Shell – PowerShell Remoting using CredSSP is broken

authentication powershell

I recently had PowerShell working perfectly with CredSSP, but now every time I try to establish a remoting session using CredSSP, I'm getting the following error:

Enter-PSSession : Connecting to remote server server01.contoso.com failed with the following error message : The WinRM
client received an HTTP server error status (500), but the remote service did not include any other information about
the cause of the failure. For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ Enter-PSSession -ComputerName server01.contoso.com -Credential $cred -Authentication C …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (server01.contoso.com:String) [Enter-PSSession], PSRemotingTransportException
+ FullyQualifiedErrorId : CreateRemoteRunspaceFailed

I've tried resetting the winrm service using winrm invoke restore winrm/config.

I've tried disabling PowerShell remoting, disabling CredSSP (client and server), re-enabling PowerShell remoting, re-enabling CredSSP, disabling any GPOs related to configuring WinRM and credential delegation, and nothing has worked. Is there any way to dig into this further to figure out what's going on?

This is affecting all Windows Server 2012 systems in my lab environment, which are obviously running PowerShell v3.

On the client side, I'm seeing this in the Windows Remote Management event log: WSMan operation CreateShell failed, error code 2150859120

Configure Server

  • Disable-PSRemoting -Force;
  • Disable-WsmanCredssp -Role Client;
  • Disable-WsmanCredssp -Role Server;
  • Enable-PSRemoting -Force;
  • Set-WSmanQuickConfig -UseSSL -Force;
  • Enable-WsmanCredSSP -Role Server -Force;

Configure Client

  • Disable-PSRemoting -Force;
  • Disable-WsmanCredssp -Role Client;
  • Disable-WsmanCredssp -Role Server;
  • Enable-PSRemoting -Force;
  • Set-WSmanQuickConfig -UseSSL -Force;
  • Enable-WsmanCredssp -Role Client -DelegateComputer *.contoso.com -Force;

After configuring the client and server, run:

$cred = Get-Credential;
Enter-PSSession -ComputerName server.contoso.com -Credential $cred -Authentication CredSSP;

That reproduces the error consistently.

Best Answer

I think I may have found the issue.

I'd originally been running into problems with the HTTPS listener. I wanted to use an explicit IP but this is only available when using SSL. Setting up the SSL listener with the following:

Set-WSManQuickConfig -UseSSL -Force

or

winrm quickconfig -transport:https -Force

would configure the listener on the server but would still fail when connecting from the client with the -UseSSL parameter.

I gave up on the IPs and returned to using machine names. I left the attempts to set HTTPS in the script but ran into the issues you were having with the 500 responses when using CredSSP for authentication.

Finally, I decided to try one thing at a time. As soon as I removed the HTTPS settings, things worked!

My full script looks like this:

# Disable/revoke winrm/remoting
Start-Service winrm
winrm invoke restore winrm/config

Disable-PSRemoting -Force
Disable-WSManCredSSP -Role Client
Disable-WSManCredSSP -Role Server
Stop-Service winrm

# Enable remoting
Enable-PSRemoting -Force
Enable-WSManCredSSP -Role Server -Force
Enable-WSManCredSSP -Role Client -DelegateComputer "*.mydomain.com" -Force
winrm enumerate winrm/config/listener

Set-Item WSMan:\localhost\Client\TrustedHosts "*.mydomain.com" -Force

It's certainly not ideal, but I hope it helps.
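
To dig further into the 500 / CreateShell failure discussed above, the following PowerShell script is an added example, not part of the original question or answer. It collects the CredSSP state, the listeners with their bound certificates, and recent WinRM operational events, then attempts a CredSSP session over HTTP and over HTTPS; `$Server` defaults to the host name used in the question and is the only value to adjust.

```powershell
# Added diagnostic example. Run elevated; sections 1-3 apply to client and server.
# $Server is a placeholder default taken from the question's error message.
param([string]$Server = 'server01.contoso.com')

# 1. CredSSP state as WinRM sees it (delegation targets, server role, trusted hosts).
Get-WSManCredSSP
[pscustomobject]@{
    ClientAuthCredSSP  = (Get-Item WSMan:\localhost\Client\Auth\CredSSP).Value
    ServiceAuthCredSSP = (Get-Item WSMan:\localhost\Service\Auth\CredSSP).Value
    TrustedHosts       = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
} | Format-List

# 2. Listeners. The answer traced the failure to the HTTPS listener, so show every
#    listener and, for HTTPS, whether its certificate exists in LocalMachine\My.
Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate | ForEach-Object {
    $cert = $null
    if ($_.Transport -eq 'HTTPS' -and $_.CertificateThumbprint) {
        $thumb = $_.CertificateThumbprint -replace '\s', ''
        $cert  = Get-Item "Cert:\LocalMachine\My\$thumb" -ErrorAction SilentlyContinue
    }
    [pscustomobject]@{
        Transport   = $_.Transport
        Address     = $_.Address
        Port        = $_.Port
        Enabled     = $_.Enabled
        CertSubject = if ($cert) { $cert.Subject }  else { $null }
        CertExpires = if ($cert) { $cert.NotAfter } else { $null }
    }
} | Format-Table -AutoSize

# 3. Recent WinRM errors and warnings. Entries such as the question's
#    "CreateShell failed, error code 2150859120" appear in this log.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-WinRM/Operational'; Level = 2, 3
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-List

# 4. Client only: open a real shell with CredSSP over HTTP, then HTTPS,
#    to see which transport produces the failure.
$cred = Get-Credential
$common = @{ ComputerName = $Server; Credential = $cred
             Authentication = 'Credssp'; ErrorAction = 'Stop' }
foreach ($ssl in $false, $true) {
    try {
        $null = Invoke-Command @common -UseSSL:$ssl -ScriptBlock { $env:COMPUTERNAME }
        "UseSSL=${ssl}: OK"
    } catch {
        "UseSSL=${ssl}: $($_.Exception.Message)"
    }
}
```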
