I have a C# process that, as part of its role, reads performance counters from a set of Windows Server 2008R2 machines. All the machines are in a corporate AD domain and on the same network. This program works fine if I log onto a server machine and run the C# process from within my login session. I’m now trying to automate some experiments using this C# process with PowerShell. The goal is to launch it from my desktop remotely on one of the servers. All the machines are in the same domain (desktop and servers).
All the machines have been set up with:
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned
Configure-SMRemoting.ps1 -force -enable
The PowerShell script is creating a PSSession to connect to the machine that runs the C# process and uses Invoke-Command to start it. However, the C# application on the remote host can no longer access the performance counters on the set of machines that it monitors: “Access is denied”.
Suspecting that this is a multi-hop authentication issue, I followed these instructions http://www.ravichaganti.com/blog/?p=1230 to enable multi-hop authentication. Attempting to use CredSSP:
$cred = Get-Credential -Credential "Company\user"
$session = new-pssession -ComputerName $loadHost -Credential $cred -Authentication CredSSP -ErrorAction Stop
Yields:
Connecting to remote server failed with the following error message :
The WinRM client cannot process the request. CredSSP authentication is
currently disabled in the client configuration. Change the client
configuration and try the request again. CredSSP authentication must
also be enabled in the server configuration. Also, Group Policy must
be edited to allow credential delegation to the target computer. Use
gpedit.msc and look at the following policy: Computer Configuration ->
Administrative Templates -> System -> Credentials Delegation -> Allow
Delegating Fresh Credentials. Verify that it is enabled and
configured with an SPN appropriate for the target computer. For
example, for a target computer name “myserver.domain.com”, the SPN can
be one of the following: WSMAN/myserver.domain.com or
WSMAN/*.domain.com For more information, see the
about_Remote_Troubleshooting Help topic.
Using gpedit.msc, it’s plain that Allow Delegating Fresh Credentials is set up with the corresponding SPN entry for the domain. The firewall on all machines is configured to enable WinRM HTTP-In. I’ve read the about_Remote_Troubleshooting documentation to no avail.
Any ideas on whether the multi-hop authentication is indeed the right approach, or anything else that could be breaking this?
I wrote that blog post. And, yes, from the description of the problem, it looks like a CredSSP authentication issue. First, you need correct privileges to monitor the performance counters. When using remoting, the second receives the request as SYSTEM if the credentials are delegated and hence the Invoke-Command on the remote system yields access denied.
First question is: Why didn’t you use Enable-PSremoting on the remote systems?
Second question is: Did you configure the local system where the C# application is running as a CredSSP client?
This needs to be done only on the computer you are using as the client. On the system where you are using Invoke-Command, you must set the CredSSP Server.
Can you confirm this?
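The two CredSSP roles named in the error message and in the answer above, as an added example that is not part of the original thread. It assumes the desktop that opens the session takes the client role and the host in $loadHost takes the server role; the host name and the program path are placeholders.

```powershell
# Added example, not from the original posts. Run from an elevated prompt on the desktop.
$loadHost = 'loadhost01.company.example'   # placeholder: first hop, where the C# process runs
$cred     = Get-Credential -Credential 'Company\user'

# 1. Server role on the first hop, so it accepts delegated credentials.
#    Assumption: the default (Kerberos) remoting session to $loadHost already works;
#    otherwise run the Enable-WSManCredSSP line locally on that host.
Invoke-Command -ComputerName $loadHost -ScriptBlock {
    Enable-WSManCredSSP -Role Server -Force | Out-Null
    Get-Item WSMan:\localhost\Service\Auth\CredSSP     # Value should read true
}

# 2. Client role on this desktop. Name the single target host rather than a
#    wildcard so credentials are delegated to that machine only. The name must
#    match what is later passed to -ComputerName.
Enable-WSManCredSSP -Role Client -DelegateComputer $loadHost -Force | Out-Null
Get-WSManCredSSP                                       # summary of this machine's CredSSP settings
Get-Item WSMan:\localhost\Client\Auth\CredSSP          # Value should read true

# 3. Open the CredSSP session and start the process on the first hop.
$session = New-PSSession -ComputerName $loadHost -Credential $cred `
                         -Authentication CredSSP -ErrorAction Stop
try {
    Invoke-Command -Session $session -ScriptBlock {
        whoami                                         # account the monitored machines will see
        & 'C:\Path\To\PerfCollector.exe'               # placeholder for the C# process
    }
}
finally {
    Remove-PSSession $session
    # 4. Turn delegation off again once the experiment has finished.
    Disable-WSManCredSSP -Role Client
    Invoke-Command -ComputerName $loadHost -ScriptBlock {
        Disable-WSManCredSSP -Role Server
    }
}
```

If step 3 still returns the "currently disabled in the client configuration" error, the Client\Auth\CredSSP value from step 2 shows whether the client role was actually applied on the machine that opens the session.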