Try using the Invoke-Command parameter -Authentication Credssp. This is a typical solution for double-hop credential problems.
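What the CredSSP approach suggested above involves end to end, as an added example that is not part of the original answer. The host names are placeholders, the hosts are assumed to be addressed by name rather than IP, and $cred is assumed to be the PSCredential for [USER1] built as in the question.

```powershell
# Added example. Placeholder names (assumptions, not from the page):
$B = 'hostB.example.test'   # box B, the intermediate hop
$C = 'hostC.example.test'   # box C, the final target
# $cred: PSCredential for [USER1], created as shown in the question.

# 1. On A, in an elevated session: permit delegation to B only.
#    Naming a single host keeps the credential from being sent to any other machine.
Enable-WSManCredSSP -Role Client -DelegateComputer $B -Force | Out-Null

# 2. On B: accept delegated credentials. This uses the default authentication,
#    i.e. the A > B hop that already works in the question.
Invoke-Command -ComputerName $B -Credential $cred -ScriptBlock {
    Enable-WSManCredSSP -Role Server -Force | Out-Null
}

# Confirm the resulting client-side delegation settings before relying on them.
Get-WSManCredSSP

try {
    # 3. First hop with CredSSP. -Credential is mandatory with this mechanism.
    #    B receives the credential and can authenticate onward to C.
    Invoke-Command -ComputerName $B -Credential $cred -Authentication Credssp -ScriptBlock {
        # Second hop runs as the delegated identity. This assumes [USER1] is
        # allowed on C; otherwise keep the question's explicit -Credential $c here.
        Invoke-Command -ComputerName $using:C -ScriptBlock { dir c:\ }
    }
}
finally {
    # 4. Roll back. While CredSSP is enabled, B handles the full credential,
    #    so leave delegation on only for as long as it is needed.
    Invoke-Command -ComputerName $B -Credential $cred -ScriptBlock {
        Disable-WSManCredSSP -Role Server
    }
    Disable-WSManCredSSP -Role Client
}
```

Because CredSSP hands the credential itself to B, anyone with administrative control of B can capture it; restricting -DelegateComputer to one host and disabling the roles afterwards limits that exposure.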
Nested Invoke-Command results in PSSessionStateBroken, PSRemotingTransportException
30-07-2022
Question
I have three boxes: A, B, C.
I'm trying to invoke a command on C from A without prompting for credentials.
I can invoke a command successfully
a) on B from A
b) on C from B
but cannot invoke
c) on C from A with nested Invoke-Command
I think I can make a workaround by calling A and C from B.
But it's still bothering me why it doesn't work this way. All three boxes seem to be configured properly.
I can't even figure out if it's an authentication or network issue.
Any help please?
The error is:
Connecting to remote server failed with the following error message:
WinRM cannot process the request. The following error occured while using
Negotiate authentication: A specified logon session does not exist.
It may already have been terminated.
(...)
+ CategoryInfo : OpenError: (:) [], PSRemotingTransportException
+ FullyQualifiedErrorId : PSSessionStateBroken
+ PSComputerName : [IP]
Details:
Preparing stored password:
$key = ([KEY])
Read-Host -AsSecureString| ConvertFrom-SecureString -Key $key| Out-File [PATH]
Invocation A > B
$key = ([KEY])
$pw = Get-Content "[PATH1]"| ConvertTo-SecureString -Key $key
$cred = New-Object System.Management.Automation.PSCredential("[USER1]", $pw)
Invoke-Command -ComputerName [B] -Credential $cred { dir c:\ }
This gets me proper result (directory listing).
Invocation B > C (the same, except for path, user, etc.)
$k = ([KEY])
$p = Get-Content "[PATH2]"| ConvertTo-SecureString -Key $k
$c = New-Object System.Management.Automation.PSCredential("[USER2]", $p)
Invoke-Command -ComputerName [C] -Credential $c { dir c:\ }
This gets me proper result (directory listing).
Now, combined invocation A > C:
$key = ([KEY])
$pw = Get-Content "[PATH1]"| ConvertTo-SecureString -Key $key
$cred = New-Object System.Management.Automation.PSCredential("[USER1]", $pw)
Invoke-Command -ComputerName [B] -Credential $cred {
    $k = ([KEY])
    $p = Get-Content "[PATH2]" | ConvertTo-SecureString -Key $k
    $c = New-Object System.Management.Automation.PSCredential("[USER2]", $p)
    Invoke-Command -ComputerName [C] -Credential $c { dir c:\ }
}
yields the aforementioned error.
No correct solution