2

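Has anyone gotten PowerShell remoting to work with CNAMEs or hosts files?

One way to test: create a PSSession against localhost to make sure that works... then have a hosts record pointing to 127.0.0.1 called something, and then try to create a PSSession against that.

I get this kind of error: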

[funkymonkey] Connecting to remote server failed with the following error message : WinRM cannot pr
ocess the request. The following error occured while using Kerberos authentication: The network pat
h was not found.
 Possible causes are:
  -The user name or password specified are invalid.
  -Kerberos is used when no authentication method and no user name are specified.
  -Kerberos accepts domain user names, but not local user names.
  -The Service Principal Name (SPN) for the remote computer name and port does not exist.
  -The client and remote computers are in different domains and there is no trust between the two d
omains.
 After checking for the above issues, try the following:
  -Check the Event Viewer for events related to authentication.
  -Change the authentication method; add the destination computer to the WinRM TrustedHosts configu
ration setting or use HTTPS transport.
 Note that computers in the TrustedHosts list might not be authenticated.
   -For more information about WinRM configuration, run the following command: winrm help config. F
or more information, see the about_Remote_Troubleshooting Help topic.
    + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [], PS
   RemotingTransportException
    + FullyQualifiedErrorId : PSSessionOpenFailed
4

1 Answer

1

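If NTLM isn't working, I think you're getting hit by the loopback check stuff added in winsrv 2003 sp1+. You can add the CNAMEs to a special registry key that will include them in the exception list (localhost is already included).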

ps> new-itemproperty hklm:\system\currentcontrolset\control\Lsa\MSV1_0 BackConnectionHostNames `
      -propertyType multistring -val "cname1","cname1.local"

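Some people just turn it (the loopback check) off altogether by setting a dword DisableLoopbackCheck (google it), but you really should control it more tightly with the former method instead of taking the lazy route.

IIRC, this security feature prevents a particular type of credential theft called a "reflection attack". I don't remember the methodology, but I'm sure you can find it online.

Answered 2011-03-10T16:30:29.747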
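
Added example (not part of the original answer): a PowerShell function that merges new aliases into BackConnectionHostNames instead of overwriting entries that are already there, and warns when DisableLoopbackCheck has been set to 1. The function name Add-BackConnectionHostName is hypothetical, and the host names are the placeholder values from the answer; run it from an elevated session.

```powershell
# Added example: function name is hypothetical; host names are placeholders.
function Add-BackConnectionHostName {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [string[]] $HostName
    )

    $lsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $msv1Key = Join-Path $lsaKey 'MSV1_0'
    $name    = 'BackConnectionHostNames'

    # Flag the blanket setting: with DisableLoopbackCheck = 1 the per-name
    # exception list is irrelevant because the check is off for every name.
    $lsa = Get-ItemProperty -Path $lsaKey -Name DisableLoopbackCheck -ErrorAction SilentlyContinue
    if ($lsa -and $lsa.DisableLoopbackCheck -eq 1) {
        Write-Warning 'DisableLoopbackCheck is 1; the loopback check is disabled globally.'
    }

    # Read the current exception list, if the value exists at all.
    $current = @()
    $prop = Get-ItemProperty -Path $msv1Key -Name $name -ErrorAction SilentlyContinue
    if ($prop) { $current = @($prop.$name) }

    # Merge, drop empty strings, de-duplicate (case-insensitive by default).
    $merged = [string[]]@($current + $HostName | Where-Object { $_ } | Sort-Object -Unique)

    if ($PSCmdlet.ShouldProcess($msv1Key, "Set $name to: $($merged -join ', ')")) {
        # -Force replaces an existing value; the type stays REG_MULTI_SZ.
        New-ItemProperty -Path $msv1Key -Name $name -PropertyType MultiString `
            -Value $merged -Force | Out-Null
    }

    # Return the resulting list so the caller can log or review it.
    return $merged
}

# Preview the change without writing to the registry:
# Add-BackConnectionHostName -HostName 'cname1', 'cname1.local' -WhatIf
```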