
Powershell remoting with ip-address as target

I successfully enabled PSRemoting on my Server 2008 R2. I'm able to do a remote-pssession from within the same network using the hostname as target.

I'm failing when I try to use the IP-Address as target from any computer (within the network or from another network (for example via VPN)). I want to be able to use remoting through my VPN connection where I have to use the IP-Address since the hostname can't be resolved.

I don't want to add names into my hosts-file because there are a few other servers at our clients' that have the same dns-name and I don't want to remove and insert the name-ip-address-association again and again.

I hope someone can tell me how to allow the psremoting-target to be called via IP.

Edit: To be more specific, I want to be able to run this:

Enter-PSSession -ComputerName 192.168.123.123 -Credential $cred

But I'm only able to run that command if I pass a hostname to "-Computername"

Edit2:
I'm getting the following error message when I try to log in using the IP instead of the hostname (from the internal network):

Enter-PSSession : Connecting to remote server failed with the following error message : The WinRM client cannot process the request. Default authentication may be used with an IP address under the following conditions: the transport is HTTPS or the destination is in the TrustedHosts list, and explicit credentials are provided. Use winrm.cmd to configure TrustedHosts. Note that computers in the TrustedHosts list might not be authenticated. For more information on how to set TrustedHosts run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.

Edit3:
I know about the trusted-hosts setting of WSMan, but that doesn't seem to be the problem. It is already set to "*" (I did that right after enabling remoting), but I still can't connect to that server using the IP as target computer name, although I'm able to connect using the hostname as target computer name. It seems like there's something like the binding in IIS that prevents the listener from listening for requests that target the IP number instead of the hostname. But IIS isn't installed. I don't know where to look for such a setting.

Update 2011-07-12:
Okay, I think that trustedhosts-setting is not the problem because I CAN connect from our DC via hostname but not if I use the ip-address of the destination for the computer-param.
I think the problem must be the listener. Maybe the listener takes no requests that were targeted to the destination IP instead of the destination hostname. But I don't know how to change that.

wullxz asked Jul 05 '11 18:07



1 Answer

The error message is giving you most of what you need. This isn't just about the TrustedHosts list; it's saying that in order to use an IP address with the default authentication scheme, you have to ALSO be using HTTPS (which isn't configured by default) and provide explicit credentials. I can tell you're at least not using SSL, because you didn't use the -UseSSL switch.

Note that SSL/HTTPS is not configured by default - that's an extra step you'll have to take. You can't just add -UseSSL.

The default authentication mechanism is Kerberos, and it wants to see real host names as they appear in AD. Not IP addresses, not DNS CNAME nicknames. Some folks will enable Basic authentication, which is less picky - but you should also set up HTTPS since you'd otherwise pass credentials in cleartext. Enable-PSRemoting only sets up HTTP.

Adding names to your hosts file won't work. This isn't an issue of name resolution; it's about how the mutual authentication between computers is carried out.

Additionally, if the two computers involved in this connection aren't in the same AD domain, the default authentication mechanism won't work. Read "help about_remote_troubleshooting" for information on configuring non-domain and cross-domain authentication.

From the docs at http://technet.microsoft.com/en-us/library/dd347642.aspx

HOW TO USE AN IP ADDRESS IN A REMOTE COMMAND
-----------------------------------------------------
    ERROR:  The WinRM client cannot process the request. If the
    authentication scheme is different from Kerberos, or if the client
    computer is not joined to a domain, then HTTPS transport must be used
    or the destination machine must be added to the TrustedHosts
    configuration setting.

The ComputerName parameters of the New-PSSession, Enter-PSSession and
Invoke-Command cmdlets accept an IP address as a valid value. However,
because Kerberos authentication does not support IP addresses, NTLM
authentication is used by default whenever you specify an IP address.

When using NTLM authentication, the following procedure is required
for remoting.

1. Configure the computer for HTTPS transport or add the IP addresses
   of the remote computers to the TrustedHosts list on the local
   computer.

   For instructions, see "How to Add a Computer to the TrustedHosts
   List" below.

2. Use the Credential parameter in all remote commands.

   This is required even when you are submitting the credentials
   of the current user.
Don Jones answered Sep 30 '22 23:09
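
An added example, not part of the answer above or of Microsoft's documentation: the two options the quoted help text names, run from an elevated PowerShell prompt. The address is the one from the question; the certificate thumbprint is a placeholder and the firewall rule name is made up for illustration.

```powershell
# ---- Option 1: TrustedHosts, set on the CLIENT (the machine that connects) ----
# The list lives under the WSMan *Client* node of the local computer;
# a value set on the server being managed does not affect this connection.
Get-Item WSMan:\localhost\Client\TrustedHosts

# Weak setting: '*' lets NTLM be used against any address without
# authenticating the remote end.
# Set-Item WSMan:\localhost\Client\TrustedHosts -Value '*' -Force

# Scoped setting: list only the address that is actually managed.
# Note: this overwrites the current list.
Set-Item WSMan:\localhost\Client\TrustedHosts -Value '192.168.123.123' -Force

# Explicit credentials are required with an IP address, even for the current user.
$cred = Get-Credential
Invoke-Command -ComputerName 192.168.123.123 -Credential $cred `
    -ScriptBlock { $env:COMPUTERNAME }

# ---- Option 2: HTTPS transport ----
# On the SERVER: Enable-PSRemoting creates only an HTTP listener, so add an
# HTTPS one. Assumes a Server Authentication certificate is already installed
# in Cert:\LocalMachine\My; replace the placeholder with its thumbprint.
$thumb = '<CERT-THUMBPRINT-PLACEHOLDER>'
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
    -CertificateThumbPrint $thumb -Force

# Open the WinRM HTTPS port (5986) in the server's firewall.
netsh advfirewall firewall add rule name="WinRM HTTPS (example)" `
    dir=in action=allow protocol=TCP localport=5986

# Confirm both listeners exist.
Get-ChildItem WSMan:\localhost\Listener

# On the CLIENT: the client must trust the certificate's issuer. If the
# certificate does not name the IP address, the name check fails;
# -SkipCNCheck disables that check, so use it only for a certificate
# you have verified yourself.
$opt = New-PSSessionOption -SkipCNCheck
Invoke-Command -ComputerName 192.168.123.123 -UseSSL -Credential $cred `
    -SessionOption $opt -ScriptBlock { $env:COMPUTERNAME }
```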