Cannot enter/create PSSession from linux to windows machine #6647

Open
KaloferovLab opened this issue Apr 13, 2018 · 59 comments
Labels
Issue-Question WG-Remoting

@KaloferovLab KaloferovLab commented Apr 13, 2018

Steps to reproduce

From Linux to Win:

enter-PSSession -ConfigurationName powershell.6.1.0-preview.1

Expected behavior

Enter the PSSession on the Windows box. Same error when I try to create a new PSSession on the Windows box.


Actual behavior

Error

New-PSSession : MI_RESULT_ACCESS_DENIED
At line:1 char:1
Enter-PSSession -ComputerName <IP> -Credential <username>
  + CategoryInfo          : InvalidOperation: (:) [New-PSSession], PSInvalidOperationException
  + FullyQualifiedErrorId : InvalidOperation,Microsoft.PowerShell.Commands.NewPSSessionCommand

Environment data

Windows server:

Name                           Value
----                           -----
PSVersion                      6.1.0-preview.1
PSEdition                      Core
GitCommitId                    v6.1.0-preview.1
OS                             Microsoft Windows 10.0.14393
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Linux server:

Name                           Value
----                           -----
PSVersion                      6.1.0-preview.1
PSEdition                      Core
GitCommitId                    v6.1.0-preview.1
OS                             Linux 3.10.0-514.e17.x86_64 #1 SMP Tue Nov 22 16:42:41 UTC 2016
Platform                       Unix
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

The alpha version of the plugin didn't support PSCredential Object and WinRM. Does it support them now?
Found this from last year.
#5742
Does cross platform remoting work now in 6.1.0?

@iSazonov iSazonov added the Issue-Question label Apr 13, 2018
@SteveL-MSFT SteveL-MSFT added the WG-Remoting label Apr 14, 2018
Member

@SteveL-MSFT SteveL-MSFT commented Apr 14, 2018

@KaloferovLab remoting over WSMan is supported, but much more limited than what you get with Windows and WinRM. From Linux, you should use -Credential as unlike Windows you can't use the current security context. Also, use -Authentication Basic.


@brunobml brunobml commented Dec 11, 2018

I have tried many times establishing a new session from linux RHEL7 to windows server 2016.
Always get the same error.
I also tried authentication Kerberos, Basic, Negotiable, etc.

Enter-PSSession : MI_RESULT_ACCESS_DENIED
At line:1 char:1
  + Enter-PSSession -ComputerName WSRVPRD001 -Credential (Get-Credential) ...
  + CategoryInfo          : InvalidArgument: (WSRVPRD001:String) [Enter-PSSession], PSInvalidOperationException
  + FullyQualifiedErrorId : CreateRemoteRunspaceFailed


@nomoresecrets nomoresecrets commented Mar 12, 2019

Did anyone manage to establish the connection?


@tekniko24 tekniko24 commented Mar 13, 2019

New-PSSession -ComputerName remotehost -Credential $credential -Authentication Negotiate

Use Negotiate for authentication. I don't recommend using basic as that would send your password in plain text over the network and you would also need to manually allow the remote host to accept basic authentication as it is not allowed by default. Specifying Negotiate results in using NTLM authentication which can be verified by checking $PSSenderInfo.UserInfo.Identity.AuthenticationType


@danports danports commented Apr 1, 2019

If you are seeing this error on Debian or Ubuntu, see #7342 (comment).


@mgseelan mgseelan commented Jul 16, 2019

I am also facing the same problem when accessing from Ubuntu 16.04; the PowerShell version and details are included

Name                           Value
----                           -----
PSVersion                      6.2.1
PSEdition                      Core
GitCommitId                    6.2.1
OS                             Linux 4.15.0-1036-gcp #38~16.04.1-Ubuntu SMP Tue Jun 25 15:30:46 UTC 2019
Platform                       Unix
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

My error output :
PowerShell credential request
Enter your credentials.
Password for user XXXXXXXXXXXX: **********

enter-pssession : MI_RESULT_ACCESS_DENIED
At line:1 char:1
  + enter-pssession -credential XXXXXXXXXXXX
  + CategoryInfo          : InvalidArgument: (:String) [Enter-PSSession], PSInvalidOperationException
  + FullyQualifiedErrorId : CreateRemoteRunspaceFailed


@dheitsc dheitsc commented Aug 2, 2019

I also face this Issue on Centos 7 and Server 2012r2 / 2016


@jorioux jorioux commented Aug 23, 2019

Same issue on Centos 7 and WinServer 2019

Invoke-Command gives the same error.


@aric49 aric49 commented Oct 14, 2019

So it appears this issue has been open for a while. I recently ran into this issue via #10764. Any plans to get this resolved in future releases? This is holding up some progress to port some Windows automation over to a Linux-based environment.


@arnydo arnydo commented Oct 18, 2019

Experiencing this ongoing issue as well.

Linux > Windows 2012 R2

Enter-PSSession -Credential $creds -ConfigurationName microsoft.exchange -ConnectionUri http://x.x.x.x/powershell -Authentication Negotiate -Verbose
Enter-PSSession : Connecting to remote server x.x.x.x failed with the following error message : MI_RESULT_ACCESS_DENIED For more information, see the about_Remote_Troubleshooting Help topic.     

Linux to Exchange 2013

 Enter-PSSession -Credential $creds -ComputerName x.x.x.x -Authentication Negotiate -Verbose
Enter-PSSession : Connecting to remote server x.x.x.x failed with the following error message : MI_RESULT_ACCESS_DENIED For more information, see the about_Remote_Troubleshooting Help topic.                                           

Member

@SteveL-MSFT SteveL-MSFT commented Oct 21, 2019

When remoting from Linux, you will likely need to explicitly use Basic auth. Negotiate requires additional libraries and configuration.


@arnydo arnydo commented Oct 22, 2019

> When remoting from Linux, you will likely need to explicitly use Basic auth. Negotiate requires additional libraries and configuration.

Are the extra libraries required on the Windows or Linux side. Or both?

Member

@SteveL-MSFT SteveL-MSFT commented Oct 22, 2019

Windows already has the necessary libs built into the OS. Here's an example where the docker image was updated with a lib to support NTLM on Linux: PowerShell/PowerShell-Docker#124. This issue seems to indicate Kerberos can work on Linux.


@arnydo arnydo commented Oct 22, 2019

> Windows already has the necessary libs built into the OS. Here's an example where the docker image was updated with a lib to support NTLM on Linux: PowerShell/PowerShell-Docker#124. This issue seems to indicate Kerberos can work on Linux.

Hmm. Checked to verify that the package is installed in the Docker image and still get the same issue as above.

PS /> apt show gss-ntlmssp
Package: gss-ntlmssp
Version: 0.7.0-4build3
Status: install ok installed
PS /> Enter-PSSession -Credential $cred -ComputerName xxxxx -Authentication Negotiate -Verbose
Enter-PSSession : Connecting to remote server xxxxx failed with the following error message : MI_RESULT_FAILED For more information, see the about_Remote_Troubleshooting Help topic

Contributor

@RDIL RDIL commented Oct 22, 2019

Hey @arnydo,
All officially supported Docker images have gss-ntlmssp installed on them, except for Alpine and openSUSE. So as long as you are using one of the others, you should be good.


@arnydo arnydo commented Oct 22, 2019

> Hey @arnydo,
> All officially supported Docker images have gss-ntlmssp installed on them, except for Alpine and openSUSE. So as long as you are using one of the others, you should be good.

I am using the latest Docker image for Powershell with no luck.


@danports danports commented Oct 24, 2019

@arnydo Did you check whether /etc/services was the issue? See #7342 (comment).


@arnydo arnydo commented Oct 28, 2019

> @arnydo Did you check whether /etc/services was the issue? See #7342 (comment).

Hey, what does /etc/services have to do with this particular issue? That isn't sarcastic...


@danports danports commented Oct 28, 2019

haha, yes, that's a fair question! There is an issue with the native OMI library PowerShell uses on Linux that only crops up with NTLM authentication when /etc/services is missing, as it is in some Docker images (like the official PowerShell images, IIRC). See microsoft/omi#623.


@arnydo arnydo commented Oct 29, 2019

@danports I built a new image based on the latest Ubuntu 18.04 Powershell Dockerfile but with the addition of the RUN echo 'http 80/tcp www www-http' > /etc/services.

Same result...


@danports danports commented Oct 29, 2019

Hmm, perhaps you're experiencing a different problem then. You might want to try enabling OMI logging inside the container - reviewing the OMI logs is what eventually helped me to diagnose my issue.


@arnydo arnydo commented Oct 30, 2019

Doesn't look like omi is present at all in the Powershell images...is that even used in this case?


@danports danports commented Oct 30, 2019

What do you mean by not present? You'll probably need to create the OMI log and configuration directories to enable logging - I don't think they are there by default.


@jameskirsop jameskirsop commented Nov 22, 2019

@SteveL-MSFT, This is all well and good:

> When remoting from Linux, you will likely need to explicitly use Basic auth. Negotiate requires additional libraries and configuration.

Except, it's not supported:

> Enter-PSSession -Credential $creds -ComputerName <HOSTNAME> -Authentication Basic -Verbose
Enter-PSSession : Basic authentication is not supported over HTTP on Unix.
At line:1 char:1
....

You'd think that such a useful feature, with multiple bug reports, would have been implemented and/or documented properly a year and a half later after the issue was first reported...


@mgseelan mgseelan commented Nov 22, 2019

Which version of PowerShell?


@ghost ghost commented Dec 5, 2019

Just bumped against this too, using a rhel7.7 azure devops agent that needs to remote into a windows 2016 vm

Collaborator

@iSazonov iSazonov commented Jan 31, 2020

@SteveL-MSFT Please look at the previous comment. I believe we can close the issue and fix it in #11374


@waljlopez2019 waljlopez2019 commented Apr 17, 2020

Installing gss-ntlmssp as stated in #11374 solved this issue for me.
I'm using -Authentication Negotiate.

It's solution.....


@sliddjur sliddjur commented May 15, 2020

I still have this issue, on Ubuntu 20.04
Powershell installed today with snap.
I'm trying to Enter-PSSession -Authentication Negotiate using my $creds.

~> snap list powershell
Name        Version  Rev  Tracking       Publisher              Notes
powershell  7.0.1    129  latest/stable  microsoft-powershell✓  classic
~> apt info gss-ntlmssp
Package: gss-ntlmssp
Version: 0.7.0-4build3
...
APT-Manual-Installed: yes

The error message is:

Enter-PSSession: Connecting to remote server 172.18.42.64 failed with the following error message : acquiring creds with username only failed Unspecified GSS failure.  Minor code may provide more information SPNEGO cannot find mechanisms to negotiate For more information, see the about_Remote_Troubleshooting Help topic.

Contributor

@Himura2la Himura2la commented May 22, 2020

Same here. Ubuntu 20.04, PowerShell 7.0.1 from Store. I guess the Snap package should be changed to add gss-ntlmssp?

PS /home/himura> Enter-PSSession -ComputerName ... -Credential ... -Authentication Negotiate

PowerShell credential request
Enter your credentials.
Password for user ...: ***************

Enter-PSSession: Connecting to remote server ... failed with the following error message : acquiring creds with username only failed Unspecified GSS failure.  Minor code may provide more information SPNEGO cannot find mechanisms to negotiate For more information, see the about_Remote_Troubleshooting Help topic.


@manivannanpk manivannanpk commented May 27, 2020

I am also facing the same issue with the latest version of PowerShell (7.0.1).

Trying to connect to Windows 2012 from CentOS Linux 7.


@manivannanpk manivannanpk commented May 27, 2020

As suggested by @BitDesert above, it works for me after installing gss-ntlmssp and with -Authentication Negotiate.

But there is a huge latency. Authentication itself takes around 20 seconds. Both the Linux and Windows machines are in the same subnet.

Any suggestion on how to reduce the latency?


@jlam55555 jlam55555 commented May 31, 2020

Having the same issue here on Arch Linux with Powershell Core 7.0.0. Installing the gss-ntlmssp AUR package and using -Authentication Negotiate did not solve the problem. Still get:

PS /home/jon> Enter-PSSession -Credential $credentials -Authentication Negotiate -ComputerName 192.168.1.203
Enter-PSSession: Connecting to remote server 192.168.1.203 failed with the following error message : acquiring creds with username only failed Unspecified GSS failure.  Minor code may provide more information SPNEGO cannot find mechanisms to negotiate For more information, see the about_Remote_Troubleshooting Help topic.


@arizvisa arizvisa commented Jul 22, 2020

Hey guys, op of PowerShell/PowerShell-Docker#124 here.

You can literally just use the docker://mcr.microsoft.com/powershell:centos-7 container w/ podman/docker/rkt/whatev to get it to work. Just run the container w/ interactivity and a tty and it kicks you into pwsh. If it doesn't work, then check that the server you're trying to connect to is configured properly because tokens aren't exchanged across both platforms. Not all platforms support gssapi/ntlm, and I don't think there are any tests, but because of @RDIL's work, it's super straightforward regardless.

Downloading sha256:d06345b12b6 [=============================]   106 MB / 106 MB 
Downloading sha256:524b0c1e57f [=============================] 75.9 MB / 75.9 MB 
PowerShell 7.0.3
Copyright (c) Microsoft Corporation. All rights reserved.

https://aka.ms/powershell
Type 'help' to get help.

PS /> enter-pssession -computername 10.7.17.218 -Credential $u -Authentication negotiate

PowerShell credential request
Enter your credentials.
User: root
Password for user root: ************************************************

[10.7.17.218]: PS C:\Users\root\Documents> exit

This is literally what containers are for, so you don't have to fight with crazy deps to get a simple task handled.

If you're trying to get kerberos to work with it (instead of ntlm), I don't think the containers will work (despite gssapi supporting it) because you'll need to get your tgt with kinit and then get the gssapi library to see it. You can probably do some clever mounting to get its library to see your tgt w/ the container though.


@MysticRyuujin MysticRyuujin commented Aug 17, 2020

I'd like to add that Linux Mint 20 has the same issue as Ubuntu 20.04.

I installed the package with snap and manually installed gss-ntlmssp via apt but I still get the error:

New-PSSession: [SERVER] Connecting to remote server SERVER failed with the following error message : acquiring creds with username only failed Unspecified GSS failure.  Minor code may provide more information SPNEGO cannot find mechanisms to negotiate For more information, see the about_Remote_Troubleshooting Help topic.


@se se commented Dec 11, 2020

I found the problem. Just install inetutils-ping and it will solve it. Probably it is depending on ping to resolve OP or something.

apt-get install inetutils-ping

🖖


@sliddjur sliddjur commented Jan 20, 2021

> I found the problem. Just install inetutils-ping and it will solve it. Probably it is depending on ping to resolve OP or something.
>
> apt-get install inetutils-ping

On ubuntu I have iputils-ping - but it does not work with either one of them installed.


@janegilring janegilring commented Mar 13, 2021

I get the same error on Ubuntu 20.04 (running in WSL2), even though inetutils-ping and gss-ntlmssp are installed.

Enter-PSSession: This parameter set requires WSMan, and no supported WSMan client library was found. WSMan is either not installed or unavailable for this system.


@VGerris VGerris commented Apr 17, 2021

Unfortunately, it seems these kinds of situations are terribly poorly documented by Microsoft.
I got the following to work:

  • Set up FreeIPA for DNS and Kerberos (on Linux)
  • Register the Windows host in FreeIPA (add host - type machine name and IP address - save)
  • Set up the proper ciphers for Kerberos (GPO/regedit, everything but DES)
  • Set up Windows to authenticate with Kerberos, with something like:
    ksetup /setdomain IPA.YOURDOMAIN.COM
    ksetup /addkdc IPA.YOURDOMAIN.COM idm.ipa.yourdomain.com
    ksetup /addkpasswd IPA.YOURDOMAIN.COM idm.ipa.yourdomain.com
    ksetup /setcomputerpassword SecretMachinePassword
    ksetup /mapuser * *
  • Log in to the FreeIPA host and generate the keytab:
    ipa-getkeytab -s ipa.yourdomain.com -p host/windows-hostname.ipa.yourdomain.com -e arcfour-hmac -k krb5.keytab.windows-hostname -P
  • Now install a Linux host you will use to connect with PowerShell - then register it with the FreeIPA Kerberos server and install PowerShell and the gssntlmssp package
  • On that same host you should be able to connect now:
    start PowerShell (pwsh / powershell in bash), then:
    $credential = get-credential user@IPA.YOURDOMAIN.COM
    Enter-PSSession -ComputerName windows-hostname.ipa.yourdomain.com -Authentication Negotiate -Credential $credential

A few other notes :

  • user needs to exist in FreeIPA, password is the password of the user in FreeIPA. The user also needs to exist as a local user on the Windows machine
  • while this worked from Linux, from Windows to Windows I only got it to work with Administrator accounts, then the format for the user is windows-hostname\Administrator
  • the Windows machines are showing the Kerberos Realm as a Workgroup, so they are not in a Domain like with an AD server
  • winrm service needs to run on host, setup and network has to be private (not public):
    winrm quickconfig
    Enable-PSRemoting
    Set-NetConnectionProfile -NetworkCategory Private

Finally, the output on CentOS 7 to connect looks like :

 pwsh
PowerShell 7.1.3
Copyright (c) Microsoft Corporation.

https://aka.ms/powershell
Type 'help' to get help.

PS /home/user> $credential = get-credential user@IPA.YOURDOMAIN.COM

PowerShell credential request
Enter your credentials.
Password for user user@IPA.YOURDOMAIN.COM: ****************

PS /home/user> Enter-PSSession -ComputerName windows-hostname.ipa.yourdomain.com -Authentication Negotiate -Credential $credential
[windows-hostname.ipa.yourdomain.com]: PS C:\Users\user.WINDOWS-HOSTNAME\Documents>

All this was put together by pulling information from all over the net.
This does not contain all details but should give you enough info to get it to work.
I have not tried Basic authentication and I think it is not safe.
The better approach is to use SSH to manage Windows, because Microsoft seems to be unwilling to deliver proper cross platform authentication support (NTLM does not work and Kerberos is not the same as in a domain setting).

There are tickets for that that have been open for months, I haven't checked those for a while, but feel free to try and get those done. Nobody wants to need a Windows server to manage other Windows servers ( or manage any windows server at all for that matter, but that's beyond the scope of the answer ;) ).


@VGerris VGerris commented Apr 17, 2021

> I still have this issue, on Ubuntu 20.04
> Powershell installed today with snap.
> I'm trying to Enter-PSSession -Authentication Negotiate using my $creds.
>
> ~> snap list powershell
> Name        Version  Rev  Tracking       Publisher              Notes
> powershell  7.0.1    129  latest/stable  microsoft-powershell✓  classic
> ~> apt info gss-ntlmssp
> Package: gss-ntlmssp
> Version: 0.7.0-4build3
> ...
> APT-Manual-Installed: yes
>
> The error message is:
>
> Enter-PSSession: Connecting to remote server 172.18.42.64 failed with the following error message : acquiring creds with username only failed Unspecified GSS failure.  Minor code may provide more information SPNEGO cannot find mechanisms to negotiate For more information, see the about_Remote_Troubleshooting Help topic.

You are not posting your whole command line. Make sure to use hostname and not IP and set up credentials as shown in my post above. It seems you only supply a user. Just google that error and look at examples otherwise. Make sure to post full info if you have the same issue, thanks


@ponchofiesta ponchofiesta commented Apr 22, 2021

yum install gssntlmssp
...
PS > $sesopt = New-PSSessionOption -SkipCACheck -SkipCNCheck
PS > Enter-PSSession -ComputerName 192.168.10.85 -Credential $cred -Authentication Negotiate -UseSSL -SessionOption $sesopt
Enter-PSSession: Connecting to remote server 192.168.10.85 failed with the following error message : Authorization failed For more information, see the about_Remote_Troubleshooting Help topic.

The Windows eventlog shows Error code 0xC000035B. That might be a version problem. Powershell on Linux seems to use NTLMv1. Windows Server needs a newer version.

Client: CentOS 7, Powershell 7.1.3
Server: Windows Server 2019


@azurezhang azurezhang commented Apr 23, 2021

In order to get remoting to work, I have installed the following dependencies on ubuntu 20.4 (without Kerberos).
Install pwsh 7.1.3
Install OpenSSL
Install PSWSman : sudo pwsh -Command 'Install-Module -Name PSWSMan'
Install gss-ntlmssp : sudo apt-get install -y gss-ntlmssp

While trying to set up on RHEL with Kerberos, I got the error of "acquiring creds with username only failed Unspecified GSS failure. Minor code may provide more information SPNEGO cannot find mechanisms to negotiate" from Invoke-Command, and "Authorization failed Unspecified GSS failure. Minor code may provide more information Server not found in Kerberos database For more information" from the New-PSSession and Enter-PSSession commands.

This might be a Kerberos configuration issue or still missing some other dependencies required on RHEL.


@VGerris VGerris commented Apr 23, 2021

You need to have your Linux machine authenticate with Kerberos first. Depending on whether you use AD or Linux, you need to make sure that it works. As I wrote, it works with both the Windows and Linux host using a Linux Kerberos server.
So login on the machine with Kerberos and type klist, you should see a valid ticket there.
As far as I know, it will not work without that, correct me if I'm wrong.


@azurezhang azurezhang commented Apr 28, 2021

@VGerris Thank you for your comment, I am able to create/enter a PSSession from Linux to Windows Server after turning off FIPS on Linux. I traced it down to an MD5 hash error and found that gss-ntlmssp is not compatible with FIPS.
Now I need to find a FIPS-compatible gss-ntlmssp package.


@VOVELEE VOVELEE commented Jun 8, 2021

I am experiencing similar issues with my setup - I simply cannot make Ubuntu 18.04 or 20.04 to connect to Windows Server 2019 using NTLM. Does anyone have any suggestions?

Looks like Ubuntu and Windows Server 2019 cannot negotiate the correct NTLM.
The same command opens a valid PSSession when it is executed on Windows 10 Client (standalone client, not joined to domain).

Setup:

  • Enabled WinRM on Windows Server 2019. Windows Server is joined to an Azure Active Directory Domain Services domain
  • Installed Powershell 7.1.3 on Ubuntu 18.04 following official Microsoft article
  • Installed gss-ntlmssp on Ubuntu 18.04 to enable NTLM authentication as per PowerShell/PowerShell-Docker#124
  • Installed PSWSMAN 2.2.0 (I tested without it - the same issue occurs)

Commands executed on Ubuntu server:

$PSSessionParameters = @{
  Authentication    = 'Negotiate'
  Credential        = [pscredential]::new('user@domaintest.onmicrosoft.com', ('Obfuscated' | ConvertTo-SecureString -AsPlainText))
  UseSSL            = $true
  Port              = 5986
  ConfigurationName = 'PowerShell.7'
  SessionOption     = New-PSSessionOption -SkipCACheck -SkipCNCheck
}
New-PSSession -ComputerName '10.0.104.201' @PSSessionParameters

Error received on Ubuntu:

New-PSSession: [10.0.104.201] Connecting to remote server 10.0.104.201 failed with the following error message : Authorization failed For more information, see the about_Remote_Troubleshooting Help topic.

Error in Windows Server Security log:

Event 4625
Account For Which Logon Failed:
	Security ID:		NULL SID
	Account Name:		user@domaintest.onmicrosoft.com
	Account Domain:		

Failure Information:
	Failure Reason:		An Error occured during Logon.
	Status:			0xC000035B
	Sub Status:		0x0

NTLM audit log on Windows Server:

NTLM server blocked audit: Audit Incoming NTLM Traffic that would be blocked
Calling process PID: 3136
Calling process name: C:\Windows\System32\svchost.exe
Calling process LUID: 0x3E4
Calling process user identity: vm-gs-alt001$
Calling process domain identity: DOMAINTEST
Mechanism OID: 1.3.6.1.4.1.311.2.2.10
Audit NTLM authentication requests to this server that would be blocked if the security policy Network Security: Restrict NTLM: Incoming NTLM Traffic is set to Deny all accounts or Deny all domain accounts.
If you want this server to allow NTLM authentication, set the security policy Network Security: Restrict NTLM: Incoming NTLM Traffic to Allow all.


@VOVELEE VOVELEE commented Jun 9, 2021

Please take a look into this thread - jborean93/omi#29
Looks like the limitation comes from the libraries which ship with different versions of Windows. The workaround is to set the CbtHardeningLevel to None so Windows doesn't try to validate the value at all.
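
To check on the Windows side whether the failures reported earlier in this thread by @ponchofiesta and @VOVELEE (event 4625 with status 0xC000035B) are what the server is logging, the following added example, which is not from the thread or from the PowerShell project, parses Security event XML and lists the matching logon failures. The function name Get-BadBindingLogonFailure and the sample event are constructed for illustration; the live-server lines in the trailing comments assume an elevated session on the Windows host.

```powershell
# Added example: not part of the original thread.
# Lists Security event 4625 records whose Status matches a given NTSTATUS.
# Default is 0xC000035B (STATUS_BAD_BINDINGS), the value reported in this thread.

function Get-BadBindingLogonFailure {
    [CmdletBinding()]
    param(
        # Raw event XML, e.g. the output of (Get-WinEvent ...).ToXml()
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$EventXml,

        [string]$Status = '0xC000035B'
    )
    process {
        $evt = [xml]$EventXml
        $sys = $evt.Event.System

        # EventID is plain text in Security events but can carry attributes in other logs.
        $id = if ($sys.EventID -is [string]) { $sys.EventID } else { $sys.EventID.'#text' }
        if ($id -ne '4625') { return }

        # Flatten <Data Name="...">value</Data> elements into a lookup table.
        $data = @{}
        foreach ($d in $evt.Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }

        # String comparison is case-insensitive; the log stores the code in lower case.
        if ($data['Status'] -ne $Status) { return }

        [pscustomobject]@{
            TimeCreated = $sys.TimeCreated.SystemTime
            Account     = $data['TargetUserName']
            Source      = $data['IpAddress']
            Package     = $data['AuthenticationPackageName']
            LogonType   = $data['LogonType']
            Status      = $data['Status']
        }
    }
}

# Constructed sample event, trimmed to the fields used above.
# Account, computer name, address and timestamp are placeholders.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4625</EventID>
    <TimeCreated SystemTime="2021-06-08T10:15:30.000000000Z" />
    <Computer>server.example.test</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">user@example.test</Data>
    <Data Name="Status">0xc000035b</Data>
    <Data Name="SubStatus">0x0</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="AuthenticationPackageName">NTLM</Data>
    <Data Name="IpAddress">192.0.2.10</Data>
  </EventData>
</Event>
'@

$sample | Get-BadBindingLogonFailure | Format-List

# On the Windows server (elevated), feed real events instead of the sample:
#   Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } |
#       ForEach-Object { $_.ToXml() } | Get-BadBindingLogonFailure
# and read the current channel-binding setting before deciding whether to change it:
#   Get-Item WSMan:\localhost\Service\Auth\CbtHardeningLevel
```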


@netcore-jroger netcore-jroger commented Jul 14, 2021

If you are using CentOS, please install gssntlmssp:

yum install gssntlmssp

If using Ubuntu, please install gss-ntlmssp:

sudo apt install gss-ntlmssp


@plao plao commented Feb 9, 2022

> New-PSSession -ComputerName remotehost -Credential $credential -Authentication Negotiate
>
> Use Negotiate for authentication. I don't recommend using basic as that would send your password in plain text over the network and you would also need to manually allow the remote host to accept basic authentication as it is not allowed by default. Specifying Negotiate results in using NTLM authentication which can be verified by checking $PSSenderInfo.UserInfo.Identity.AuthenticationType

Thanks!


@hunter86bg hunter86bg commented Feb 18, 2022

Obviously something is wrong with the PowerShell for Linux.
A very interesting blog that can shed light, especially the topic where the PRs were rejected.

For my Ubuntu18.04 connecting to Win10 Pro over winrm (http port, not joined in AD), the following worked:

sudo apt install  gss-ntlmssp powershell
pwsh -Command 'Install-Module -Name PSWSMan'
sudo pwsh -Command 'Install-WSMan'

Validation:

$cred=Get-Credential 
Enter-PSSession -ComputerName vmhostname.vmdomain -Credential $cred -Authentication Negotiate

File copy :

$pw = convertto-securestring -AsPlainText -Force -String PASS
$cred = new-object -typename System.Management.Automation.PSCredential -argumentlist "USER",$pw
$session = New-PSSession -ComputerName win10pro.localdomain -Credential $cred  -Authentication Negotiate
Copy-Item -Path 'C:\Users\USER\Desktop\somefile.txt' -Destination /tmp/ -FromSession $session


@VarunRajanna VarunRajanna commented Mar 4, 2022

The below steps worked for me on CentOS 7*

Install PowerShell for linux
DOCS: https://docs.microsoft.com/en-us/powershell/scripting/install/installing-powershell-on-linux?view=powershell-7.2

Register the Microsoft RedHat repository
curl https://packages.microsoft.com/config/rhel/8/prod.repo | sudo tee /etc/yum.repos.d/microsoft.repo

Install PowerShell

sudo yum install -y powershell

Confirm epel-release is installed

yum install -y epel-release

Update all packages

yum update -y

Install the below packages

yum install -y gssntlmssp less ncurses openssh-clients

Note: If gssntlmssp fails with the error Public key for gssntlmssp-0.7.0-1.el7.x86_64.rpm is not installed use the below command

yum install -y gssntlmssp --nogpgcheck

Install the PSWSMan on powershell

pwsh -Command "Install-Module -Name PSWSMan -Force"

Learn about the Linux distributions supported by PowerShell.


@arizvisa arizvisa commented Mar 4, 2022

> Obviously something is wrong with the PowerShell for Linux. A very interesting blog that can shed light, especially the topic where the PRs were rejected.

For the record, the blog is definitely titled as being related to Linux..but if you look at the PRs microsoft/omi#669, microsoft/omi#670, and the blog, those are all related to building the library on MacOS (which is unsupported).

The troubleshooting of GSSAPI and everything else from the blog is definitely on-topic, though, and is probably useful for people who need help troubleshooting more details of how pwsh on linux interacts with GSSAPI. Still, though, it's super cool that the author is actively maintaining OMI for all of the platforms (including MacOS)...because honestly, it needs it.

@hunter86bg

This comment was marked as off-topic.


@celsolom celsolom commented Mar 14, 2022

> Obviously something is wrong with the PowerShell for Linux. A very interesting blog that can shed light, especially the topic where the PRs were rejected.
>
> For my Ubuntu18.04 connecting to Win10 Pro over winrm (http port, not joined in AD), the following worked:
>
> sudo apt install  gss-ntlmssp powershell
> pwsh -Command 'Install-Module -Name PSWSMan'
> sudo pwsh -Command 'Install-WSMan'
>
> Validation:
>
> $cred=Get-Credential
> Enter-PSSession -ComputerName vmhostname.vmdomain -Credential $cred -Authentication Negotiate
>
> File copy :
>
> $pw = convertto-securestring -AsPlainText -Force -String PASS
> $cred = new-object -typename System.Management.Automation.PSCredential -argumentlist "USER",$pw
> $session = New-PSSession -ComputerName win10pro.localdomain -Credential $cred  -Authentication Negotiate
> Copy-Item -Path 'C:\Users\USER\Desktop\somefile.txt' -Destination /tmp/ -FromSession $session

Thanks!
Works for me on Manjaro with PS 7.2.1.

@hunter86bg

This comment was marked as off-topic.


@arizvisa arizvisa commented Mar 14, 2022

@hunter86bg not to police this thread, but that might be off-topic since we're in an issue tracker for keeping track of bugs and the thread could get closed or locked if it wanders too far from the original issue. this specific issue is with regards to entering/creating a PSsession and not necessarily performance issues encountered therein.

please create another issue describing your problem so that maybe the devers could look into it.
