Last week, I had to enable someone in one domain to restart computers in another domain.
I’ve first created a restricted endpoint on the Domain Controller itself.
I could enter the endpoint and use the only cmdlet exposed (Restart-Computer) with its limited parameters and values.
But, when I tried to use the endpoint from the computer in the other domain using valid credentials I had the following error:
WARNING: Failed to create and import session because Connecting to remote server server.fqdn failed with the following error message : WinRM cannot process the request. The following error with errorcode 0x80090311 occurred while using Kerberos authentication: There are currently no logon servers available to service the logon request.
Possible causes are:
How can there be no logon servers available when I am authenticating against the DC itself?
To make it work, I only changed the way I entered credentials.
I initially typed
-Credential (Get-Credential NetBiosDomainName\UserName)
and replaced it with
-Credential (Get-Credential FullyQualifiedDomainName\UserName)
Fine, but afterward I encountered the issue I reported a few weeks ago in this blog post. D’oh!
Running the Get-Command command in a remote session reported the following error: A parameter cannot be found that matches parameter name ‘PowerShellVersion’
No problem, it’s easier to move the endpoint to a server that runs PowerShell 4.0 than to remove PowerShell 5.1 from client computers.
Again with this other server, I had the same error 0x80090311: no logon servers available for Kerberos authentication 😦
This time, I had to modify the target computer name where the endpoint is located and write it using the exact case that matches the way its SPNs (Service Principal Names) are registered in Active Directory.
The Test-WSMan cmdlet behaved the same way. This failed:
Test-WSMan -ComputerName TargetServerFqdnIncorrectCase -Authentication Kerberos -Credential (Get-Credential FullyQualifiedDomainName\UserName)
and this worked once the name matched the registered SPN case:
Test-WSMan -ComputerName TargetServerFqdnCorrectCase -Authentication Kerberos -Credential (Get-Credential FullyQualifiedDomainName\UserName)
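The two fixes above (domain given as its DNS name in the credential, and the target name written in the case of its registered SPN) as a client-side pre-flight script. This is an added example, not the code from the post; the domain, host, endpoint and user names are placeholders, and it assumes the client can query the target domain over LDAP.

```powershell
# Added example (not the blog author's code): pre-flight checks before opening a
# cross-domain Kerberos session to a restricted endpoint.
# Placeholders: 'endpoint.child.corp.example', 'MySecureEndPoint', 'child.corp.example\jdoe'.
function Get-RegisteredWsmanSpn {
    param([Parameter(Mandatory)][string]$ComputerFqdn)
    # Read the computer object's SPNs from the target domain so the name we
    # connect with matches the exact case that was registered.
    $domainFqdn = ($ComputerFqdn -split '\.', 2)[1]
    $domainDn   = 'DC=' + ($domainFqdn -replace '\.', ',DC=')
    $searcher = [adsisearcher]"(&(objectClass=computer)(dNSHostName=$ComputerFqdn))"
    $searcher.SearchRoot = [adsi]"LDAP://$domainFqdn/$domainDn"
    $null = $searcher.PropertiesToLoad.Add('servicePrincipalName')
    $result = $searcher.FindOne()
    if (-not $result) { throw "No computer object found for $ComputerFqdn in $domainFqdn" }
    # WinRM registers WSMAN/<fqdn>; HOST/<fqdn> is the fallback Kerberos uses.
    $result.Properties['serviceprincipalname'] |
        Where-Object { $_ -match '^(WSMAN|HOST)/[^/:]+\.[^/:]+' } |
        Select-Object -First 1
}

function Connect-RestrictedEndpoint {
    param(
        [Parameter(Mandatory)][string]$ComputerFqdn,
        [Parameter(Mandatory)][string]$ConfigurationName,
        [Parameter(Mandatory)][pscredential]$Credential
    )
    # Kerberos across a trust needs DnsDomainName\User, not NetBiosName\User;
    # the NetBIOS form is what produced error 0x80090311 in the post.
    if ($Credential.UserName -notmatch '^[^\\]+\.[^\\]+\\[^\\]+$') {
        throw "Use FullyQualifiedDomainName\UserName, got '$($Credential.UserName)'"
    }
    $spn     = Get-RegisteredWsmanSpn -ComputerFqdn $ComputerFqdn
    $spnHost = ($spn -split '[/:]')[1]
    if ($spnHost -cne $ComputerFqdn) {   # -cne is a case-sensitive comparison
        Write-Warning "Using '$spnHost' (case of the registered SPN) instead of '$ComputerFqdn'"
    }
    # Same checks the post walks through, now with the right name and credential form.
    Test-WSMan -ComputerName $spnHost -Authentication Kerberos -Credential $Credential | Out-Null
    New-PSSession -ComputerName $spnHost -ConfigurationName $ConfigurationName `
        -Authentication Kerberos -Credential $Credential
}

# Usage (placeholders): open the session, then list what the endpoint exposes.
# $cred = Get-Credential 'child.corp.example\jdoe'
# $s = Connect-RestrictedEndpoint -ComputerFqdn 'endpoint.child.corp.example' `
#          -ConfigurationName 'MySecureEndPoint' -Credential $cred
# Invoke-Command -Session $s -ScriptBlock { Get-Command }
```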
Now that the authentication worked, I hit another unexpected road block.
Using domain admin credentials I could do on the DC:
Enter-PSSession -ComputerName localhost -ConfigurationName 'MySecureEndPoint'
But not on the member server. I got the following error: Enter-PSSession : AuthorizationManager check failed.
Well, I found only one configuration item inconsistent with the way my endpoint is configured that could explain why I get the equivalent of an “access denied”.
I’m using a RunAs account that is able to restart remote computers, and both the DC and the member server have this policy set:
After removing the whole GPO that configured WinRM, I was finally able to deliver the reboot button:
Achievement unlocked 😉