New-PSSession fails to connect to Windows Server 2016 PC

[spitfire]

Steps to reproduce

Install v6.0.0-alpha.18 on macOS 10.12.4 (16E195)
Run:

New-PSSession -ComputerName <computername> -Credential <domain\account>

Expected behavior

Works like this on Windows 10 1607 x64:

Id Name            ComputerName    ComputerType    State         ConfigurationName     Availability
-- ----            ------------    ------------    -----         -----------------     ------------
 2 WinRM2          <computername>     RemoteMachine   Opened        Microsoft.PowerShell     Available

Actual behavior

Windows PowerShell credential request
Enter your credentials.
Password for user <domain\account>: ************
New-PSSession : MI_RESULT_ACCESS_DENIED
At line:1 char:1
+ New-PSSession -ComputerName <computername> -Credential <domain\account>
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [New-PSSession], PSInvalidOperationException
    + FullyQualifiedErrorId : InvalidOperation,Microsoft.PowerShell.Commands.NewPSSessionCommand

Environment data

> $PSVersionTable

Name                           Value
----                           -----
PSVersion                      6.0.0-alpha
PSEdition                      Core
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   3.0.0.0
GitCommitId                    v6.0.0-alpha.18
CLRVersion
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

[SteveL-MSFT]

Mac PSRP/WSMan only supports Basic auth, please try that and see if it works. Recommendation is to install OpenSSH on Windows and use PSRP/SSH

[MaximoTrinidad]

+1 with @SteveL-MSFT

And, after installing OpenSSH-Win32, then try using New-PSSession with the parameters: -HostName and -UserName (instead of -ComputerName and -Credential).

I'm using these parameters in Enter-PSSession and it works.

See if this works for you!

[spitfire]

@SteveL-MSFT if I wanted to use SSH, I would just use it. Is there a separate issue open on PSRemoting that I can subscribe to, or it's just this one?

[MaximoTrinidad]

@spitfire

FYI

Right now it is possible to connect using Enter-PSSession with parameters -HostName and
-UserName:

1. Linux to Linux
2. Windows to Linux
3. Linux to Windows
4. Windows to Windows

I don't have Mac OS so I can't confirmed that one.

The documentation haven't been updated to include "Windows to Linux".

This is all possible with the current version of PowerShell v6.0.0.0-alpha.18 and
OpenSSH-Win32 v 0.0.12.0

:)

[MaximoTrinidad]

Hum!

I can connect from PowerShell v6 to my Linux box using open ssh but when running PowerShell the readline gets messed up. When typing the command, it doesn't let me complete the line.
(See image)

I got connected but is not working right with PowerShell.
Where should I post this one?

:)

[spitfire]

1. Why would I want to use SSH to connect to Windows?
2. Why would I want to use PSRemoting to connect to Mac/Linux?

In both cases I'd have to:

• Install additional software
• Configure it
• Open additional attack surface

That's not the point.
I want to be able to connect to a Windows machine from my Mac (and I thought it should be possible, since there is Powershell 6 for everything).

[MartinAyla]

It would be really nice to be able to connect from Linux/Mac to Windows, without the use of SSH, for Powershell administration.

I hope this will be possible at some point.

[SteveL-MSFT]

@MaximoTrinidad I believe you're hitting PowerShell/Win32-OpenSSH#252

@spitfire @MartinAyla PowerShell remoting requires a transport and unfortunately there currently isn't the same one on Windows and Linux/Mac. The newest fast lane flights of Win10 has OpenSSH (beta) as an optional feature on demand, so OpenSSH is getting inbox on Windows so you won't have to install additional software (in the future). There are limitations that prevent us from having PowerShell remoting over WS-Man parity on Linux and Mac compared to Windows (specifically NTLM and Kerberos support). SSH solves these problems and many customers prefer key based auth which works fine on Windows (with OpenSSH installed).

[spitfire]

@SteveL-MSFT thanks for the information. Still, this seems pretty useless to me, as it does not work out of the box, and I would probably be better off running ssh session without having to install PowerShell on my Mac.

