0

我正在尝试在 SYSTEM1 上运行 PowerShell 脚本,该脚本在 SYSTEM2 上执行 robocopy,将文件复制到 SYSTEM3、4、5 等。

SYSTEM1 和 SYSTEM2 在同一个域中,但 SYSTEM2 不在防火墙后面(因此需要从 SYSTEM2 而不是 SYSTEM1 运行 robocopy)。

SYSTEM3、4、5 与 SYSTEM2 位于不同的域中,并且彼此位于不同的域中。

我这样设置脚本(它使用 net use 命令提示用户输入不同域的凭据):

Foreach($server in $servers) {
        $command = {
            param($cred, $server);
            $error.clear();

            # Stored credentials in local variables
            $user = $cred.GetNetworkCredential().username
            $pass = $cred.GetNetworkCredential().password

            #establish connection from SYSTEM2-> $server
            net use \\$server\c$\Deployments /delete
            net use \\$server\c$\Deployments /USER:$user $pass

            # Check to see if C:\Deployments exists on server, and if not create it.
            if ((Test-Path \\$server\c$\Deployments) -eq $FALSE) {
                $c = {
                    New-Item \\$server\c$\Deployments -type directory
                }

                $ws = Invoke-Command -ComputerName $server -Credential $cred -ScriptBlock $c
            }

            # Copy over the deployment packages
            $dest = "\\$server\Deployments\$DeploymentDate\$CurrentDirectoryName"
            robocopy $CurrentDirectoryPath $dest  /W:20 /R:15 /e /XF CopyPackage.ps1

            # Delete connection from SYSTEM2 -> $server
            net use \\$server\c$\Deployments /delete

但是,输入凭据后 net use 命令会返回错误:

The network connection could not be found.
    + CategoryInfo          : NotSpecified: (The network con...d not be found.:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
    + PSComputerName        : SYSTEM2

More help is available by typing NET HELPMSG 2250.
System error 55 has occurred.
    + CategoryInfo          : NotSpecified: (System error 55 has occurred.:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
    + PSComputerName        : SYSTEM2

The specified network resource or device is no longer available.
[SYSTEM3] Connecting to remote server failed with the following error message : WinRM cannot process the request. The
following error occured while using Kerberos authentication: There are currently no logon servers available to service
the logon request.
Possible causes are:
  -The user name or password specified are invalid.
  -Kerberos is used when no authentication method and no user name are specified.
  -Kerberos accepts domain user names, but not local user names.
  -The Service Principal Name (SPN) for the remote computer name and port does not exist.
  -The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
  -Check the Event Viewer for events related to authentication.
  -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or
use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
   -For more information about WinRM configuration, run the following command: winrm help config. For more
information, see the about_Remote_Troubleshooting Help topic.
    + CategoryInfo          : OpenError: (:) [], PSRemotingTransportException
    + FullyQualifiedErrorId : PSSessionStateBroken
    + PSComputerName        : SYSTEM2
The network connection could not be found.
    + CategoryInfo          : NotSpecified: (The network con...d not be found.:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
    + PSComputerName        : SYSTEM2

More help is available by typing NET HELPMSG 2250.

我读过这可能是一个“双跳”问题(详见此处),但我不确定如何编辑脚本以使用 CredSSP 而不是 Kerberos(或者这甚至是问题所在)。

有任何想法吗?

4

1 回答 1

0

如果有人在不使用 CredSSP 的情况下对 DoubleHop 的简单解决方案仍然存在问题,请发布此解决方案。

试试这个: https ://www.powershellgallery.com/packages/Invoke-PSSession

它调用 PSSession,然后使用您提供的凭据注册 PSSessionConfiguration。基本上为该 DoubleHop 提供凭据

然后将 Invoke-Command 与该新 PSSession 一起使用。它应该具有执行您需要的操作所需的权限。

于 2017-10-18T20:28:54.067 回答