PowerShell Remoting to a Workgroup Computer

I'm trying to remote PowerShell from my domain-joined PC to a server in our DMZ, but I cannot figure out how to get it working.

The DMZ server has a listener configured for HTTP on the default port 5985 that is enabled. The two NICs in the machine are both labeled for Public networks, so I changed the Windows Remote Management (HTTP-In) firewall rule for the Public profile to accept connections from my IP as well as the Local subnet that was already configured.

On my client machine (Windows 10), I added the server's hostname to WSMan:\localhost\Client\TrustedHosts and I added LocalAccountTokenFilterPolicy (Value: 1, Type: DWORD) to the registry.

I create a credential object with my local credentials for the server (servername\username) and then I try $Sess = New-PSSession -ComputerName DMZCOMPUTER -Port 5985 -Credential $Cred, but the connection always tries to use Kerberos to connect to the machine, which is obviously not going to work.

If I try $Sess = New-PSSession -ComputerName DMZCOMPUTER -Port 5985 -Credential $Cred -Authentication Basic, I get an error that unencrypted traffic is currently disabled. Other authentication schemes produce different error messages, but I've never been able to remote.

Am I missing a configuration somewhere? What are the settings needed (server & client) to use remote PowerShell to connect to a workgroup server from a domain-joined client?

Martin asked Oct 25 '16 19:10


2 Answers

I eventually figured this out; there were a couple of issues with what I was doing. First, the link at https://blogs.msdn.microsoft.com/wmi/2009/07/24/powershell-remoting-between-two-workgroup-machines/ has some incorrect information. It states that the LocalAccountTokenFilterPolicy registry entry should be on the client machine; this is incorrect, it should be on the server machine.

The other fix was just me being a bonehead using the FQDN of the server in the TrustedHosts value and then using just the hostname when trying to create the session.

If anyone else is trying to get this working the steps to follow are:

  1. Run Enable-PSRemoting on the server machine
    • This will start the WinRM service and set its startup to automatic
    • It will create an HTTP listener
      • You can verify this by running winrm enumerate winrm/config/listener
    • It will enable the Windows Remote Management firewall rules
    • It will create and configure the LocalAccountTokenFilterPolicy registry key
    • It will reset the permissions on the four session hosts
      • You can verify this by running Get-PSSessionConfiguration
  2. Start the WinRM service on the client machine
  3. Run Set-Item WSMan:\localhost\Client\TrustedHosts -Value <hostname or FQDN of server>
    • You can add -Concatenate to the end of Set-Item if you're trying to add a server to the list
  4. Run $Cred = Get-Credential. I just entered a username and password (not servername\username), as suggested by kevmar
  5. Run a command such as $S = New-PSSession -ComputerName <same name exactly that you put in TrustedHosts> -Credential $Cred
  6. If everything is working properly, the command should just return
  7. If you get an error that mentions Kerberos, check that you're using the same name in your ComputerName parameter and in TrustedHosts
  8. If you get an access denied error, check that LocalAccountTokenFilterPolicy is configured on the server
Martin answered Sep 23 '22 05:09


First try creating a credential object with just your username and password. Skip trying to designate a domain or server name in the credential.

Then try connecting with the IP address instead of computer name. You will still need to add it into the trusted hosts values.

The last thing to use is Test-WSMan for troubleshooting your issue. The error message that it provides should give you a strong hint as to what the issue is.

kevmar answered Sep 22 '22 05:09
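The client side of both answers in one function: kevmar's three suggestions (plain username in the credential, an exact TrustedHosts entry, Test-WSMan first) and steps 2 to 8 of the accepted answer. This is an added example, not code from either poster; it assumes a domain-joined Windows 10 client with PowerShell 5.1, and the function name Test-WorkgroupRemoting and its $Target and $Port parameters are my own. It authenticates with Negotiate rather than Basic: against a server outside the domain Negotiate falls back to NTLM, which encrypts the message payload over the plain-HTTP listener, whereas Basic over HTTP is exactly what the "unencrypted traffic is currently disabled" error in the question refuses.

```powershell
# Added example (not from either answer): client-side walk-through of the workgroup remoting steps.
# Run on the domain-joined client. $Target must be the exact string present in TrustedHosts.
function Test-WorkgroupRemoting {
    param(
        [Parameter(Mandatory)] [string] $Target,   # hostname, FQDN or IP of the DMZ server
        [int] $Port = 5985,
        [pscredential] $Credential = (Get-Credential -Message "Local account on $Target (user name only, no server prefix)")
    )

    # Step 2: the WinRM service has to be running on the client as well
    if ((Get-Service -Name WinRM).Status -ne 'Running') {
        Start-Service -Name WinRM
    }

    # Steps 3 and 7: the -ComputerName value must appear verbatim in TrustedHosts. When it does not,
    # the client permits only Kerberos for that destination, which is the error from the question.
    $trusted = (Get-Item -Path WSMan:\localhost\Client\TrustedHosts).Value
    $entries = @($trusted -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    if ($entries -notcontains $Target -and $entries -notcontains '*') {
        Write-Warning "'$Target' is not in TrustedHosts (current value: '$trusted')."
        Write-Warning "Add it from an elevated prompt with: Set-Item WSMan:\localhost\Client\TrustedHosts -Value '$Target' -Concatenate"
        return $false
    }

    # kevmar's tip: Test-WSMan exercises the same listener and authentication path as New-PSSession
    # but reports a clearer error. Negotiate (NTLM here) encrypts the payload over HTTP; Basic would not.
    try {
        $null = Test-WSMan -ComputerName $Target -Port $Port -Credential $Credential -Authentication Negotiate -ErrorAction Stop
    } catch {
        Write-Warning "Test-WSMan failed: $($_.Exception.Message)"
        Write-Warning "Access denied at this point usually means LocalAccountTokenFilterPolicy is missing on the server (step 8)."
        return $false
    }

    # Step 5: open the session with exactly the same name, run one command, and clean up
    $session = New-PSSession -ComputerName $Target -Port $Port -Credential $Credential -Authentication Negotiate -ErrorAction Stop
    try {
        Write-Host (Invoke-Command -Session $session -ScriptBlock { "Connected to $env:COMPUTERNAME as $env:USERNAME" })
    } finally {
        Remove-PSSession -Session $session
    }
    return $true
}

# Example call; the name must match the TrustedHosts entry character for character:
# Test-WorkgroupRemoting -Target 'DMZCOMPUTER'
```

If the TrustedHosts check passes but Test-WSMan still fails with the Kerberos message, the usual remaining cause is the one Martin hit: FQDN in TrustedHosts, bare hostname on the command line, or the reverse.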