[SteveL-MSFT]

@spitfire you can absolutely just use PowerShell over SSH without installing PowerShell on your Mac. The benefit of using PowerShell on both ends is that you can get objects and not text over SSH so you can process results locally (which may or may not be what you want). We support both options.

[KeithGlidewell]

Let me make sure I have this right @MaximoTrinidad, @SteveL-MSFT.

Running on Ubuntu, trying to talk to Windows.

• Using "-Hostname" on enter-pssession causes powershell to call "ssh hostname -p 22 -s powershell"
• Enter-PSSession from Linux to Windows supports only Basic authentication. You can issue the command with -Computername, but it will fail with MI_RESULT_ACCESS_DENIED

Is that the current state? Kerberos not working from Linux to Windows?

[MaximoTrinidad]

Hi @KeithGlidewell,

It's been awhile. Let me try it later when I get home and give you an update.
:)

[MaximoTrinidad]

@KeithGlidewell,

From Ubuntu I can connect to Windows (Workgroup environment) using OpenSSH
powershell
Enter-PSSession -hostname win01 -username maxt

Then, I can use from Windows, do an ssh maxt@win1, then powershell and run the above command.

But, I can't use the -computername with the -credential parameters, as I will get the error message "MI_RESULT_ACCESS_DENIED".

I'm good using ssh!
:)

[SteveL-MSFT]

@KeithGlidewell WSMan from Linux also supports NTLM (not supported on MacOS) and Kerberos is not supported on Linux or Mac. Recommendation is to use SSH which is where we are investing.

[giordyb]

I'm having a hard time trying to configure a secure connection from Centos 7.3 to a windows server with the latest beta and I would like to avoid using basic/unencrypted auth.

Is there a document explaining how to configure WinRM NTLM support on Linux? Does it come out of the box with Powershell or does it need OMI and PSRP packages installed as well?

[SteveL-MSFT]

@giordyb see https://github.com/powershell/psl-omi-provider#connecting-from-linux-to-windows

[KeithGlidewell]

Thanks, Steve. Any idea if/when we'll be able to ssh from Linux to Windows with Kerberos authentication?

[MaximoTrinidad]

Beside the instructions for setting OMI/PSRP in Linux are hard to follow and leaves a lot unclear for person with no Linux experience. You'll have to go for a lot of trial and error. Gives a lot of headaches!!

I haven't still figured out how to make it work. So, using SSH is much simpler and I can get connected faster. The setup experience is much less tedious that OMI/PSRP.

:)

[JumpingYang001]

@MaximoTrinidad , for OMI/PSRP, you need to install following software on Linux:

• Install PowerShell from https://github.com/PowerShell/PowerShell/releases
• Install OMI from https://github.com/Microsoft/omi/releases
• Install PSRP from https://github.com/PowerShell/psl-omi-provider/releases

For Mac, you only need to install PowerShell and it only can remote to Linux/Windows. (I mean you cannot remote to Mac using OMI/PSRP.)

But there is a bug: "the entry point method used to call into PowerShell for PSRP is changed", and it is fixed only in code yesterday: PowerShell/psl-omi-provider@d435207 , that means you cannot do any remoting through OMI/PSRP with PowerShell v6.0.0-beta.3 now except you build the latest PSRP code yourself or wait the PSRP release binaries out.

For OMI/PSRP Basic authentication,

• You needn't do any configuration on Linux, but you need to run below commands using native(built-in Windows) PowerShell on your Windows Server if you want to remote to Windows Server:

  winrm quickconfig
  Enable-PSRemoting
  winrm set winrm/config/client/auth '@{Basic="true"}'
  winrm set winrm/config/service/auth '@{Basic="true"}'
  Set-Item "wsman:\localhost\client\trustedhosts" -Value '*' –Force
  winrm set winrm/config/client '@{AllowUnencrypted="true"}'
  winrm set winrm/config/service '@{AllowUnencrypted="true"}'
  

  Note: you need to use Windows Server's administrator as Credential for Enter-PSSession, and the administrator account need to enable/add to RDP.

