Enable PowerShell Remoting with Client Outside of Server’s Domain (Trusted Host and Double Hop Issue)

To enable remote powershelling with servers not in the same domain as the client machine you will need to perform the following steps:
Note: Do not allow unencrypted communication for internet use.
On the client PC type:
PS c:\users\root> cd wsman:localhost\Client
PS WSMan:\localhost\Client> Set-Item AllowUnencrypted -Value $true -force
PS WSMan:\localhost\Client> Set-Item TrustedHosts -Value * -force
On the server PC type:
PS c:\users\root> Enable-PSRemoting
Then using regedit set the key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Service\allow_unencrypted to 0x00000001

To connect from the client type:
PS WSMan:\localhost\Client> New-PSSession -name Server01 -computername boqsource -credential boq\spsetup  -Port 5985
PS WSMan:\localhost\Client> Enter-PSSession Server01

You should be on a command line on your server!

To add Sharepoint commands to your shell type:
[server] c:\> Add-PSSnapin Microsoft.Sharepoint.Powershell
Now you can execute any SP cmdlets!
But wait, you get access denied to the farm :O. This is due to a known issue in the double hop of credentials. My server credentials are different to my client credentials and my Powershell is using my client credentials. The solution is to configure CredSSP authentication.

Here are the steps to enable CredSSP on the server:
1. Login to your server.
2. In powershell type: PS C:\> Enable-WSManCredSSP -Role Server

Here are the steps to enable CredSSP on the client:
1. Enable CredSSP through powershell by typing: PS C:\> Enable-WSManCredSSP -Role Client -DelegateComputer
2. Run “gpedit.msc” drill down: Local Computer Policy > Computer Configuration > Administrative Templates > Credentials Delegation > Allow Delegating Fresh Credentials with NTLM-only.
3. Enable “Allow Delegating Fresh Credentials with NTLM-only” and click “Show” next to “Add servers to list:”. Add the server “WSMAN/*” this will add all servers, you can be specific if you wish.
4. Apply the new policy and click Start -> Run -> and type: “gpupdate”

Logging in using CredSSP:
PS C:> Enter-PSSession server -Authentication CredSSP -Credential (Get-Credential)
[server]: PS C:> Add-PSSnapin Microsoft.Sharepoint.Powershell
alternatively, put this into a ps1 script file:

$session = New-PSSession -Name server -ComputerName server -Authentication CredSSP -Credential (Get-Credential)
Invoke-Command -Session $session -ScriptBlock { Add-PSSnapin Microsoft.SharePoint.PowerShell }
Enter-PSsession $session
Now you have full access to the server and Sharepoint cmdlets!!

Reference: http://social.technet.microsoft.com/wiki/contents/articles/enable-powershell-remoting-with-client-outside-of-server-s-domain-trusted-host-and-double-hop-issue.aspx



Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s