Cannot enter/create PSSession from linux to windows machine

[KaloferovLab]

Steps to reproduce

From LInux to WIn :

enter-PSSession -ConfigurationName powershell.6.1.0-preview.1

Expected behavior

Enter the pssession on the Windows box. Same error when i try to create new pesssession on the windows box.

Actual behavior

Error

New-PSSession : MI_RESULT_ACCESS_DENIED
At line:1 char:1
Enter-PSSession -ComputerName <IP> -Credential <username>
  + CategoryInfo          : InvalidOperation: (:) [New-PSSession], PSInvalidOperationException
  + FullyQualifiedErrorId : InvalidOperation,Microsoft.PowerShell.Commands.NewPSSessionCommand

Environment data

WIndows server:

Name                           Value
----                           -----
PSVersion                      6.1.0-preview.1
PSEdition                      Core
GitCommitId                    v6.1.0-preview.1
OS                             Microsoft Windows 10.0.14393
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

LInux Server:

Name                           Value
----                           -----
PSVersion                      6.1.0-preview.1
PSEdition                      Core
GitCommitId                    v6.1.0-preview.1
OS                             Linux 3.10.0-514.e17.x86_64 #1 SMP Tue Nov 22 16:42:41 UTC 2016
Platform                       Unix
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

The alpha vesion of the plugin didn't support PSCredential Object and WinRM. Does it support them now?
Found this from last year.
#5742
Does cross platform remoting work now in 6.1.0?

[SteveL-MSFT]

@KaloferovLab remoting over WSMan is supported, but much more limited than what you get with Windows and WinRM. From Linux, you should use -Credential as unlike Windows you can't use the current security context. Also, use -Authentication Basic.

[brunobml]

I have tried many times establishing a new session from linux RHEL7 to windows server 2016.
Always get the same error.
I also tried , athentication Kerberos, Basic, Negotiable, etc....

Enter-PSSession : MI_RESULT_ACCESS_DENIED
At line:1 char:1

• Enter-PSSession -ComputerName WSRVPRD001 -Credential (Get-Credential) ...
• CategoryInfo : InvalidArgument: (WSRVPRD001:String) [Enter-PSSession], PSInvalidOperationException
• FullyQualifiedErrorId : CreateRemoteRunspaceFailed

[nomoresecrets]

Did anyone manage to establish the connection?

[tekniko24]

New-PSSession -ComputerName remotehost -Credential $credential -Authentication Negotiate

Use Negotiate for authentication. I don't recommend using basic as that would send your password in plain text over the network and you would also need to manually allow the remote host to accept basic authentication as it is not allowed by default. Specifying Negotiate results in using NTLM authentication which can be verified by checking $PSSenderInfo.UserInfo.Identity.AuthenticationType

[danports]

If you are seeing this error on Debian or Ubuntu, see #7342 (comment).

[mgseelan]

I also facing same problem when I am accessing from ubuntu 16.04, with powershell version and details are included

Name Value

---

PSVersion 6.2.1
PSEdition Core
GitCommitId 6.2.1
OS Linux 4.15.0-1036-gcp #38~16.04.1-Ubuntu SMP Tue Jun 25 15:30:46 UTC 2019
Platform Unix
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
WSManStackVersion 3.0

My error output :
PowerShell credential request
Enter your credentials.
Password for user XXXXXXXXXXXX: **********

enter-pssession : MI_RESULT_ACCESS_DENIED
At line:1 char:1

• enter-pssession -credential XXXXXXXXXXXX
• CategoryInfo : InvalidArgument: (:String) [Enter-PSSession], PSInvalidOperationException
• FullyQualifiedErrorId : CreateRemoteRunspaceFailed

[dheitsc]

I also face this Issue on Centos 7 and Server 2012r2 / 2016

[jorioux]

Same issue on Centos 7 and WinServer 2019

Invoke-Command gives the same error.

