Question

I have a C# process that as part of its role reads performance counters from a set of Windows Server 2008 R2 machines. All the machines are in a corporate AD domain and on the same network. This program works fine if I log onto a server machine and run the C# process from within my login session. I'm now trying to automate some experiments using this C# process with PowerShell. The goal is to launch it from my desktop remotely on one of the servers. All the machines are in the same domain (desktop and servers).

All the machines have been set up with:

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned
Configure-SMRemoting.ps1 -force -enable

The PowerShell script is creating a PSSession to connect to the machine that runs the C# process and uses Invoke-Command to start it. However, the C# application on the remote host can no longer access the performance counters on the set of machines that it monitors: "Access is denied".

Suspecting that this is a multi-hop authentication issue, I followed these instructions http://www.ravichaganti.com/blog/?p=1230 to enable multi-hop authentication. Attempting to use CredSSP:

$cred = Get-Credential -Credential "Company\user"
$session = new-pssession -ComputerName $loadHost -Credential $cred -Authentication CredSSP -ErrorAction Stop

Yields:

Connecting to remote server failed with the following error message : The WinRM client cannot process the request. CredSSP authentication is currently disabled in the client configuration. Change the client configuration and try the request again. CredSSP authentication must also be enabled in the server configuration. Also, Group Policy must be edited to allow credential delegation to the target computer. Use gpedit.msc and look at the following policy: Computer Configuration -> Administrative Templates -> System -> Credentials Delegation -> Allow Delegating Fresh Credentials. Verify that it is enabled and configured with an SPN appropriate for the target computer. For example, for a target computer name "myserver.domain.com", the SPN can be one of the following: WSMAN/myserver.domain.com or WSMAN/*.domain.com For more information, see the about_Remote_Troubleshooting Help topic.

Using gpedit.msc, it's plain that Allow Delegating Fresh Credentials is set up with the corresponding SPN entry for the domain. The firewall on all machines is configured to enable WinRM HTTP-In. I've read the about_Remote_Troubleshooting documentation to no avail.

Any ideas on whether the multi-hop authentication is indeed the right approach, or anything else that could be breaking this?


Solution

I wrote that blog post. And, yes, from the description of the problem, it looks like a CredSSP authentication issue. First, you need the correct privileges to monitor the performance counters. When using remoting, the second hop receives the request as SYSTEM if the credentials are delegated, and hence the Invoke-Command on the remote system yields access denied.

First question is: Why didn't you use Enable-PSRemoting on the remote systems? Second question is: Did you configure the local system where the C# application is running as a CredSSP client?

Enable-WSManCredSSP -Role Client -DelegateComputer "*.SP2010lab.com"

This needs to be done only on the computer you are using as the client. On the system where you are using Invoke-Command, you must set up the CredSSP server.

Enable-WSManCredSSP -Role Server

Can you confirm this?
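The end-to-end setup the question and answer describe, as an added example that is not code from the original question, the answer or the linked blog post. The host names (loadgen01 running the C# reader, web01 as a monitored server), the domain corp.example.com, the account CORP\perfuser and the path C:\tools\PerfReader.exe are assumptions; substitute your own. It adds the checks and the clean-up a practitioner would want, since enabling CredSSP means handing the user's password to the first-hop server.

```powershell
# Added example; names below are assumed, not taken from the original post.
# hop 1: loadgen01 runs the C# counter reader; hop 2: web01 is a monitored server.

# --- On the desktop (CredSSP client) -------------------------------------
# Fresh-credential delegation sends the user's plaintext password to the target,
# so scope the SPN list to the host(s) that need it rather than '*' or '*.corp.example.com'.
Enable-WSManCredSSP -Role Client -DelegateComputer 'loadgen01.corp.example.com' -Force

# Verify: client auth must be true and the host must appear in the delegation list
# (this is what the "CredSSP authentication is currently disabled" error checks).
Get-WSManCredSSP
Get-Item WSMan:\localhost\Client\Auth\CredSSP

# --- On loadgen01 (CredSSP server) ---------------------------------------
Enable-PSRemoting -Force                        # WinRM listener, service and firewall rule
Enable-WSManCredSSP -Role Server -Force
Get-Item WSMan:\localhost\Service\Auth\CredSSP  # should report Value = true

# --- Back on the desktop: prove the second hop before launching the C# process
$cred   = Get-Credential -Credential 'CORP\perfuser'
$hop1   = 'loadgen01.corp.example.com'
$target = 'web01.corp.example.com'

$session = New-PSSession -ComputerName $hop1 -Credential $cred `
                         -Authentication Credssp -ErrorAction Stop

# With CredSSP the remote session holds real credentials and can reach a third
# machine; without it this read fails with "Access is denied".
# -ArgumentList (not $using:) keeps the script valid on PowerShell 2.0 / 2008 R2.
$sample = Invoke-Command -Session $session -ArgumentList $target -ScriptBlock {
    param($computer)
    Get-Counter -ComputerName $computer -Counter '\Processor(_Total)\% Processor Time'
}
$sample.CounterSamples | Format-Table Path, CookedValue -AutoSize

# Only now start the counter reader on hop 1 (assumed path); it runs under the delegated token.
Invoke-Command -Session $session -ScriptBlock { & 'C:\tools\PerfReader.exe' }

Remove-PSSession $session

# Undo delegation when the experiment is over: a standing CredSSP configuration
# is a credential-theft exposure on both the desktop and loadgen01.
Disable-WSManCredSSP -Role Client        # on the desktop
# Disable-WSManCredSSP -Role Server      # on loadgen01
```

If Get-WSManCredSSP still lists no delegation target after the client step, the "Allow Delegating Fresh Credentials" policy is overriding the local setting and its SPN list (WSMAN/loadgen01.corp.example.com or WSMAN/*.corp.example.com) needs to include the first-hop server.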

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow