What security setting is preventing Remote PowerShell 2.0 from accessing UNC paths
G

2

16

This is just crazy, I am starting on PowerShell. And of course I need to do Admin work remotely.

A simple

dir \\server\share\folder

Just refuses to work, I get this error

Get-ChildItem : Cannot find path '\\server\share\folder' because it does not exist.
    + CategoryInfo          : ObjectNotFound: (\\server\share\folder:String) [Get-ChildItem], ItemNotFoundException
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetChildItemCommand

To me it is pretty obvious it is an access rights issue. And we do have a domain here at the company. I am logged in to the server, with the exact same user account, on VNC and I can see the UNC path. But whenever I try to just copy a file from my desktop with the remote connection, it just won't work!!!!

I can do many other things so I am positive I am connected.

Grodno answered 2/12, 2011 at 20:13 Comment(3)
in a dos shell command 'dir \\server\share\folder' gives no error?? - Kajdan
That is correct. Maybe I should write "dir \\MyServer\MyShare\MyFolder". I did find out I need to set up CredSSP, I did and I still get a timeout followed by Enable-WSManCredSSP : This command cannot be executed because the setting cannot be enabled. This can happen if no network connection is present. - Grodno
By now, I used gpedit.msc to allow for fresh credentials on BOTH computers. I set the fresh credentials policy and I use the enable-wsmancredssp -role client -delegatecomputer computer1.domain.com and enable-wsmancredssp -role server commands. For status I execute 'Get-WSManCredSSP' and I get The machine is configured to allow delegating fresh credentials to the following target(s): wsman/computer1.domain.com,wsman/*.domain.com. This computer is configured to receive credentials from a remote client computer. I can't find anything else to do and it is still not working! - Grodno
S
17

To get this to work, you must configure both your local and remote computers.

On the remote server, run the following command:

 Enable-WSManCredSSP -Role server

You'll know things are configured correctly if you run the Get-WSManCredSSP cmdlet and get the following output:

The machine is not configured to allow delegating fresh credentials. This computer is configured to receive credentials from a remote client computer.

On your local computer, from an Administrative PowerShell prompt, you need to allow credential delegation in PowerShell. Run the following command:

 Enable-WSManCredSSP -Role Client -DelegateComputer <REMOTE_COMPUTER_NAME>

You can enable all servers by using * for REMOTE_COMPUTER_NAME.

You'll know this is configured correctly when you run Get-WSManCredSSP and get the following output:

The machine is configured to allow delegating fresh credentials to the following target(s): wsman/REMOTE_SERVER_NAME
This computer is not configured to receive credentials from a remote client computer.

On your local machine, update Group Policy to allow your credentials to be delegated to the remote server.

  1. Open gpedit.msc and browse to Computer Configuration > Administrative Templates > System > Credentials Delegation.
  2. Double-click "Allow delegating fresh credentials with NTLM-only Server Authentication".
  3. Enable the setting and add the build server to the server list as WSMAN/BuildServerName. (You can enable all servers by entering WSMAN/*.)

Then, when you need to run your command on the remote server, you can't use any of the *-PSSession commands because CredSSP can't use cached credentials. You have to start the session using Invoke-Command, and use CredSSP as the value to the Authentication parameter, like so:

Invoke-Command -ScriptBlock {
                   # remote commands here (the comment sits on its own line so it does not swallow the closing brace)
               } `
               -ComputerName <REMOTE_COMPUTER_NAME> `
               -Authentication CredSSP `
               -Credential <USERNAME>
Strohl answered 8/12, 2011 at 19:40 Comment(3)
Great answer and lots of good info thanks! Unfortunately, I still have a problem. I've made the changes in the group policy but when I run the following in an elevated PS window: "Enable-WSManCredSSP -role Client -DelegateComputer d-vasbiz01 -force" I get the following error: "Enable-WSManCredSSP : This command cannot be executed because the setting cannot be enabled" any ideas? - Scotia
I found it! Problem was within the group policy editor I needed to prefix the name of the server I'm delegating to with "wsman/". This is as stated by the answer, but I missed it! Many thanks for the answer. - Scotia
I did not have to do the "group policy" steps just the enable "client" and enable "server" roles on the correct computers. - Impostor
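The procedure in the answer above, run end to end with delegation scoped to a single host instead of `*`, since CredSSP hands the remote server credentials it can reuse on the second hop. This is an added example, not code from the original answer; `fileserver01.example.com` is a hypothetical host name, and it assumes `Enable-WSManCredSSP -Role Server` has already been run on that host and that the prompt is elevated.

```powershell
# Added example; $Server is a hypothetical placeholder, $Share is the path from the question.
$Server = 'fileserver01.example.com'   # remote host that makes the second hop
$Share  = '\\server\share\folder'      # UNC path the remote session must reach

# List every delegation target configured by policy and flag wildcard entries.
# Written for PowerShell 2.0 (no [pscustomobject]).
function Get-CredSspDelegationTarget {
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
    foreach ($list in 'AllowFreshCredentials', 'AllowFreshCredentialsWhenNTLMOnly') {
        $key = Join-Path $base $list
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            $target = [string]$item.GetValue($name)
            New-Object PSObject -Property @{
                Policy   = $list
                Target   = $target
                Wildcard = $target.Contains('*')   # e.g. wsman/* or wsman/*.domain.com
            }
        }
    }
}

$cred = Get-Credential   # CredSSP needs explicit credentials; cached ones are not delegated
try {
    # Allow delegation to this one server only.
    Enable-WSManCredSSP -Role Client -DelegateComputer $Server -Force | Out-Null

    # Show what is now delegable, including anything left over from earlier attempts.
    Get-CredSspDelegationTarget | Format-Table Policy, Target, Wildcard -AutoSize | Out-Host

    # Second hop: the remote session uses the delegated credentials to read the share.
    Invoke-Command -ComputerName $Server -Authentication CredSSP -Credential $cred `
        -ScriptBlock { param($path) Get-ChildItem -Path $path } -ArgumentList $Share
}
finally {
    # Remove the client-side delegation once the work is done.
    # (On the server, Disable-WSManCredSSP -Role Server reverses the server role.)
    Disable-WSManCredSSP -Role Client
}
```

Rows with `Wildcard = True` are the entries to review, such as the `wsman/*.domain.com` target shown in the question's comments.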
B
0

PowerShell also uses Internet Explorer security settings on running remote scripts.

I have found that, for whatever machine you are trying to have run a remote script, if I add the UNC path of the remote machine to my trusted intranet sites, I can run scripts then (assuming my execution policy in posh is set to remotesigned...."set-executionpolicy remotesigned").

I do a ton of administration for multiple servers with and without SQL, and I've never done anything with Enable-WSManCredSSP.

Bryson answered 16/1, 2012 at 17:7 Comment(0)
