我试图让Power
Shell远程处理与服务器一起使用它的CNAME而不是计算机名.本地和远程计算机都位于同一网络和域中.
我启用了PowerShell远程处理,它可以正常使用计算机名称.我已将TrustedHosts设置为CNAME,并为CNAME添加了SPN,但是当我发出Enter-PSSession CNAME时,我得到以下内容:
Enter-PSSession : Connecting to Remote Server CNAME Failed with the following error message : WinRM cannot process the request. The following error occurred while using Kerberos authentication: Cannot find the computer CNAME. Verify that the computer exists on the network and that the name provided is spelled correctly. For more information,see the about_Remote_Troubleshooting Help topic.
执行setspn -l COmpuTERNAME给了我这个:
Registered ServicePrincipalNames for CN=COmpuTERNAME,OU=SERVERS,DC=COMPANY,DC=private: WSMAN/CNAME WSMAN/COmpuTERNAME WSMAN/COmpuTERNAME.local TERMSRV/COmpuTERNAME TERMSRV/COmpuTERNAME.local HOST/COmpuTERNAME HOST/COmpuTERNAME.local
通过CNAME启用访问还需要什么?
我为解决这个问题所做的是为Enter-PSSession创建一个代理函数,为我解析CNAME.这可能不适用于您的情况,具体取决于您需要使用CNAME的原因,但这对我有用.
有关代理PowerShell功能的详细信息:http://www.windowsitpro.com/blog/powershell-with-a-purpose-blog-36/windows-powershell/powershell-proxy-functions-141413
全功能:
function Enter-PSSession {
[CmdletBinding(DefaultParameterSetName='ComputerName')]
param(
[Parameter(ParameterSetName='ComputerName',Mandatory=$true,Position=0,ValueFromPipeline=$true,ValueFromPipelineByPropertyName=$true)]
[Alias('Cn')]
[ValidateNotNullOrEmpty()]
[string]
${ComputerName},[Parameter(ParameterSetName='Session',ValueFromPipelineByPropertyName=$true)]
[ValidateNotNullOrEmpty()]
[System.Management.Automation.Runspaces.PSSession]
${Session},[Parameter(ParameterSetName='Uri',Position=1,ValueFromPipelineByPropertyName=$true)]
[Alias('URI','CU')]
[ValidateNotNullOrEmpty()]
[uri]
${ConnectionUri},[Parameter(ParameterSetName='InstanceId',ValueFromPipelineByPropertyName=$true)]
[ValidateNotNull()]
[guid]
${InstanceId},[Parameter(ParameterSetName='Id',ValueFromPipelineByPropertyName=$true)]
[ValidateNotNull()]
[int]
${Id},[Parameter(ParameterSetName='Name',ValueFromPipelineByPropertyName=$true)]
[string]
${Name},[Parameter(ParameterSetName='Uri')]
[Parameter(ParameterSetName='ComputerName')]
[switch]
${EnableNetworkAccess},[Parameter(ParameterSetName='ComputerName',ValueFromPipelineByPropertyName=$true)]
[Parameter(ParameterSetName='Uri',ValueFromPipelineByPropertyName=$true)]
[system.management.automation.pscredential]
${Credential},[Parameter(ParameterSetName='ComputerName')]
[Validaterange(1,65535)]
[int]
${Port},[Parameter(ParameterSetName='ComputerName')]
[switch]
${UseSSL},ValueFromPipelineByPropertyName=$true)]
[string]
${ConfigurationName},ValueFromPipelineByPropertyName=$true)]
[string]
${ApplicationName},[Parameter(ParameterSetName='Uri')]
[switch]
${AllowRedirection},[Parameter(ParameterSetName='Uri')]
[Parameter(ParameterSetName='ComputerName')]
[ValidateNotNull()]
[System.Management.Automation.Remoting.PSSessionoption]
${Sessionoption},[Parameter(ParameterSetName='Uri')]
[Parameter(ParameterSetName='ComputerName')]
[System.Management.Automation.Runspaces.AuthenticationMechanism]
${Authentication},[Parameter(ParameterSetName='Uri')]
[Parameter(ParameterSetName='ComputerName')]
[string]
${CertificateThumbprint})
begin
{
try {
$outBuffer = $null
if ($PSBoundParameters.TryGetValue('OutBuffer',[ref]$outBuffer))
{
$PSBoundParameters['OutBuffer'] = 1
}
$PSBoundParameters['ComputerName'] = ([System.Net.Dns]::GetHostByName($PSBoundParameters['ComputerName'])).HostName
$wrappedCmd = $ExecutionContext.InvokeCommand.GetCommand('Microsoft.PowerShell.Core\Enter-PSSession',[System.Management.Automation.CommandTypes]::Cmdlet)
$scriptCmd = {& $wrappedCmd @PSBoundParameters }
$steppablePipeline = $scriptCmd.GetSteppablePipeline($myInvocation.CommandOrigin)
$steppablePipeline.Begin($PSCmdlet)
} catch {
throw
}
}
process
{
try {
$steppablePipeline.Process($_)
} catch {
throw
}
}
end
{
try {
$steppablePipeline.End()
} catch {
throw
}
}
<#
.ForwardHelpTargetName Enter-PSSession
.ForwardHelpCategory Cmdlet
#>
}
我添加的唯一一行是:
$PSBoundParameters['ComputerName'] = ([System.Net.Dns]::GetHostByName($PSBoundParameters['ComputerName'])).HostName
这只是在调用本机Enter-PSSession之前将CNAME解析为代理函数中的FQDN.
这允许我通过组策略在我的TrustedHosts中设置* .mydomain.local,我仍然可以使用“Enter-PSSession ShortName”或“Enter-PSSession CNAME”而不必混淆其他SPN等.
