

Enable PowerShell Remoting with Client Outside of Server's Domain (Trusted Host and Double Hop Issue)

To enable PowerShell remoting to servers that are not in the same domain as the client machine, perform the following steps:

Note: Do not allow unencrypted communication for internet use.

On the client PC elevated with admin credentials type:

PS> Set-Item WSMan:\localhost\Client\TrustedHosts -Value "*"

On the server PC type:

PS c:\users\root> Enable-PSRemoting 

Then, using regedit, set the registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Service\allow_unencrypted to 0x00000001

 

To connect from the client type:

PS WSMan:\localhost\Client> New-PSSession -Name Server01 -ComputerName boqsource -Credential boq\spsetup -Port 5985

PS WSMan:\localhost\Client> Enter-PSSession Server01

 

You should be on a command line on your server!

 

To add SharePoint commands to your shell type:

[server]: PS C:\> Add-PSSnapin Microsoft.SharePoint.PowerShell

Now you can execute any SP cmdlets!

But wait, you get access denied to the farm :O. This is due to the known double-hop credential issue: my server credentials are different to my client credentials, and my PowerShell session is using my client credentials. The solution is to configure CredSSP authentication.

 

Here are the steps to enable CredSSP on the server:

1. Login to your server.

2. In PowerShell type: PS C:\> Enable-WSManCredSSP -Role Server

 

Here are the steps to enable CredSSP on the client:

1. Enable CredSSP through PowerShell by typing: PS C:\> Enable-WSManCredSSP -Role Client -DelegateComputer <FQDN of the server>

2. Run "gpedit.msc" and drill down to: Local Computer Policy > Computer Configuration > Administrative Templates > Credentials Delegation > Allow Delegating Fresh Credentials with NTLM-only.

3. Enable "Allow Delegating Fresh Credentials with NTLM-only" and click "Show" next to "Add servers to list:". Add "WSMAN/*" to allow delegation to all servers, or name a specific server instead if you wish.

4. Apply the new policy, then click Start -> Run and type "gpupdate".

 

Logging in using CredSSP:

PS C:\> Enter-PSSession server -Authentication CredSSP -Credential (Get-Credential)

[server]: PS C:\> Add-PSSnapin Microsoft.SharePoint.PowerShell

Alternatively, put this into a .ps1 script file:

# Open the session with CredSSP so the credentials can be delegated on the second hop
$session = New-PSSession -Name server -ComputerName server -Authentication CredSSP -Credential (Get-Credential)
# Load the SharePoint snap-in inside the remote session
Invoke-Command -Session $session -ScriptBlock { Add-PSSnapin Microsoft.SharePoint.PowerShell }
# Drop into the interactive prompt with the snap-in already loaded
Enter-PSSession $session

Now you have full access to the server and Sharepoint cmdlets!! Phew.
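As an added example (not from the original post), the script below runs the client-side checks for the setup above before opening the CredSSP session: it verifies TrustedHosts, the delegation policy that Enable-WSManCredSSP -Role Client writes, and WinRM reachability, then loads the SharePoint snap-in and reads the farm name, which only succeeds once the second hop works. The server name and port are placeholders.

```powershell
# Added example, not part of the original post. $Server and $Port are placeholders.
param(
    [string]$Server = "server01.corp.example",   # FQDN of the SharePoint server (placeholder)
    [int]$Port      = 5985
)

function Test-RemotingPrereqs {
    param([string]$Server, [int]$Port)

    # 1. TrustedHosts: the post uses "*"; listing only the server you need is narrower.
    $trusted = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
    if ($trusted -ne "*" -and (($trusted -split ",") -notcontains $Server)) {
        Write-Warning "TrustedHosts ('$trusted') does not include $Server"
        Write-Warning "Fix: Set-Item WSMan:\localhost\Client\TrustedHosts -Value '$Server' -Concatenate"
    }

    # 2. CredSSP client role: this policy value is what Enable-WSManCredSSP -Role Client
    #    and the "Allow Delegating Fresh Credentials with NTLM-only" GPO both set.
    $key  = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation"
    $flag = (Get-ItemProperty -Path $key -Name AllowFreshCredentialsWhenNTLMOnly `
                -ErrorAction SilentlyContinue).AllowFreshCredentialsWhenNTLMOnly
    if ($flag -ne 1) {
        Write-Warning "Fresh-credential delegation (NTLM-only) is not enabled on this client"
    }

    # 3. WinRM listener reachable on the chosen port (unauthenticated Identify request).
    Test-WSMan -ComputerName $Server -Port $Port -ErrorAction Stop | Out-Null
}

function Connect-SPFarmSession {
    param([string]$Server, [int]$Port, [pscredential]$Credential)

    $session = New-PSSession -ComputerName $Server -Port $Port `
        -Authentication CredSSP -Credential $Credential -ErrorAction Stop

    # Loading the snap-in and reading the farm exercises the second hop (server to
    # the farm's configuration database); without CredSSP this is where access is denied.
    $farm = Invoke-Command -Session $session -ScriptBlock {
        Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop
        (Get-SPFarm).Name
    }
    Write-Host "Connected to farm '$farm' on $Server"
    return $session
}

Test-RemotingPrereqs -Server $Server -Port $Port
$session = Connect-SPFarmSession -Server $Server -Port $Port -Credential (Get-Credential)
Enter-PSSession $session
```

If any warning is printed, fix that item on the client before retrying; the Test-WSMan call will throw if the server's WinRM listener is not reachable on the port.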