Sunday 15 April 2012

wmi - PowerShell: Invoke-Command Permissions Issue


Summary: Running "Get-WmiObject" against another computer works fine, but when I use "Invoke-Command" to run "Get-WmiObject", I get access denied.

In detail: I have a workstation (Computer-Central) at our central site, from which I run an inventory script. The inventory script loops through several "get-wmi" commands for each IP at all our remote sites. If I log on to Computer-Central as a domain administrator, the script works properly.

Now I am at one of those remote sites. My current workstation is Computer-SiteA, so I cannot log on to Computer-Central directly; I have to RDP in. The problem is that the RDP session times out before the script finishes (it takes approximately 12 hours). So I can't RDP in, start the script, and walk away. For various reasons, making a scheduled task is also out.

PowerShell Remoting is enabled. I logged on to Computer-SiteA with my domain administrator account and ran the following command:

  invoke-command -computername computer-central {Dir c:}

This worked fine, so I started the inventory script with the following command (again, run as a domain administrator on Computer-SiteA):

  invoke-command -computername computer-central -filepath c:\inventory.ps1

The script started and ran overnight, but the get-wmi commands all produced "login denied" errors. I RDP'd into Computer-Central and ran the following command:

  get-wmiobject -class win32_computersystem -property name -computername computer-SiteB

It worked properly and got me the WMI information back.

Then I logged on to Computer-SiteA and ran the following command:

  invoke-command -computername computer-central {get-wmiobject -class win32_computersystem -property Name -computername computer-SiteB}

This failed with "Access Denied". I was logged on as a domain administrator, and I even used "Run as a different user" to make sure that the PS console was open as my domain administrator account.

I am very confused by this. "Invoke-Command" should start the powershell.exe process on the remote system with the credentials I used on the local PC. The "get-wmiobject" command should then pass the WMI query from the remote PC to the target PC, again with the same credentials. But that does not seem to be the case.

Any thoughts?

EDIT: I ran this command to make Computer-Central query itself.

  invoke-command -computername computer-central {get-wmiobject -class win32_computersystem -property name -computername computer-central}

It worked. If I call "get-wmiobject" on the remote system targeting itself, it works. If I call "get-wmiobject" on the remote system targeting a third system, it fails. I hope this will be helpful.

The problem is that you are using NTLM (Windows) authentication to a remote machine, and then attempting to connect from there to another machine. This is the classic "double hop" problem: you are on machine A, authenticating to machine B, and then trying to connect from B to machine C (via WMI).

It works with RDP because you are connecting from A to B using RDP and giving your username and password to B (you have to type them in). At that point, B is able to use NTLM to connect from B to C. When you do not use RDP, you are connecting from A to B with NTLM, and you do not have permission to use NTLM a second time from B to C, because you have not given B your username and password again.

Thankfully, PowerShell has a solution for this, and it is called CredSSP authentication. It requires some extra work to set up, but once you do this you can do what you are trying to do. Here is a good walkthrough:

CredSSP will "tunnel" your username and password from A to B so that B can authenticate with NTLM to C. You definitely have to give your credentials again - it cannot determine your password from your initial login (probably on your desktop or laptop).

Hope this helps,
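
The CredSSP setup the answer describes, applied to the three machines in the question, as an added example that is not part of the original question or answer. It assumes WinRM is already enabled on Computer-Central, that both consoles are elevated, and that the name given to -DelegateComputer is exactly the name later passed to -ComputerName.

```powershell
# Added example (not from the original post). Host names are those used in the question.

# --- Step 1: on Computer-Central (hop B), elevated console, e.g. over RDP ---
# Allow this machine to accept credentials delegated by a remoting client.
Enable-WSManCredSSP -Role Server -Force

# --- Step 2: on Computer-SiteA (hop A), elevated console ---
# Permit delegation of fresh credentials to Computer-Central only.
# Naming one host instead of '*' limits where the password can be sent.
Enable-WSManCredSSP -Role Client -DelegateComputer 'Computer-Central' -Force

# Confirm the client-side delegation setting before going further.
Get-WSManCredSSP

# --- Step 3: on Computer-SiteA, run the second hop with explicit credentials ---
# CredSSP cannot reuse the logon token; the credential must be supplied again.
$cred = Get-Credential

# Single-query check: the same command that returned "Access Denied" in the question.
Invoke-Command -ComputerName 'Computer-Central' `
               -Authentication Credssp `
               -Credential $cred `
               -ScriptBlock {
    Get-WmiObject -Class Win32_ComputerSystem -Property Name -ComputerName 'Computer-SiteB'
}

# Full inventory run, using the script path from the question.
Invoke-Command -ComputerName 'Computer-Central' `
               -Authentication Credssp `
               -Credential $cred `
               -FilePath 'C:\inventory.ps1'

# --- Step 4: when the inventory is finished ---
# The delegated credential is usable on Computer-Central for the life of the session,
# so turn delegation off again once it is no longer needed.
Disable-WSManCredSSP -Role Client      # on Computer-SiteA
# Disable-WSManCredSSP -Role Server    # run this one on Computer-Central
```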
