what I had tried the first time, and this is what I meant by "nested" New-PSSession in New-PSSession... It unfortunately does not work; for -Session $session2 it shows the error that it contains no data (NULL):

$cred = Get-Credential ad\username -Message "Geben Sie das Passwort für den hostname 1 ein"
$session1 = New-PSSession -ComputerName hostname1 -Credential $cred
$cldhost = Read-Host "Geben Sie bitte den hostname2 ein"
$cred2 = Get-Credential ad\username -Message "Geben Sie das Passwort für den Host ein"
$sb1 = {$session2 = New-PSSession -ComputerName $cldhost -Credential $cred2}
Invoke-Command -Session $session1 -ScriptBlock $sb1
$result = Invoke-Command -Session $session2 -ScriptBlock {Get-ChildItem C:\}

Remove-PSSession $session2, $session1

But maybe I can try like you did to add the command directly behind the New-Pssession command.

Then the second invoke-command in my script is not needed.

Thanks

Marc


August 28th, 2015 3:49pm

Hi Fred,

thanks for the hint with the old and new line, I have tried this variant (invoke nested in invoke) and it seems that the New-Pssession was opened to the host in the cloud after the following line:

Invoke-Command -Session $session -ScriptBlock $sb1

It shows:

 Id Name            ComputerName    State         ConfigurationName     Availability PSComputerName                              
 -- ----            ------------    -----         -----------------     ------------ --------------                              
  2 Session2        hostname2   Opened        Microsoft.PowerShell     Available hostname1

Anyway, when I then enter:

$result = Invoke-Command -Session $session1 -ScriptBlock {Invoke-Command -Session $Session2 -ScriptBlock { Get-ChildItem C:\} }

I unfortunately get the C:\ output of the jumphost again instead of the host in the cloud which I need...

Then I have tried the variant of your prior post (all in one go):

$cred = Get-Credential ad\username -Message "Geben Sie das Passwort für den WTS ein"
$session = New-PSSession -ComputerName hostname1 -Credential $cred
$cred2 = Get-Credential ad\username -Message "Geben Sie das Passwort für den Host ein"
$script = {
    $ses = New-PSSession -ComputerName hostname2 -Credential $cred2
    Get-ChildItem C:\
}
Invoke-Command -Session $session -ScriptBlock $script
Remove-PSSession $ses, $session

But again I get the output of the jumphost directory C:\ :(

It's a little bit frustrating...do you have any idea?

Regards,
Marc 

August 31st, 2015 12:23pm

Ahhh ok nice to know...
So if I try it this way, it breaks the pssession $session after I have entered "Invoke-Command -Session $session -ScriptBlock {Register-PSSessionConfiguration -Name PowerShell.Session -RunAsCredential 'ad\adminuserforcloud ' -Force}":

$cred = Get-Credential ad\adminuserforcloud -Message "Please insert password for jumphost and cloudhost"

$session = New-PSSession -ComputerName jumphost -Credential $cred

Invoke-Command -Session $session -ScriptBlock {Register-PSSessionConfiguration -Name PowerShell.Session -RunAsCredential 'ad\adminuserforcloud ' -Force}

$cldhost = Read-Host "Please insert the cloudhost name"

$script = {
    Param (
        $Credential,
        $Hostname2
    )
    $ses = New-PSSession -ComputerName $Hostname2 -Credential $Credential
    Invoke-Command -Session $ses -ScriptBlock { Get-ChildItem C:\ }
    Remove-PSSession $ses
}

Invoke-Command -Session $session -ScriptBlock $script -ArgumentList $cred, $cldhost
Remove-PSSession $session

Is this the wrong way to use the Register-PSSessionConfiguration cmdlet?

I really appreciate your help.

Thanks a lot

Marc


September 4th, 2015 12:55pm

I tried this way:

Register-PSSessionConfiguration -Name Jumphost
$session = New-PSSession -ConfigurationName Jumphost -ComputerName jumphostname -Credential $cred

Invoke-Command -Session $session -ScriptBlock {Register-PSSessionConfiguration -Name PowerShell.Session -RunAsCredential 'ad\username' -Force; Restart-Service winrm -Force}

But when executing New-PSSession I got the error that the jumphost configuration cannot be found on the jumphost computer:

New-PSSession : [jumphostname] Beim Verbinden mit dem Remoteserver "jumphostname" ist folgender Fehler aufgetreten: Der WS-Verwaltungsdienst 
kann die Anforderung nicht verarbeiten. Die Jumphost-Sitzungskonfiguration kann im WSMan:-Laufwerk auf dem jumphostname-Computer nicht 
gefunden werden. Weitere Informationen finden Sie im Hilfethema "about_Remote_Troubleshooting".
In Zeile:1 Zeichen:12
+ $session = New-PSSession -ConfigurationName Jumphost -ComputerName sd ...
+            ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotingTransportE 
   xception
    + FullyQualifiedErrorId : InvalidResourceUri,PSSessionOpenFailed

That means I have to configure this on the jumphost in wsman as well?


September 4th, 2015 4:23pm

With your information I have entered the following on the Jumphost:

Register-PSSessionConfiguration -Name PowerShell.Session -SessionType DefaultRemoteShell -AccessMode Remote -RunAsCredential 'ad\username' -ShowSecurityDescriptorUI -Force


And then granted access to the user 'ad\username' (Invoke and Read access).
After that I was able to use the session configuration on the jumphost with the following commands:

$cred = Get-Credential ad\username -Message "Please enter the password for jumphost"

$session = New-PSSession -ConfigurationName PowerShell.Session -ComputerName jumphost -Credential $cred


(Is the delegated session now properly configured?)

So the session was connected and I entered my other commands:


$cldhost = Read-Host "Please enter the cloudhost name"

$script = {
    Param (
        $Credential,
        $Hostname2
    )
    $ses = New-PSSession -ComputerName $Hostname2 -Credential $Credential
    Invoke-Command -Session $ses -ScriptBlock { Get-ChildItem C:\ }
    Remove-PSSession $ses
}

Invoke-Command -Session $session -ScriptBlock $script -ArgumentList $cred, $cldhost
Remove-PSSession $session


Unfortunately I get the output of Get-ChildItem C:\ of the jumphost again and not the output of the cloudhost...
Do you have any further idea? Is maybe the $script{} part somewhere wrong?

Thank you,
Marc



September 7th, 2015 9:23am

Finally it works...I missed the forest for the trees:

$cred = Get-Credential ad\username -Message "Please insert the password for the jumphost"

$session = New-PSSession -ComputerName jumphost -Credential $cred

$cldhost = Read-Host "Please insert the cloudhost name"

$script = {
    Param (
        $Credential,
        $Hostname2
    )
    $ses = New-PSSession -ComputerName $Hostname2 -Credential $Credential
    Invoke-Command -Session $ses -ScriptBlock { Get-ChildItem C:\ }
    Remove-PSSession $ses
}

Invoke-Command -Session $session -ScriptBlock $script -ArgumentList $cred, $cldhost
Remove-PSSession $session

It was working since FWN's post...but it was a little bit confusing for me, because the output was always "PSComputername = jumphost". So I thought I have the wrong output, but it was the right one. Sorry for the inconveniences and thanks a lot for your great help here!!!
This means I do not need the delegated sessions or CredSSP. But anyway, it works as well by manually setting the delegated configuration on the jumphost:

Register-PSSessionConfiguration -Name PowerShell.Session -SessionType DefaultRemoteShell -AccessMode Remote -RunAsCredential 'ad\username' -ShowSecurityDescriptorUI -Force

It is also working directly from the local host, but you have to use -SecurityDescriptorSddl and this requires a function which deletes the default credentials for the session configurations and adds the new credential with ACLs automatically...means a lot of work.

Thanks a lot for the help!

Marc
September 9th, 2015 11:39am

  • Marked as answer by Marc Tschapek Wednesday, September 09, 2015 3:40 PM
September 9th, 2015 3:38pm
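
The working pattern from the final post with one addition, as an added example that is not part of the thread: the inner script block records $env:COMPUTERNAME on the machine where it actually runs, because PSComputerName on the returned objects always names the outer hop (the jumphost). The RanOn property name is an assumption made for illustration; host and account names are the thread's placeholders.

```powershell
# Added example, not from the thread. 'jumphost' and 'ad\username' are the
# thread's placeholders; the RanOn property name is an assumption.
$cred    = Get-Credential ad\username -Message "Password for jumphost and cloud host"
$cldhost = Read-Host "Cloud host name"

$session = New-PSSession -ComputerName jumphost -Credential $cred
try {
    $result = Invoke-Command -Session $session -ArgumentList $cred, $cldhost -ScriptBlock {
        param(
            [pscredential] $Credential,
            [string]       $Hostname2
        )
        # Second hop: the inner session is created, used and removed on the jumphost.
        # It is never returned to the caller, so no "Deserialized ... PSSession"
        # object is ever handed to Invoke-Command.
        # -ErrorAction Stop: if the second hop fails, stop instead of continuing
        # on the jumphost and returning its data by mistake.
        $inner = New-PSSession -ComputerName $Hostname2 -Credential $Credential -ErrorAction Stop
        try {
            Invoke-Command -Session $inner -ScriptBlock {
                # RanOn is evaluated on the cloud host itself.
                Get-ChildItem C:\ |
                    Select-Object @{ n = 'RanOn'; e = { $env:COMPUTERNAME } }, Name, LastWriteTime
            }
        }
        finally {
            Remove-PSSession $inner
        }
    }
}
finally {
    Remove-PSSession $session
}

# RanOn shows the cloud host; PSComputerName shows the jumphost (outer hop only).
$result | Select-Object RanOn, PSComputerName, Name, LastWriteTime | Format-Table -AutoSize
```

The credential is passed to the jumphost as an argument and used explicitly for the second hop, which is why neither CredSSP nor a RunAs session configuration is required here.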

This topic is archived. No further replies will be accepted.
