Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Cannot enter/create PSSession from linux to windows machine #6647

Open
KaloferovLab opened this issue Apr 13, 2018 · 30 comments
Open

Cannot enter/create PSSession from linux to windows machine #6647

KaloferovLab opened this issue Apr 13, 2018 · 30 comments

Comments

@KaloferovLab
Copy link

@KaloferovLab KaloferovLab commented Apr 13, 2018

Steps to reproduce

From LInux to WIn :

enter-PSSession -ConfigurationName powershell.6.1.0-preview.1

Expected behavior

Enter the pssession on the Windows box. Same error when i try to create new pesssession on the windows box.


Actual behavior

Error

New-PSSession : MI_RESULT_ACCESS_DENIED
At line:1 char:1
Enter-PSSession -ComputerName <IP> -Credential <username>
  + CategoryInfo          : InvalidOperation: (:) [New-PSSession], PSInvalidOperationException
  + FullyQualifiedErrorId : InvalidOperation,Microsoft.PowerShell.Commands.NewPSSessionCommand

Environment data

WIndows server:

Name                           Value
----                           -----
PSVersion                      6.1.0-preview.1
PSEdition                      Core
GitCommitId                    v6.1.0-preview.1
OS                             Microsoft Windows 10.0.14393
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

LInux Server:

Name                           Value
----                           -----
PSVersion                      6.1.0-preview.1
PSEdition                      Core
GitCommitId                    v6.1.0-preview.1
OS                             Linux 3.10.0-514.e17.x86_64 #1 SMP Tue Nov 22 16:42:41 UTC 2016
Platform                       Unix
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

The alpha vesion of the plugin didn't support PSCredential Object and WinRM. Does it support them now?
Found this from last year.
#5742
Does cross platform remoting work now in 6.1.0?

@SteveL-MSFT

This comment has been minimized.

Copy link
Member

@SteveL-MSFT SteveL-MSFT commented Apr 14, 2018

@KaloferovLab remoting over WSMan is supported, but much more limited than what you get with Windows and WinRM. From Linux, you should use -Credential as unlike Windows you can't use the current security context. Also, use -Authentication Basic.

@brunobml

This comment has been minimized.

Copy link

@brunobml brunobml commented Dec 11, 2018

I have tried many times establishing a new session from linux RHEL7 to windows server 2016.
Always get the same error.
I also tried , athentication Kerberos, Basic, Negotiable, etc....

Enter-PSSession : MI_RESULT_ACCESS_DENIED
At line:1 char:1

  • Enter-PSSession -ComputerName WSRVPRD001 -Credential (Get-Credential) ...
  • CategoryInfo : InvalidArgument: (WSRVPRD001:String) [Enter-PSSession], PSInvalidOperationException
  • FullyQualifiedErrorId : CreateRemoteRunspaceFailed
@nomoresecrets

This comment has been minimized.

Copy link

@nomoresecrets nomoresecrets commented Mar 12, 2019

Did anyone manage to establish the connection?

@tekniko24

This comment has been minimized.

Copy link

@tekniko24 tekniko24 commented Mar 13, 2019

New-PSSession -ComputerName remotehost -Credential $credential -Authentication Negotiate

Use Negotiate for authentication. I don't recommend using basic as that would send your password in plain text over the network and you would also need to manually allow the remote host to accept basic authentication as it is not allowed by default. Specifying Negotiate results in using NTLM authentication which can be verified by checking $PSSenderInfo.UserInfo.Identity.AuthenticationType

@danports

This comment has been minimized.

Copy link

@danports danports commented Apr 1, 2019

If you are seeing this error on Debian or Ubuntu, see #7342 (comment).

@mgseelan

This comment has been minimized.

Copy link

@mgseelan mgseelan commented Jul 16, 2019

I also facing same problem when I am accessing from ubuntu 16.04, with powershell version and details are included

Name Value


PSVersion 6.2.1
PSEdition Core
GitCommitId 6.2.1
OS Linux 4.15.0-1036-gcp #38~16.04.1-Ubuntu SMP Tue Jun 25 15:30:46 UTC 2019
Platform Unix
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
WSManStackVersion 3.0

My error output :
PowerShell credential request
Enter your credentials.
Password for user XXXXXXXXXXXX: **********

enter-pssession : MI_RESULT_ACCESS_DENIED
At line:1 char:1

  • enter-pssession -credential XXXXXXXXXXXX
  • CategoryInfo : InvalidArgument: (:String) [Enter-PSSession], PSInvalidOperationException
  • FullyQualifiedErrorId : CreateRemoteRunspaceFailed
@dheitsc

This comment has been minimized.

Copy link

@dheitsc dheitsc commented Aug 2, 2019

I also face this Issue on Centos 7 and Server 2012r2 / 2016

@jorioux

This comment has been minimized.

Copy link

@jorioux jorioux commented Aug 23, 2019

Same issue on Centos 7 and WinServer 2019

Invoke-Command gives the same error.