For OMI/PSRP Negotiate authentication,

• It is same setting as Basic authentication for Windows Server. For Linux, need to do lots of configuration shows in setup-ntlm-omi.

For OMI/PSRP Kerberos authentication,

• This feature is developing in progress on https://github.com/Microsoft/omi and Kerberos configuration documents is here:setup-kerberos-omi

[giordyb]

Just so you know, I was able to get the Negotiate authentication working on a clean Centos7 with the latest Powershell (beta4) by installing the following additional packages :

• krb5-workstation
• krb5-devel
• gssntlmssp (requires epel-release to be installed beforehand)
• powershell

I don't know why krb5-devel is needed (it's not listed as a required package in the omi instructions but without it I would get the following error

New-PSSession : [xx.xx.xxx.xxx] Connecting to remote server xx.xx.xxx.xxx failed with the following error message : Could not start request

edit: krb5-devel is needed to create a required symlink, see this issue: #3329

I did not have to create the NTLM_USER_FILE mentioned in the omi instructions, I was able to run an enter-pssession agains both a windows 2012r2 and windows 2016 (both domain joined) without setting anything up.

[lf-]

What @giordyb said is also true on Fedora 27: either krb5-workstation or gssntlmssp (I installed both and can't get to my machine to test which one, if not both, is required) are required to avoid an unhelpful MI_ACCESS_DENIED error on connection with negotiate. Really needs a better error message.

[hurricanehrndz]

Can confirm this solution works on ubuntu 18.04 with the latest preview, the exact install command was as follows:

sudo apt install krb5-multidev libkrb5-dev gss-ntlmssp

Although the packages are installed and work with the deb version, it doesn't work with the snap version.

[SteveL-MSFT]

@hurricanehrndz the snap version carries all of its dependencies with it similar to a container so it's not surprising it won't use the OS libraries and is expected

[CaledoniaProject]

I have a Windows 2008 R2 server with WINRM enabled, no domain joined.

Then I tried to connect from Ubuntu 16.04 + pwsh 6.2 preview.

It works but Enter-PSSession takes 2min to connect, and 1min for any command to execute.

PS /tmp/powershell-6.2.0-preview.1-linux-x64> Enter-PSSession -ComputerName 172.16.177.120 -Authentication Negotiate -Credential WIN-XXXX\admin

PowerShell credential request
Enter your credentials.
Password for user WIN-XXXX\admin: *************

hostname
[172.16.177.120]: PS C:\Users\admin\Documents> hostname
WIN-XXXX
hostname

Is there anything like name resolution going on?

[brandonkirsch]

Working successfully on Fedora 29 with the addition of a couple packages:

dnf install krb5-workstation gssntlmssp

Then in a PowerShell:

Enter-PSSession -ComputerName Server2012DC -Authentication Negotiate -Credential bkirsch@mydomain.com

This works great for me.

[SteveL-MSFT]

@joeyaiello perhaps you can add this to the documentation you were working on for remoting support matrix?

[MaximoTrinidad]

@joeyaiello

I got the Kerberos working for Ubuntu 18.04.

But, I notice that (of course) it opens Windows PowerShell and there's no tab-completion enabled.
I mean.. at least it works!

I just did a post about it: http://www.maxtblog.com/2019/02/powerhell-core-ubuntu-18-04-psremoting-to-an-active-directory-machine/

By the way! Is there a way to use PowerShell Core in a WinRm connection??

