How does it work : WSManCredSSP server/client role - powershell-2.0

I want to administrate the company computers with Powershell from my laptop.
So I assume my laptop is the Server and the rest are Clients.
So I make my computer a server (the computer from which I initiate all the remote connections)
Enable-WSManCredSSP -Role Server
+ I enter wsman/* in the GPO (which is needed on the machine that initiates the remote)
And then I make the rest of the computers clients as follows:
Enable-WSManCredSSP -Role Client -DelegateComputer *
If everything goes as I suppose, I should be able to connect from the Server to the Client, but I get an error.
But if I try the opposite, from the client to the server, it works perfectly (after I set the wsman/* in the GPO, of course).
Can someone explain how the Server/Client roles are supposed to work?
P.S.
The error I get when trying to connect from Server > Client is the following:
Enter-PSSession : Connecting to remote server failed with the following error message : The WinRM client cannot process
the request. CredSSP authentication is currently disabled in the client configuration. Change the client configuration
and try the request again. CredSSP authentication must also be enabled in the server configuration. Also, Group Policy
must be edited to allow credential delegation to the target computer. Use gpedit.msc and look at the following policy:
Computer Configuration -> Administrative Templates -> System -> Credentials Delegation -> Allow Delegating Fresh Crede
ntials. Verify that it is enabled and configured with an SPN appropriate for the target computer. For example, for a t
arget computer name "myserver.domain.com", the SPN can be one of the following: WSMAN/myserver.domain.com or WSMAN/*.do
main.com For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:16
+ Enter-PSSession <<<< -ComputerName 192.168.30.122 -Credential IT -Authentication CredSSP
+ CategoryInfo : InvalidArgument: (192.168.30.122:String) [Enter-PSSession], PSRemotingTransportException
+ FullyQualifiedErrorId : CreateRemoteRunspaceFailed

Did you set your policy to allow delegation of Fresh Credentials?
Computer Configuration -> Administrative Templates -> System ->
Credentials Delegation -> Allow Delegating Fresh Credentials.
What is your Enter-PSSession invocation?
PS> $cred = Get-Credential
PS> Enter-PSSession 192.168.30.122 -Authentication CredSSP -Credential $cred
[xxxx.yyyy.local]: PS C:\Users\zzzz\Documents>
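
An added example (not part of the original question or answer): in CredSSP the Client role belongs to the machine that initiates the session and delegates credentials, and the Server role to the machine that receives them. The function below reports which roles a machine holds and which delegation targets its policy allows; the function name Get-CredSspRoleReport and the host target01.example.local are placeholders chosen for this example.

```powershell
# Added example, PowerShell 2.0 compatible. Run elevated on the machine being checked.
function Get-CredSspRoleReport {
    # Client role: this machine may SEND (delegate) credentials when it initiates a session.
    $clientEnabled = (Get-Item WSMan:\localhost\Client\Auth\CredSSP).Value
    # Server role: this machine may RECEIVE delegated credentials from a caller.
    $serverEnabled = (Get-Item WSMan:\localhost\Service\Auth\CredSSP).Value

    # "Allow Delegating Fresh Credentials" policy: one registry value per allowed SPN.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentials'
    $spns = @()
    if (Test-Path $policyKey) {
        $key  = Get-Item $policyKey
        $spns = @($key.GetValueNames() | ForEach-Object { $key.GetValue($_) })
    }

    # A target such as wsman/* allows delegation to any host, not only the managed ones.
    $wildcards = @($spns | Where-Object { $_ -match '\*' })
    if ($wildcards.Count -gt 0) {
        Write-Warning ("Wildcard delegation targets: " + ($wildcards -join ', '))
    }

    New-Object PSObject -Property @{
        ComputerName      = $env:COMPUTERNAME
        ClientRole        = $clientEnabled
        ServerRole        = $serverEnabled
        DelegationTargets = $spns
        WildcardTargets   = $wildcards
    }
}

Get-CredSspRoleReport | Format-List

# Role assignment for the scenario in the question (placeholder host name):
#   On the laptop that runs Enter-PSSession (the initiator):
#     Enable-WSManCredSSP -Role Client -DelegateComputer 'target01.example.local' -Force
#   On each managed computer (the target of the session):
#     Enable-WSManCredSSP -Role Server -Force
```

On the initiating laptop the report should show ClientRole as true and list the target in DelegationTargets; on a managed computer it should show ServerRole as true.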

Related

TFS2015: Test agents deployment through HTTPS fails: Access Denied

I'm getting a bit of a strange situation with a 'Visual Studio Test Agent Deployment' in TFS2015 Update 2.1. When in the Machine Group the protocol is set to HTTP everything is OK, the test agent deploys successfully. But when I'm trying to do the same task with an HTTPS connection to the remote machine I'm getting an exception:
DistributedTests: Task 'DownloadTestAgent' on machine 'XYZ:5986' is being run
DistributedTests: Task 'DownloadTestAgent' on machine 'XYZ:5986' completed.
DistributedTests: Task 'DownloadTestAgent' for machine XYZ:5986's Error : System.Management.Automation.Remoting.PSRemotingTransportException: Connecting to remote server XYZ failed with the following error message :
Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
Machines are in the same domain. It's not a user/password problem because when I use HTTP it successfully finishes the deployment, but when I edit 'Machine Group' to use HTTPS it fails.
Thanks for any ideas!
I'm afraid you didn't configure HTTPS for WinRM on the host machine, you would need to follow the directions for domain-joined machines:
If you choose HTTPS, you can use either a FQDN or an IP address to access the target machine(s). To use a FQDN to access the target machine(s), execute the following in a Command window with Administrative permissions:
ConfigureWinRM.ps1 {FQDN} https
To use an IP address to access the target machine(s), execute the following in a Command window with Administrative permissions:
ConfigureWinRM.ps1 {ipaddress} https
These commands create a test certificate by using MakeCert.exe, use
the certificate to create an HTTPS WinRM listener, and open port 5986
inbound for WinRM over HTTPS. The script also increases the WinRM
MaxEnvelopeSizekb setting. By default on Windows Server this is 500
KB, which can result in a "Request size exceeded the configured
MaxEnvelopeSize quota" error.
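
An added example (not part of the original answer or of ConfigureWinRM.ps1): a check, run on the target machine, that an HTTPS WinRM listener exists and that its certificate is present, unexpired and issued for the name the deployment task connects to. The function name Test-WinRmHttpsListener and its parameter are chosen for this example; only the certificate subject is compared, not subject alternative names.

```powershell
# Added example. Run elevated on the machine the test agent is deployed to.
function Test-WinRmHttpsListener {
    param([Parameter(Mandatory = $true)][string]$ExpectedName)  # FQDN or IP used by the task

    $listeners = @(Get-WSManInstance -ResourceURI winrm/config/Listener -Enumerate |
                   Where-Object { $_.Transport -eq 'HTTPS' })
    if ($listeners.Count -eq 0) {
        Write-Warning 'No HTTPS listener is configured; port 5986 will not answer WinRM requests.'
        return $false
    }

    $ok = $true
    foreach ($l in $listeners) {
        # The thumbprint may be stored with spaces; the Cert: drive expects none.
        $thumb = $l.CertificateThumbprint -replace '\s', ''
        $cert  = Get-Item "Cert:\LocalMachine\My\$thumb" -ErrorAction SilentlyContinue
        if (-not $cert) {
            Write-Warning "Port $($l.Port): certificate $thumb is not in LocalMachine\My."
            $ok = $false
            continue
        }
        if ($cert.NotAfter -lt (Get-Date)) {
            Write-Warning "Port $($l.Port): certificate expired on $($cert.NotAfter)."
            $ok = $false
        }
        if ($cert.Subject -notlike "*CN=$ExpectedName*") {
            Write-Warning "Port $($l.Port): subject '$($cert.Subject)' does not name $ExpectedName."
            $ok = $false
        }
        if ($cert.Subject -eq $cert.Issuer) {
            # Informational: callers must trust this certificate explicitly.
            Write-Warning "Port $($l.Port): certificate is self-signed."
        }
    }
    return $ok
}

# Placeholder name; use the exact name entered in the Machine Group.
Test-WinRmHttpsListener -ExpectedName 'target01.example.local'
```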

Exchange online- The WinRM client cannot process the request because the server name cannot be resolved

When I tried to connect to Exchange Online by using PowerShell, the following error arises for me.
$LiveCred = Get-Credential
Username
password
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection
While creating the session the error occurs: "[ps.outlook.com] The WinRM client cannot process the request because the server name cannot be resolved".
I have configured WinRM correctly.
C:\Windows\system32>winrm quickconfig
WinRM is already set up to receive requests on this machine.
WinRM is already set up for remote management on this machine.
But still the error exists for me.
I came here with the same issue, however, I do notice the Uri value you are trying to use appears to have been updated to https://outlook.office365.com/powershell-liveid/.
The method given http://technet.microsoft.com/en-GB/library/jj984289%28v=exchg.150%29.aspx did work for me, but at the moment it's not. Surely MS aren't down!!!

How to setup Oauth 2.0 between Notes/Domino Social Edition 9.0 custom Playground and Custom Connections 4.5

I need a complete procedure on how to set up OAuth 2.0 authentication between my own IBM/Notes/Domino/XPages apps and my own Connections 4.5 server (no Greenhouse or quick start Connections over the web).
I have installed both on the same machine, same host name, with different ports:
Connections 4.5 (HTTP 80/HTTPS 443)
Running secure mode ok
Domino 9 (HTTP 8088/ HTTPS 44388)
Accessing Connections in SSL works fine.
Running XPages SSL/Domino with specific ports too.
Follow the IBM SBT docs :
http://www-10.lotus.com/ldd/lcwiki.nsf/xpDocViewer.xsp?lookupName=IBM+Connections+4.5+Documentation#action=openDocument&res_title=Registering_an_OAuth_client_with_a_provider_ic45&content=pdcontent
Create a credential on the WAS 8.0.0.6 :
http://www-10.lotus.com/ldd/lcwiki.nsf/xpDocViewer.xsp?lookupName=IBM+Connections+4.5+Documentation#action=openDocument&res_title=Managing_the_client_application_list_ic45&content=pdcontent
but I have a question about the redirect URI to specify when creating credentials: "{opensocialSvcUrl}/gadgets/oauth2callback" as stated is for gadgets only, no?
The question is how to create the correct credential in WebSphere and how to configure it in the SBTPlayground.nsf Lotus application (OpenNTF) to successfully log in via OAuth 2.0 (only basic authentication works...)
Thanks for any help.
Here is the documentation to register an application with the Connections OAuth 2 provider. For step c the parameters are pretty self explanatory but you need to know the callback URL. The callback URL for the playground is /SBTPlayground.nsf/xsp/.sbtservice/oauth20_cb
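Create a file such as /local/qsi/bin/conx/oauthQSI.py
Input these lines:
import sys
# Load the Connections OAuth administration commands into this wsadmin session
execfile('oauthAdmin.py')
# In wsadmin, sys.argv[0] is the first script argument: $CLIENTID, then $APPID, then $URL
OAuthApplicationRegistrationService.addApplication(sys.argv[0],sys.argv[1],sys.argv[2])
clientSecret = OAuthApplicationRegistrationService.getApplicationById(sys.argv[0]).get('client_secret')
# Print the generated client secret so it can be copied into the playground environment
print clientSecret
Then change directory to your Connections deployment manager profile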
cd ${CON_PROFILE_DM}/bin/
Run this command
${CON_PROFILE_DM}/bin/wsadmin.sh -user $USER -password $PASSWORD -lang jython -port 8879 -conntype SOAP -f /local/qsi/bin/conx/oauthQSI.py $CLIENTID $APPID $URL
$CLIENTID = playground
$APPID = playground
$URL = https://XYZ.com/sbtplayground.nsf/xsp/.sbtservice/oauth20_cb
You can then edit the environment properties to point to the echoed client secret and the Connections server at
https://abc.com:444/oauth2/endpoint/connectionsProvider/authorize
https://abc.com:444/oauth2/endpoint/connectionsProvider/token
If it fails saying filter invalid, make sure (if the cert is self-signed) that you import it into the trust store for the cell you have on WebSphere.

team foundation server 2010 admin console issue

When I go to application tier, configure installed features, start wizard,
it will ask whether I would like to have SharePoint on this machine or not. I go for it and the error displayed is:
TF400081: Cannot connect to the Internet. An Internet connection is needed to be able to install SharePoint.
We are using a proxy on the network to access the internet, when I look in the log it says:
Exception Message: The remote server returned an error: (407) Proxy Authentication Required. (type WebException)Status: ProtocolError
Response Status Code: ProxyAuthenticationRequired
How can I run the standard configuration wizard so that it gets authenticated by the proxy?
This is because it's trying to download all the prerequisites for sharepoint. It may just be easier to do an offline install by manually installing the prereqs yourself.
http://blogs.technet.com/b/patrick_heyde/archive/2010/03/02/install-sharepoint-2010-without-internet-access.aspx
There are two ways:
1. Switch off require authentication for your server on the proxy.
2. Install your own intermediate proxy (Proxomitron.info for example) on your work computer and make the TFS server connect to your proxy instead of the corporate one.
And configure the intermediate proxy to bypass all connections without authentication.

Using MsDeploy to deploy Windows Services with preSync command

Is anyone successfully using MsDeploy for deploying windows services with a preSync runCommand? I've got it working using an Administrator account, but can't for the life of me get it working on a standard user account. Unfortunately I can't use integrated authentication (we're deploying to an external box), and the thought of our Administrator password sitting in plaintext in logs on our build server doesn't exactly make me feel too comfortable. For that matter, neither does any user credentials - but I can't see a way around that.
The command I'm using is this:
"tools/deploy/msdeploy.exe" -verb:sync
-preSync:runCommand="tools\Deploy\PreSyncCommand.cmd",waitInterval=30000
-source:dirPath="C:\BuiltSourcePath"
-dest:computerName=https://server:8172/msdeploy.axd?site=dummysitename,userName=service-deploy,password=service-deploy-pass,authType=basic,dirPath="C:\DeployPath\"
-allowUntrusted
with rules set up in IIS for the dummy site to allow the authentication for the service-deploy windows account, with contentPath and runCommand permissions (for the moment set to C:\ as it's not entirely clear whether this needs to be set to the temporary path that MsDeploy streams to, or the deployment path?). The service-deploy account also has full control of the target directory. I get the following back:
Performing '-preSync'...
Info: Using ID '7a7d34a1-b5d8-49f1-960a-31c9cf825868' for connections to the remote server.
Info: Using ID '4d0b910c-aca4-4640-84bd-3597d22d99d1' for connections to the remote server.
Info: Updating runCommand (C:\TeamCity\buildAgent\work\aec989676b349656\tools\De
ploy\PreSyncCommand.cmd).
Warning: Access is denied.
Warning: The process 'C:\Windows\system32\cmd.exe' (command line '/c "C:\Windows
\ServiceProfiles\LocalService\AppData\Local\Temp\giz2t0kb.0ay.cmd"') exited with
code '0x1'.
This happens even if the contents of PreSyncCommand.cmd is blank. The same command runs fine if I pass in Administrator credentials. I've tried using ProcessMonitor to check if anything's being denied access but can't see any - so I'm guessing it's still a MsDeploy authentication rule. There's nothing in WmSvc.log (debugging is enabled), nor in the event log.
Any ideas? Thanks!
Since you're using Web Deploy via WmSvc, you need to set up appropriate delegation rules on the destination server:
Within IIS Manager, open the "Management Service Delegation" feature. Add a new rule which at least specifies the runCommand provider. In the Run As section, choose Specific User and provide credentials for a local administrator account on that machine. This is the identity under which your runCommand scripts will be executed. Finally, the user which you're specifying for the destination dirPath provider needs to be added to the delegation rule.
That allows you to invoke a deployment using a non-privileged account, and yet have it executed on the target machine under administrative credentials.
More information on IIS feature delegation: http://learn.iis.net/page.aspx/516/configure-the-web-deployment-handler/