@aric49

This comment has been minimized.

Copy link

@aric49 aric49 commented Oct 14, 2019

So it appears this issue has been open for a while. I recently ran into this issue via #10764. Any plans to get this resolved in future releases? This holding up some progress to port some Windows automation over to Linux based environment.

@arnydo

This comment has been minimized.

Copy link

@arnydo arnydo commented Oct 18, 2019

Experiencing this ongoing issue as well.
image

Linux > Windows 2012 R2

Enter-PSSession -Credential $creds -ConfigurationName microsoft.exchange -ConnectionUri http://x.x.x.x/powershell -Authentication Negotiate -Verbose
Enter-PSSession : Connecting to remote server x.x.x.x failed with the following error message : MI_RESULT_ACCESS_DENIED For more information, see the about_Remote_Troubleshooting Help topic.     

Linux to Exchange 2013

 Enter-PSSession -Credential $creds -ComputerName x.x.x.x -Authentication Negotiate -Verbose
Enter-PSSession : Connecting to remote server x.x.x.x failed with the following error message : MI_RESULT_ACCESS_DENIED For more information, see the about_Remote_Troubleshooting Help topic.                                           
@SteveL-MSFT

This comment has been minimized.

Copy link
Member

@SteveL-MSFT SteveL-MSFT commented Oct 21, 2019

When remoting from Linux, you will likely need to explicitly use Basic auth. Negotiate requires additional libraries and configuration.

@arnydo

This comment has been minimized.

Copy link

@arnydo arnydo commented Oct 22, 2019

When remoting from Linux, you will likely need to explicitly use Basic auth. Negotiate requires additional libraries and configuration.

Are the extra libraries required on the Windows or Linux side. Or both?

@SteveL-MSFT

This comment has been minimized.

Copy link
Member

@SteveL-MSFT SteveL-MSFT commented Oct 22, 2019

Windows already has the necessary libs built into the OS. Here's an example where the docker image was updated with a lib to support NTLM on Linux: PowerShell/PowerShell-Docker#124. This issue seems to indicate Kerberos can work on Linux.

@arnydo

This comment has been minimized.

Copy link

@arnydo arnydo commented Oct 22, 2019

Windows already has the necessary libs built into the OS. Here's an example where the docker image was updated with a lib to support NTLM on Linux: PowerShell/PowerShell-Docker#124. This issue seems to indicate Kerberos can work on Linux.

Hmm. Checked to verify that the package is installed in the Docker image and still get the same issue as above.

PS /> apt show gss-ntlmssp
Package: gss-ntlmssp
Version: 0.7.0-4build3
Status: install ok installed
PS /> Enter-PSSession -Credential $cred -ComputerName xxxxx -Authentication Negotiate -Verbose
Enter-PSSession : Connecting to remote server xxxxx failed with the following error message : MI_RESULT_FAILED For more information, see the about_Remote_Troubleshooting Help topic
@RDIL

This comment has been minimized.

Copy link
Contributor

@RDIL RDIL commented Oct 22, 2019

Hey @arnydo,
All officially supported Docker images have gss-ntlmssp installed on them, except for Alpine and openSUSE. So as long as you are using one of the others, you should be good.

@arnydo

This comment has been minimized.

Copy link

@arnydo arnydo commented Oct 22, 2019

Hey @arnydo,
All officially supported Docker images have gss-ntlmssp installed on them, except for Alpine and openSUSE. So as long as you are using one of the others, you should be good.

I am using the latest Docker image for Powershell with no luck.

@danports

This comment has been minimized.

Copy link

@danports danports commented Oct 24, 2019

@arnydo Did you check whether /etc/services was the issue? See #7342 (comment).

@arnydo

This comment has been minimized.

Copy link

@arnydo arnydo commented Oct 28, 2019

@arnydo Did you check whether /etc/services was the issue? See #7342 (comment).

Hey, what does /etc/services have to do with this particular issue? That isn't sarcastic...

@danports

This comment has been minimized.

Copy link

@danports danports commented Oct 28, 2019

haha, yes, that's a fair question! There is an issue with the native OMI library PowerShell uses on Linux that only crops up with NTLM authentication when /etc/services is missing, as it is in some Docker images (like the official PowerShell images, IIRC). See microsoft/omi#623.

@arnydo

This comment has been minimized.

Copy link

@arnydo arnydo commented Oct 29, 2019

@danports I built a new image based on the latest Ubuntu 18.04 Powershell Dockerfile but with the addition of the RUN echo 'http 80/tcp www www-http' > /etc/services.

Same result...

@danports

This comment has been minimized.

Copy link

@danports danports commented Oct 29, 2019

Hmm, perhaps you're experiencing a different problem then. You might want to try enabling OMI logging inside the container - reviewing the OMI logs is what eventually helped me to diagnose my issue.

@arnydo

This comment has been minimized.