[aric49]

So it appears this issue has been open for a while. I recently ran into this issue via #10764. Any plans to get this resolved in future releases? This holding up some progress to port some Windows automation over to Linux based environment.

[arnydo]

Experiencing this ongoing issue as well.

Linux > Windows 2012 R2

Enter-PSSession -Credential $creds -ConfigurationName microsoft.exchange -ConnectionUri http://x.x.x.x/powershell -Authentication Negotiate -Verbose

Enter-PSSession : Connecting to remote server x.x.x.x failed with the following error message : MI_RESULT_ACCESS_DENIED For more information, see the about_Remote_Troubleshooting Help topic.     

Linux to Exchange 2013

 Enter-PSSession -Credential $creds -ComputerName x.x.x.x -Authentication Negotiate -Verbose

Enter-PSSession : Connecting to remote server x.x.x.x failed with the following error message : MI_RESULT_ACCESS_DENIED For more information, see the about_Remote_Troubleshooting Help topic.                                           

[SteveL-MSFT]

When remoting from Linux, you will likely need to explicitly use Basic auth. Negotiate requires additional libraries and configuration.

[arnydo]

When remoting from Linux, you will likely need to explicitly use Basic auth. Negotiate requires additional libraries and configuration.

Are the extra libraries required on the Windows or Linux side. Or both?

[SteveL-MSFT]

Windows already has the necessary libs built into the OS. Here's an example where the docker image was updated with a lib to support NTLM on Linux: PowerShell/PowerShell-Docker#124. This issue seems to indicate Kerberos can work on Linux.

[arnydo]

Windows already has the necessary libs built into the OS. Here's an example where the docker image was updated with a lib to support NTLM on Linux: PowerShell/PowerShell-Docker#124. This issue seems to indicate Kerberos can work on Linux.

Hmm. Checked to verify that the package is installed in the Docker image and still get the same issue as above.

PS /> apt show gss-ntlmssp
Package: gss-ntlmssp
Version: 0.7.0-4build3
Status: install ok installed

PS /> Enter-PSSession -Credential $cred -ComputerName xxxxx -Authentication Negotiate -Verbose
Enter-PSSession : Connecting to remote server xxxxx failed with the following error message : MI_RESULT_FAILED For more information, see the about_Remote_Troubleshooting Help topic

[RDIL]

Hey @arnydo,
All officially supported Docker images have gss-ntlmssp installed on them, except for Alpine and openSUSE. So as long as you are using one of the others, you should be good.

[arnydo]

Hey @arnydo,
All officially supported Docker images have gss-ntlmssp installed on them, except for Alpine and openSUSE. So as long as you are using one of the others, you should be good.

I am using the latest Docker image for Powershell with no luck.

[danports]

@arnydo Did you check whether /etc/services was the issue? See #7342 (comment).

[arnydo]

@arnydo Did you check whether /etc/services was the issue? See #7342 (comment).

Hey, what does /etc/services have to do with this particular issue? That isn't sarcastic...

[danports]

haha, yes, that's a fair question! There is an issue with the native OMI library PowerShell uses on Linux that only crops up with NTLM authentication when /etc/services is missing, as it is in some Docker images (like the official PowerShell images, IIRC). See microsoft/omi#623.

[arnydo]

@danports I built a new image based on the latest Ubuntu 18.04 Powershell Dockerfile but with the addition of the RUN echo 'http 80/tcp www www-http' > /etc/services.

Same result...

[danports]

Hmm, perhaps you're experiencing a different problem then. You might want to try enabling OMI logging inside the container - reviewing the OMI logs is what eventually helped me to diagnose my issue.

[arnydo]

Doesn't look like omi is present at all in the Powershell images...is that even used in this case?

[danports]

What do you mean by not present? You'll probably need to create the OMI log and configuration directories to enable logging - I don't think they are there by default.

