powershell - PowerShell CredSSP issue
Question
I am trying to start a remote installation of SQL Server with the dbatools command Install-DbaInstance, but I get an error when connecting to the remote server over CredSSP.
Here is the code; $InstallationSources is a list of installation media on a network share, and this code runs from a management server to which WMI is open.
# Setup.exe configuration overrides passed through to Install-DbaInstance
$Configuration = @{ UpdateSource = $UpdateSources[$Version]; USESQLRECOMMENDEDMEMORYLIMITS = "True" }
# Parameters for Install-DbaInstance, splatted into the call below
$InstallationParameters = @{
    SqlInstance                   = $SqlInstance
    Path                          = $InstallationSources[$Version] + '\' + $Edition
    Version                       = $Version
    Feature                       = $Features
    InstancePath                  = $InstancePath
    DataPath                      = $DataPath
    LogPath                       = $LogPath
    TempPath                      = $TempPath
    BackupPath                    = $BackupPath
    EngineCredential              = $EngineCredential
    AgentCredential               = $AgentCredential
    ISCredential                  = $SSISCredential
    Credential                    = $InstallationCredential   # account used for the remote (CredSSP) session
    Configuration                 = $Configuration
    PerformVolumeMaintenanceTasks = $true
    AuthenticationMode            = $Authentication
    Restart                       = $true
    Confirm                       = $false
    Verbose                       = $true
}
# Run the dbatools installer with the parameters above
Install-DbaInstance @InstallationParameters
Error output
VERBOSE: [11:40:04][Initialize-CredSSP] Configuring remote host to use CredSSP
VERBOSE: Performing the operation "Primary protocol (Credssp) failed, sending credentials via potentially unsecure protocol" on target "Server.domain.com".
VERBOSE: [11:40:04][Invoke-CommandWithFallback] Initial connection to Server.domain.com through Credssp protocol unsuccessful, falling back to PSSession configurations | Connecting to remote server Server.domain.com failed with the following error message : The WinRM client cannot process the request. A computer policy does not allow the delegation of the user credentials to the target computer because the computer is not trusted. The identity of the target computer can be verified if you configure the WSMAN service to use a valid certificate using the following command: winrm set winrm/config/service '@{CertificateThumbprint="<thumbprint>"}' Or you can check the Event Viewer for an event that specifies that the following SPN could not be created: WSMAN/<computerFQDN>. If you find this event, you can manually create the SPN using setspn.exe . If the SPN exists, but CredSSP cannot use Kerberos to validate the identity of the target computer and you still want to allow the delegation of the user credentials to the target computer, use gpedit.msc and look at the following policy: Computer Configuration -> Administrative Templates -> System -> Credentials Delegation -> Allow Fresh Credentials with NTLM-only Server Authentication. Verify that it is enabled and configured with an SPN appropriate for the target computer. For example, for a target computer name "myserver.domain.com", the SPN can be one of the following: WSMAN/myserver.domain.com or WSMAN/*.domain.com. Try the request again after these changes. For more information, see the about_Remote_Troubleshooting Help topic.
VERBOSE: [11:40:06][Install-DbaInstance] Looking for installation files in \\ \INSTALLMEDIA\share on remote machine Server.domain.com
VERBOSE: [11:40:06][Invoke-CommandWithFallback] Initial connection to Server.domain.com through Credssp protocol unsuccessful, falling back to PSSession configurations | Connecting to remote server Server.domain.com failed with the following error message : The WinRM client cannot process the request. A computer policy does not allow the delegation of the user credentials to the target computer because the computer is not trusted. The identity of the target computer can be verified if you configure the WSMAN service to use a valid certificate using the following command: winrm set winrm/config/service '@{CertificateThumbprint="<thumbprint>"}' Or you can check the Event Viewer for an event that specifies that the following SPN could not be created: WSMAN/<computerFQDN>. If you find this event, you can manually create the SPN using setspn.exe . If the SPN exists, but CredSSP cannot use Kerberos to validate the identity of the target computer and you still want to allow the delegation of the user credentials to the target computer, use gpedit.msc and look at the following policy: Computer Configuration -> Administrative Templates -> System -> Credentials Delegation -> Allow Fresh Credentials with NTLM-only Server Authentication. Verify that it is enabled and configured with an SPN appropriate for the target computer. For example, for a target computer name "myserver.domain.com", the SPN can be one of the following: WSMAN/myserver.domain.com or WSMAN/*.domain.com. Try the request again after these changes. For more information, see the about_Remote_Troubleshooting Help topic.
WARNING: [11:40:07][Install-DbaInstance] Failed to enumerate files in \\installmedia\shareDeveloper | Connecting to remote server Server.domain.com failed with the following error message : The WinRM client cannot process the request. A computer policy does not allow the delegation of the user credentials to the target computer because the computer is not trusted. The identity of the target computer can be verified if you configure the WSMAN service to use a valid certificate using the following command: winrm set winrm/config/service '@{CertificateThumbprint="<thumbprint>"}' Or you can check the Event Viewer for an event that specifies that the following SPN could not be created: WSMAN/<computerFQDN>. If you find this event, you can manually create the SPN using setspn.exe . If the SPN exists, but CredSSP cannot use Kerberos to validate the identity of the target computer and you still want to allow the delegation of the user credentials to the target computer, use gpedit.msc and look at the following policy: Computer Configuration -> Administrative Templates -> System -> Credentials Delegation -> Allow Fresh Credentials with NTLM-only Server Authentication. Verify that it is enabled and configured with an SPN appropriate for the target computer. For example, for a target computer name "myserver.domain.com", the SPN can be one of the following: WSMAN/myserver.domain.com or WSMAN/*.domain.com. Try the request again after these changes. For more information, see the about_Remote_Troubleshooting Help topic.
I also tried adding this to the script, but I still get the same error.
# Allow this client to delegate fresh credentials to the target, and let the target accept them
Enable-WSManCredSSP -Role Client -DelegateComputer $SQLinstance -Force
Enable-WSManCredSSP -Role Server -Force
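An added example, not part of the question and not dbatools code: a read-only check, run on the management (client) machine, of the two client-side delegation lists the error message refers to, reporting whether the target host from the log is covered by the Kerberos-verified list (AllowFreshCredentials, which Enable-WSManCredSSP -Role Client writes to) or only by the weaker "NTLM-only server authentication" list. It assumes the policy lives under the standard CredentialsDelegation registry key and that 'Server.domain.com' is the target.

```powershell
# Added example: inspect the client-side CredSSP delegation policy and report
# how a given target FQDN would be matched. Read-only; assumes rights to read HKLM.
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'

function Get-CredSspDelegationPatterns {
    # $ListName is AllowFreshCredentials or AllowFreshCredentialsWhenNTLMOnly
    param([Parameter(Mandatory)][string]$ListName)
    $key = Join-Path $PolicyRoot $ListName
    if (-not (Test-Path $key)) { return @() }
    $item = Get-Item $key
    # Entries are numbered values ("1", "2", ...) holding SPN-like patterns, e.g. WSMAN/*.domain.com
    $item.GetValueNames() | Where-Object { $_ -match '^\d+$' } | ForEach-Object { $item.GetValue($_) }
}

function Test-CredSspDelegation {
    param([Parameter(Mandatory)][string]$TargetFqdn)
    $result = [ordered]@{ Target = $TargetFqdn; KerberosVerified = $false; NtlmOnly = $false; MatchedPattern = $null }
    foreach ($list in 'AllowFreshCredentials', 'AllowFreshCredentialsWhenNTLMOnly') {
        # The list only applies when its enabling DWORD under the policy root is 1
        $enabled = (Get-ItemProperty -Path $PolicyRoot -Name $list -ErrorAction SilentlyContinue).$list -eq 1
        if (-not $enabled) { continue }
        foreach ($pattern in Get-CredSspDelegationPatterns -ListName $list) {
            # Turn the policy wildcard into a regex; -match is case-insensitive, as the policy is
            $escaped = [regex]::Escape($pattern) -replace '\\\*', '.*'
            if ("WSMAN/$TargetFqdn" -match "^$escaped$") {
                if ($list -eq 'AllowFreshCredentials') { $result.KerberosVerified = $true } else { $result.NtlmOnly = $true }
                if (-not $result.MatchedPattern) { $result.MatchedPattern = "$list : $pattern" }
            }
        }
    }
    [pscustomobject]$result
}

# Target taken from the log in the question
$check = Test-CredSspDelegation -TargetFqdn 'Server.domain.com'
$check
if ($check.KerberosVerified) {
    'Client policy covers this host and the server identity is verified with Kerberos.'
} elseif ($check.NtlmOnly) {
    'Only the NTLM-only list covers this host: credentials would be delegated without proving the server identity. Prefer fixing the WSMAN SPN or service certificate so the AllowFreshCredentials list applies.'
} else {
    'No delegation pattern covers this host. Enable-WSManCredSSP -Role Client -DelegateComputer <fqdn> writes an entry to AllowFreshCredentials; the entry must match the FQDN used in the connection.'
}
```

If the entry written by Enable-WSManCredSSP holds a short name or an instance name rather than the FQDN the log shows, the check reports no match, which is the same condition the WinRM client reports.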
Solution