Powershell CredSSP issue

Problem description

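I am trying to start a remote installation of SQL Server using the DBATools command install-DbaInstance, but I get an error when connecting to the remote server using CredSSP.

This is the code below. $InstallationSources is a list of installation media on a network share. This code is run from a management server, which has WMI open to it.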

$Configuration = @{ UpdateSource = $UpdateSources[$Version]; USESQLRECOMMENDEDMEMORYLIMITS="True" }

$InstallationParameters = @{
    SqlInstance = $SqlInstance 
    Path = $InstallationSources[$Version]+'\'+$Edition
    Version = $Version
    Feature = $Features
    InstancePath = $InstancePath
    DataPath = $DataPath
    LogPath = $LogPath
    TempPath = $TempPath
    BackupPath = $BackupPath
    EngineCredential = $EngineCredential
    AgentCredential = $AgentCredential
    ISCredential  = $SSISCredential
    Credential = $InstallationCredential
    Configuration = $Configuration
    PerformVolumeMaintenanceTasks = $true
    AuthenticationMode = $Authentication 
    Restart = $true
    Confirm = $false 
    Verbose = $true
}

Error output

VERBOSE: [11:40:04][Initialize-CredSSP] Configuring remote host to use CredSSP
VERBOSE: Performing the operation "Primary protocol (Credssp) failed, sending credentials via potentially unsecure protocol" on target "Server.domain.com".
VERBOSE: [11:40:04][Invoke-CommandWithFallback] Initial connection to Server.domain.com through Credssp protocol unsuccessful, falling back to PSSession configurations | Connecting to remote server Server.domain.com fai
led with the following error message : The WinRM client cannot process the request. A computer policy does not allow the delegation of the user credentials to the target computer because the computer is not trusted. The identity of the target computer can be veri
fied if you configure the WSMAN service to use a valid certificate using the following command: winrm set winrm/config/service '@{CertificateThumbprint="<thumbprint>"}'  Or you can check the Event Viewer for an event that specifies that the following SPN could no
t be created: WSMAN/<computerFQDN>. If you find this event, you can manually create the SPN using setspn.exe .  If the SPN exists, but CredSSP cannot use Kerberos to validate the identity of the target computer and you still want to allow the delegation of the us
er credentials to the target computer, use gpedit.msc and look at the following policy: Computer Configuration -> Administrative Templates -> System -> Credentials Delegation -> Allow Fresh Credentials with NTLM-only Server Authentication.  Verify that it is enab
led and configured with an SPN appropriate for the target computer. For example, for a target computer name "myserver.domain.com", the SPN can be one of the following: WSMAN/myserver.domain.com or WSMAN/*.domain.com. Try the request again after these changes. For
 more information, see the about_Remote_Troubleshooting Help topic.
VERBOSE: [11:40:06][Install-DbaInstance] Looking for installation files in \\ \INSTALLMEDIA\share  on remote machine Server.domain.com
VERBOSE: [11:40:06][Invoke-CommandWithFallback] Initial connection to Server.domain.com through Credssp protocol unsuccessful, falling back to PSSession configurations | Connecting to remote server Server.domain.com fai
led with the following error message : The WinRM client cannot process the request. A computer policy does not allow the delegation of the user credentials to the target computer because the computer is not trusted. The identity of the target computer can be veri
fied if you configure the WSMAN service to use a valid certificate using the following command: winrm set winrm/config/service '@{CertificateThumbprint="<thumbprint>"}'  Or you can check the Event Viewer for an event that specifies that the following SPN could no
t be created: WSMAN/<computerFQDN>. If you find this event, you can manually create the SPN using setspn.exe .  If the SPN exists, but CredSSP cannot use Kerberos to validate the identity of the target computer and you still want to allow the delegation of the us
er credentials to the target computer, use gpedit.msc and look at the following policy: Computer Configuration -> Administrative Templates -> System -> Credentials Delegation -> Allow Fresh Credentials with NTLM-only Server Authentication.  Verify that it is enab
led and configured with an SPN appropriate for the target computer. For example, for a target computer name "myserver.domain.com", the SPN can be one of the following: WSMAN/myserver.domain.com or WSMAN/*.domain.com. Try the request again after these changes. For
 more information, see the about_Remote_Troubleshooting Help topic.
WARNING: [11:40:07][Install-DbaInstance] Failed to enumerate files in \\installmedia\shareDeveloper | Connecting to remote server Server.domain.com failed with the fol
lowing error message : The WinRM client cannot process the request. A computer policy does not allow the delegation of the user credentials to the target computer because the computer is not trusted. The identity of the target computer can be verified if you conf
igure the WSMAN service to use a valid certificate using the following command: winrm set winrm/config/service '@{CertificateThumbprint="<thumbprint>"}'  Or you can check the Event Viewer for an event that specifies that the following SPN could not be created: WS
MAN/<computerFQDN>. If you find this event, you can manually create the SPN using setspn.exe .  If the SPN exists, but CredSSP cannot use Kerberos to validate the identity of the target computer and you still want to allow the delegation of the user credentials t
o the target computer, use gpedit.msc and look at the following policy: Computer Configuration -> Administrative Templates -> System -> Credentials Delegation -> Allow Fresh Credentials with NTLM-only Server Authentication.  Verify that it is enabled and configur
ed with an SPN appropriate for the target computer. For example, for a target computer name "myserver.domain.com", the SPN can be one of the following: WSMAN/myserver.domain.com or WSMAN/*.domain.com. Try the request again after these changes. For more informatio
n, see the about_Remote_Troubleshooting Help topic.

I also tried adding this to the script, but I still get the same error.

Enable-WSManCredSSP -Role Client -DelegateComputer $SQLinstance -Force
Enable-WSManCredSSP -Role Server -Force

Tags: powershell, powershell-remoting, dbatools, credssp
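The error output above names two things to check: the Credentials Delegation policy entries and the WSMAN SPN of the target. The following diagnostic is an added example, not part of the original post and not dbatools code. The function names are hypothetical, the target name is taken from the error output, and the registry path is the standard location of the Credentials Delegation policy.

```powershell
# Added example: inspect the client-side CredSSP delegation policy for one target.
function Get-CredSspDelegationList {
    param([string]$PolicyName = 'AllowFreshCredentials')
    $key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\$PolicyName"
    if (-not (Test-Path $key)) { return @() }
    $item = Get-Item -Path $key
    # Entries are stored as numbered string values (1, 2, ...), e.g. "wsman/host"
    return @($item.GetValueNames() | ForEach-Object { $item.GetValue($_) })
}

function Test-SpnPatternMatch {
    param([string]$TargetFqdn, [string[]]$AllowedSpns)
    $spn = "WSMAN/$TargetFqdn"
    foreach ($pattern in $AllowedSpns) {
        # -like is case-insensitive and handles the '*' wildcard used in
        # entries such as WSMAN/*.domain.com
        if ($spn -like $pattern) { return $true }
    }
    return $false
}

# Name the client connects to, as shown in the error output
$target = 'Server.domain.com'

foreach ($policy in 'AllowFreshCredentials', 'AllowFreshCredentialsWhenNTLMOnly') {
    $entries = @(Get-CredSspDelegationList -PolicyName $policy)
    [pscustomobject]@{
        Policy  = $policy
        Entries = $entries -join ', '
        Covers  = Test-SpnPatternMatch -TargetFqdn $target -AllowedSpns $entries
    }
}

# Constructed entry, to show the wildcard form from the error text matching
Test-SpnPatternMatch -TargetFqdn $target -AllowedSpns 'wsman/*.domain.com'

# WinRM's own view of the CredSSP client and server roles on this machine
Get-WSManCredSSP

# Query whether the SPN mentioned in the error message is registered
setspn.exe -Q "WSMAN/$target"
```

Run it elevated on the machine that initiates the connection. The `Covers` column shows whether any delegation entry matches the name the client actually connects to, which is the comparison the error message asks for.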

Solution

