I have a ps1 script that dumps out local groups, with focus on administrators group. It uses Quest/Dell cmdlets to further dump out the contents of AD groups with the -indirect switch, which tells it to do nested support.
I want to get the script to work so that, if a Test-Path fails, it tries a copy of the script on a server that is in the correct domain. That different domain is not trusted. I am using Invoke-Command and discovered, by using [Security.Principal.WindowsIdentity]::GetCurrent(), that the authentication type is Kerberos when I run it locally, but when I use Invoke-Command, it sends over NTLM.
I have tried to use the -Authentication Kerberos argument on the invoke-command but end up getting,
[eg-issinf-a02.mgmt.tlrg.com] Connecting to remote server failed with the following error message : WinRM cannot process the
request. The following error occured while using Kerberos authentication: There are currently no logon servers available to
service the logon request.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does not exist.
-The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following command: winrm help config. For more information, see
the about_Remote_Troubleshooting Help topic.
+ CategoryInfo : OpenError: (:) [], PSRemotingTransportException
+ FullyQualifiedErrorId : PSSessionStateBroken
Has anyone been able to get a script to work on a remote system, passing the correct credentials using Get-Credential, when the target server is not part of the trust that the source server is in?
Here is a copy of my invoke-command block.
$cred = Get-Credential -Credential ("mydomain\$env:username")
Invoke-Command
$rs = 'mytargetserver.mydomain.com'
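
The two remedies named in the error text above (HTTPS transport, or a TrustedHosts entry), sketched as an added example that is not part of the original post. It assumes the target exposes a WinRM HTTPS listener with a certificate the client trusts; `$sb` and `$allowTrustedHostsFallback` are hypothetical names, and the script block is a placeholder for the real group-dump script.

```powershell
# Added example. $rs and the account name reuse the post's placeholders.
$rs   = 'mytargetserver.mydomain.com'
$cred = Get-Credential -Credential "mydomain\$env:username"

# Placeholder payload: reports how the remote session was authenticated.
$sb = {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    [pscustomobject]@{
        User     = $id.Name
        AuthType = $id.AuthenticationType   # NTLM expected: no trust, no Kerberos
        Admins   = & net.exe localgroup Administrators
    }
}

# Assumption: set to $true only if the target has no HTTPS listener.
$allowTrustedHostsFallback = $false

try {
    # Preferred: HTTPS (5986). The target proves its identity with its TLS
    # certificate, so TrustedHosts is not touched.
    Test-WSMan -ComputerName $rs -UseSSL -ErrorAction Stop | Out-Null
    $result = Invoke-Command -ComputerName $rs -UseSSL -Credential $cred `
        -Authentication Negotiate -ScriptBlock $sb -ErrorAction Stop
}
catch {
    if (-not $allowTrustedHostsFallback) { throw }

    # Fallback: HTTP (5985) plus TrustedHosts; needs an elevated prompt.
    # The target is NOT authenticated, so add only this one name (never '*')
    # and restore the previous list afterwards.
    $th  = 'WSMan:\localhost\Client\TrustedHosts'
    $old = (Get-Item $th).Value
    Set-Item $th -Value $rs -Concatenate -Force
    try {
        $result = Invoke-Command -ComputerName $rs -Credential $cred `
            -Authentication Negotiate -ScriptBlock $sb -ErrorAction Stop
    }
    finally {
        Set-Item $th -Value $old -Force
    }
}

$result | Format-List User, AuthType, Admins
```

The remote session is a network logon, so the credentials are not forwarded to a second machine: any Active Directory query made from inside the script block has to be given its own credentials.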