[jameskirsop]

@SteveL-MSFT, This is all well and good:

When remoting from Linux, you will likely need to explicitly use Basic auth. Negotiate requires additional libraries and configuration.

Except, it's not supported:

> Enter-PSSession -Credential $creds -ComputerName <HOSTNAME> -Authentication Basic -Verbose
Enter-PSSession : Basic authentication is not supported over HTTP on Unix.
At line:1 char:1
....

You'd think that such a useful feature, with multiple bug reports, would have been implemented and/or documented properly a year and a half later after the issue was first reported...

[mgseelan]

Which version of the Power shell

[elandmancrs]

Just bumped against this too, using a rhel7.7 azure devops agent that needs to remote into a windows 2016 vm

[shneorc]

Same issue.
Any solution or workaround?
CentOS 7 --> Server 2016

PS /tmp> Enter-PSSession -ComputerName "HostName"
Enter-PSSession : MI_RESULT_ACCESS_DENIED
At line:1 char:1
+ Enter-PSSession -ComputerName "HostName"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : InvalidArgument: (HostName:String) [Enter-PSSession], PSInvalidOperationException
+ FullyQualifiedErrorId : CreateRemoteRunspaceFailed

[MrHariSharma]

I am also facing same issue
CentOS 7 --> Windows Server 2019
PowerShell 6.0.0 Beta 6

PS /root> Enter-PSSession -ComputerName "TEST.mydomain.com"
Enter-PSSession : MI_RESULT_ACCESS_DENIED
At line:1 char:1

• Enter-PSSession -ComputerName "TEST.mydomain.com"
• CategoryInfo : InvalidArgument: (TEST.mydomain.com:String) [Enter-PSSession], PSInvalidOperationException
• FullyQualifiedErrorId : CreateRemoteRunspaceFailed

But if I try Invoke-Command it works
$dn='DomainName\Administrator'
$pwsd='GiveYourPassword'
$ip='192.168.20.119'
$secpasswd = ConvertTo-SecureString $pwsd -AsPlainText -Force
$mycreds = New-Object System.Management.Automation.PSCredential -argumentlist $dn, $secpasswd

Now I have another interesting issue i.e. latency
Can someone please help?
If I use Powershell 6.2.3 RC build, Invoke-Command takes approx 30 sec. For more details #6531

[Nateb1121]

The reason this wasn't working for me was that I didn't have the NTLM authentication package ( gssntlmssp) for my distro (CentOS) installed. Rather than fiddling with installing the correct packages, I took a look at the official Microsoft PowerShell docker image. Currently the folks over there have been working on adding NTLM support into the docker container (PowerShell/PowerShell-Docker#124) and have every platform but Photon which prevents it from being added to latest.

Here's a workaround I used, YMMV. To run the PowerShell docker container on CentOS that should allow you to Enter-PSSession into Windows computers run the following
docker run -it mcr.microsoft.com/powershell:7.0.0-preview.6-centos-7 or docker run -it mcr.microsoft.com/powershell:preview (which should work on any platform), this will start up a docker container interactively and will give you a PowerShell command line at the end, which suited my needs (I did have to add -Authentication Negotiate on the Enter-PSSession though). When you exit the PowerShell terminal the docker container will stop and you'll need to rerun that command. Keep in mind it is a container so be mindful when attempting to use files. If a container doesn't suit your needs, read on.

I was able to successfully remote into things using that Docker container as a workaround. If you don't want to use the docker container then have a look at the Docker file in the PowerShell-Docker repo under /release/preview/ for the corresponding architecture and see what commands it's running to get the container up.

TL;DR Use the latest preview tagged Docker image for your architecture which will include the proper NTLM libraries. Alternatively, install gss-ntlmssp/gssntlmssp on your machine and it should solve most issues with Enter-PSSession.

[BitDesert]

Installing gss-ntlmssp as stated in #11374 solved this issue for me.
I'm using -Authentication Negotiate.