Copy link

@arnydo arnydo commented Oct 30, 2019

Doesn't look like omi is present at all in the Powershell images...is that even used in this case?

@danports

This comment has been minimized.

Copy link

@danports danports commented Oct 30, 2019

What do you mean by not present? You'll probably need to create the OMI log and configuration directories to enable logging - I don't think they are there by default.

@jameskirsop

This comment has been minimized.

Copy link

@jameskirsop jameskirsop commented Nov 22, 2019

@SteveL-MSFT, This is all well and good:

When remoting from Linux, you will likely need to explicitly use Basic auth. Negotiate requires additional libraries and configuration.

Except, it's not supported:

> Enter-PSSession -Credential $creds -ComputerName <HOSTNAME> -Authentication Basic -Verbose
Enter-PSSession : Basic authentication is not supported over HTTP on Unix.
At line:1 char:1
....

You'd think that such a useful feature, with multiple bug reports, would have been implemented and/or documented properly a year and a half later after the issue was first reported...

@mgseelan

This comment has been minimized.

Copy link

@mgseelan mgseelan commented Nov 22, 2019

Which version of the Power shell

@elandmancrs

This comment has been minimized.

Copy link

@elandmancrs elandmancrs commented Dec 5, 2019

Just bumped against this too, using a rhel7.7 azure devops agent that needs to remote into a windows 2016 vm

@shneorc

This comment has been minimized.

Copy link

@shneorc shneorc commented Dec 6, 2019

Same issue.
Any solution or workaround?
CentOS 7 --> Server 2016

PS /tmp> Enter-PSSession -ComputerName "HostName"
Enter-PSSession : MI_RESULT_ACCESS_DENIED
At line:1 char:1
+ Enter-PSSession -ComputerName "HostName"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : InvalidArgument: (HostName:String) [Enter-PSSession], PSInvalidOperationException
+ FullyQualifiedErrorId : CreateRemoteRunspaceFailed
@MrHariSharma

This comment has been minimized.

Copy link

@MrHariSharma MrHariSharma commented Dec 13, 2019

I am also facing same issue
CentOS 7 --> Windows Server 2019
PowerShell 6.0.0 Beta 6

PS /root> Enter-PSSession -ComputerName "TEST.mydomain.com"
Enter-PSSession : MI_RESULT_ACCESS_DENIED
At line:1 char:1

  • Enter-PSSession -ComputerName "TEST.mydomain.com"
  • CategoryInfo : InvalidArgument: (TEST.mydomain.com:String) [Enter-PSSession], PSInvalidOperationException
  • FullyQualifiedErrorId : CreateRemoteRunspaceFailed

But if I try Invoke-Command it works
$dn='DomainName\Administrator'
$pwsd='GiveYourPassword'
$ip='192.168.20.119'
$secpasswd = ConvertTo-SecureString $pwsd -AsPlainText -Force
$mycreds = New-Object System.Management.Automation.PSCredential -argumentlist $dn, $secpasswd

Now I have another interesting issue i.e. latency
Can someone please help?
If I use Powershell 6.2.3 RC build, Invoke-Command takes approx 30 sec. For more details #6531

@Nateb1121

This comment has been minimized.

Copy link

@Nateb1121 Nateb1121 commented Dec 16, 2019

The reason this wasn't working for me was that I didn't have the NTLM authentication package ( gssntlmssp) for my distro (CentOS) installed. Rather than fiddling with installing the correct packages, I took a look at the official Microsoft PowerShell docker image. Currently the folks over there have been working on adding NTLM support into the docker container (PowerShell/PowerShell-Docker#124) and have every platform but Photon which prevents it from being added to latest.

Here's a workaround I used, YMMV. To run the PowerShell docker container on CentOS that should allow you to Enter-PSSession into Windows computers run the following
docker run -it mcr.microsoft.com/powershell:7.0.0-preview.6-centos-7 or docker run -it mcr.microsoft.com/powershell:preview (which should work on any platform), this will start up a docker container interactively and will give you a PowerShell command line at the end, which suited my needs (I did have to add -Authentication Negotiate on the Enter-PSSession though). When you exit the PowerShell terminal the docker container will stop and you'll need to rerun that command. Keep in mind it is a container so be mindful when attempting to use files. If a container doesn't suit your needs, read on.

I was able to successfully remote into things using that Docker container as a workaround. If you don't want to use the docker container then have a look at the Docker file in the PowerShell-Docker repo under /release/preview/ for the corresponding architecture and see what commands it's running to get the container up.

TL;DR Use the latest preview tagged Docker image for your architecture which will include the proper NTLM libraries. Alternatively, install gss-ntlmssp/gssntlmssp on your machine and it should solve most issues with Enter-PSSession.

@BitDesert

This comment has been minimized.

Copy link

@BitDesert BitDesert commented Jan 16, 2020

Installing gss-ntlmssp as stated in #11374 solved this issue for me.
I'm using -Authentication Negotiate.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
You can’t perform that action at this time.