:)

[LinoRS]

Still not working on macOS

$PSVersionTable
Name Value
PSVersion 6.1.3
PSEdition Core
GitCommitId 6.1.3
OS Darwin 18.2.0 Darwin Kernel Version 18.2.0: Thu Dec 20 20:46:53 PST 2018; root:xnu-4903.241.1~1/RELEASE_X86_64
Platform Unix
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
WSManStackVersion 3.0

Error:
Enter-PSSession : MI_RESULT_ACCESS_DENIED
At line:2 char:1

• Enter-PSSession -ComputerName x.x.x.x `
• CategoryInfo : InvalidArgument: (x.x.x.x:String) [Enter-PSSession], PSInvalidOperationException
• FullyQualifiedErrorId : CreateRemoteRunspaceFailed

thanks

[MaximoTrinidad]

@LinoRS

You are missing the steps to reproduce the issue. What's the full Enter-PSSession command line you're trying to execute?

Which Window system environment configuration?

Also, make sure WinRM service is running. At the same time, and every time after upgrading PowerShell Core you need to run the following command: (in Windows)

Enable-PSRemoting -force

This happened to me after upgrading from 6.2.0-Preview.4 to RC1.

:)

[LinoRS]

@MaximoTrinidad

Yeah i'm trying to connect to a PEP session

Full Command i'm using is:
$cred = get-Credential
Enter-PSSession -ComputerName x.x.x.x `
-ConfigurationName PrivilegedEndpoint -Credential $cred

I wont have access to these servers to run that command though.. and WinRm is running as i can connect from a Windows10 and it connects just fine to the PEP server... i was reading that mac only supports basic auth and maybe the commands dont work as well ?

[MaximoTrinidad]

@LinoRS

Thanks for the additional information. Yes! MacOS seems limited for now but I'm sure it will get there.
Microsoft Team is always looking at these issues and I'm sure it will be addressed soon.

cc: @SteveL-MSFT / @joeyaiello

[LinoRS]

@LinoRS

Thanks for the additional information. Yes! MacOS seems limited for now but I'm sure it will get there.
Microsoft Team is always looking at these issues and I'm sure it will be addressed soon.

cc: @SteveL-MSFT / @joeyaiello

@MaximoTrinidad

thanks, i really hope they do... ;-) and maybe someone can update us here once they do....

[SteveL-MSFT]

The problem with macOS is there aren't Open Source libraries we can use for NTLM nor Kerberos. So macOS today is limited to just Basic auth. Recommendation is to install OpenSSH on the Windows machines and use SSH instead of WSMan based remoting.

[jackassplus]

@SteveL-MSFT why not have Samba as a dependency? That will take care of the Kerberos problem.

[yugaa22]

@MaximoTrinidad Does not work ... If I connect from a Windows 2012 VM, there's no delay at all.

Also, on Ubuntu there's a notable delay after command execution, it takes ~20s to display the next command prompt, e.g

pls tell me how did you get that output you have shown in .in ubuntu

[yugaa22]

MI_RESULT_ACCESS_DENIED as error while connecting .... What to do ? please any one help me...

[yugaa22]

@MaximoTrinidad Does not work ... If I connect from a Windows 2012 VM, there's no delay at all.
Also, on Ubuntu there's a notable delay after command execution, it takes ~20s to display the next command prompt, e.g

pls tell me how did you get that output you have shown in .in ubuntu

[MaximoTrinidad]

@yugaa22

If you follow my blog post: http://www.maxtblog.com/2019/02/powerhell-core-ubuntu-18-04-psremoting-to-an-active-directory-machine/

It tells you what I did to connect my Ubuntu to an AD Server. This is a Windows Server 2019 AD controller, which security for remoting are different. Essentially, if you have an Windows Controller and allow remoting to another Windows client then it should work, You should be able to at least ping between Ubuntu and the Windows server before you can try connecting to via winrm remoting thru AD.

I currently don't have the time to setup a Windows 2012 server as my full-time job it's been very demanding lately. So, I try it later on!

I will copy again @SteveL-MSFT and @joeyaiello to see what they think about the issue you're experiencing.

[yugaa22]

Thanks you very much for your reply I will follow your instructions ...once again thank you...

…

On Tue 23 Jul, 2019, 9:23 PM Maximo Trinidad, ***@***.***> wrote: @yugaa22 <https://github.com/yugaa22> If you follow my blog post: http://www.maxtblog.com/2019/02/powerhell-core-ubuntu-18-04-psremoting-to-an-active-directory-machine/ It tells you what I did to connect my Ubuntu to an AD Server. This is a Windows Server 2019 AD controller, which security for remoting are different. Essentially, if you have an Windows Controller and allow remoting to another Windows client then it should work, You should be able to at least ping between Ubuntu and the Windows server before you can try connecting to via winrm remoting thru AD. I currently don't have the time to setup a Windows 2012 server as my full-time job it's been very demanding lately. So, I try it later on! I will copy again @SteveL-MSFT <https://github.com/SteveL-MSFT> and @joeyaiello <https://github.com/joeyaiello> to see what they think about the issue you're experiencing. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#3708?email_source=notifications&email_token=AMF6IQQY2B6JPZNMMPERFRDQA4SN3A5CNFSM4DKJI2GKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD2TSMNQ#issuecomment-514270774>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AMF6IQRCIA35IZNZ4U2QBGTQA4SN3ANCNFSM4DKJI2GA> .

[yugaa22]

@yugaa22

If you follow my blog post: http://www.maxtblog.com/2019/02/powerhell-core-ubuntu-18-04-psremoting-to-an-active-directory-machine/

It tells you what I did to connect my Ubuntu to an AD Server. This is a Windows Server 2019 AD controller, which security for remoting are different. Essentially, if you have an Windows Controller and allow remoting to another Windows client then it should work, You should be able to at least ping between Ubuntu and the Windows server before you can try connecting to via winrm remoting thru AD.

I currently don't have the time to setup a Windows 2012 server as my full-time job it's been very demanding lately. So, I try it later on!

I will copy again @SteveL-MSFT and @joeyaiello to see what they think about the issue you're experiencing.

[SteveL-MSFT]

@yugaa22 so did following the blog post work?

[yugaa22]

@yugaa22 so did following the blog post work?

yes

[spitfire]

Still doesn't work for me on macOS 10.14.6 (18G95), PowerShell 6.2.0

[yugaa22]

I tried in Ubuntu

…

On Sun 1 Sep, 2019, 6:50 PM Mieszko Ślusarczyk, ***@***.***> wrote: Still doesn't work for me on macOS 10.14.6 (18G95), PowerShell 6.2.0 — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#3708?email_source=notifications&email_token=AMF6IQTTYXRGO3RRNTYNMHDQHO6TVA5CNFSM4DKJI2GKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD5UCIFI#issuecomment-526918677>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AMF6IQUH7BORVSJADN2MOP3QHO6TVANCNFSM4DKJI2GA> .

[he852100]

I'm confused. No one is responsible for the problem. No one official has to solve the problem. I didn't find any effective way to set it up. I'm upset

The software was installed according to the above method. But I don't know what to do next. Now it doesn't work

I think the official team can just get rid of the ssh. Direct takeover of krb5, gsntlmsp open source project. Full implementation of powershell cross-platform communication. There's no need for ssh at all

[spitfire]

I also believe this should be re-opened. Installing ssh server on every server may not be an option for everyone (security, attack surface, etc.). If it is supposed to work, bundle necessary libraries/ create a working formula in homebrew, or do whatever it takes to really work out of box. Our stop bragging we have powershell on macOS/Linux if it's not functional.

[vinyar]

So is the official solution to install SSH on windows? Can we all agree this is a joke?

[he852100]

Regardless of the connection protocol used. The user's requirements are simple, universal, reliable and effective. It does not require any network connectivity tools to be installed.

In the operating system you produce. Even the latest version of the operating system. Sshd is not pre-installed.

Just imagine. Install a winserver2019, how to connect it with ssh？
2016?2012?

Pwershellcore has long since completely abandoned windows

[vinyar]

@SteveL-MSFT - can this issue be reopened? It's been nearly 3 years, and its not solved.

Installing SSH on production unnecessarily increases the attack surface, and is absolutely not acceptable.