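I am trying to start a remote installation of SQL Server using the DBATools command install-DbaInstance, but I get an error when connecting to the remote server using CredSSP.
Here is the code below. $InstallationSources is a list of installation media on a network share, and this code is run from a management server that has WMI open to it.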
$Configuration = @{ UpdateSource = $UpdateSources[$Version]; USESQLRECOMMENDEDMEMORYLIMITS="True" }
$InstallationParameters = @{
    SqlInstance = $SqlInstance
    Path = $InstallationSources[$Version]+'\'+$Edition
    Version = $Version
    Feature = $Features
    InstancePath = $InstancePath
    DataPath = $DataPath
    LogPath = $LogPath
    TempPath = $TempPath
    BackupPath = $BackupPath
    EngineCredential = $EngineCredential
    AgentCredential = $AgentCredential
    ISCredential = $SSISCredential
    Credential = $InstallationCredential
    Configuration = $Configuration
    PerformVolumeMaintenanceTasks = $true
    AuthenticationMode = $Authentication
    Restart = $true
    Confirm = $false
    Verbose = $true
}
Error output
VERBOSE: [11:40:04][Initialize-CredSSP] Configuring remote host to use CredSSP
VERBOSE: Performing the operation "Primary protocol (Credssp) failed, sending credentials via potentially unsecure protocol" on target "Server.domain.com".
VERBOSE: [11:40:04][Invoke-CommandWithFallback] Initial connection to Server.domain.com through Credssp protocol unsuccessful, falling back to PSSession configurations | Connecting to remote server Server.domain.com fai
led with the following error message : The WinRM client cannot process the request. A computer policy does not allow the delegation of the user credentials to the target computer because the computer is not trusted. The identity of the target computer can be veri
fied if you configure the WSMAN service to use a valid certificate using the following command: winrm set winrm/config/service '@{CertificateThumbprint="<thumbprint>"}' Or you can check the Event Viewer for an event that specifies that the following SPN could no
t be created: WSMAN/<computerFQDN>. If you find this event, you can manually create the SPN using setspn.exe . If the SPN exists, but CredSSP cannot use Kerberos to validate the identity of the target computer and you still want to allow the delegation of the us
er credentials to the target computer, use gpedit.msc and look at the following policy: Computer Configuration -> Administrative Templates -> System -> Credentials Delegation -> Allow Fresh Credentials with NTLM-only Server Authentication. Verify that it is enab
led and configured with an SPN appropriate for the target computer. For example, for a target computer name "myserver.domain.com", the SPN can be one of the following: WSMAN/myserver.domain.com or WSMAN/*.domain.com. Try the request again after these changes. For
more information, see the about_Remote_Troubleshooting Help topic.
VERBOSE: [11:40:06][Install-DbaInstance] Looking for installation files in \\ \INSTALLMEDIA\share on remote machine Server.domain.com
VERBOSE: [11:40:06][Invoke-CommandWithFallback] Initial connection to Server.domain.com through Credssp protocol unsuccessful, falling back to PSSession configurations | Connecting to remote server Server.domain.com fai
led with the following error message : The WinRM client cannot process the request. A computer policy does not allow the delegation of the user credentials to the target computer because the computer is not trusted. The identity of the target computer can be veri
fied if you configure the WSMAN service to use a valid certificate using the following command: winrm set winrm/config/service '@{CertificateThumbprint="<thumbprint>"}' Or you can check the Event Viewer for an event that specifies that the following SPN could no
t be created: WSMAN/<computerFQDN>. If you find this event, you can manually create the SPN using setspn.exe . If the SPN exists, but CredSSP cannot use Kerberos to validate the identity of the target computer and you still want to allow the delegation of the us
er credentials to the target computer, use gpedit.msc and look at the following policy: Computer Configuration -> Administrative Templates -> System -> Credentials Delegation -> Allow Fresh Credentials with NTLM-only Server Authentication. Verify that it is enab
led and configured with an SPN appropriate for the target computer. For example, for a target computer name "myserver.domain.com", the SPN can be one of the following: WSMAN/myserver.domain.com or WSMAN/*.domain.com. Try the request again after these changes. For
more information, see the about_Remote_Troubleshooting Help topic.
WARNING: [11:40:07][Install-DbaInstance] Failed to enumerate files in \\installmedia\shareDeveloper | Connecting to remote server Server.domain.com failed with the fol
lowing error message : The WinRM client cannot process the request. A computer policy does not allow the delegation of the user credentials to the target computer because the computer is not trusted. The identity of the target computer can be verified if you conf
igure the WSMAN service to use a valid certificate using the following command: winrm set winrm/config/service '@{CertificateThumbprint="<thumbprint>"}' Or you can check the Event Viewer for an event that specifies that the following SPN could not be created: WS
MAN/<computerFQDN>. If you find this event, you can manually create the SPN using setspn.exe . If the SPN exists, but CredSSP cannot use Kerberos to validate the identity of the target computer and you still want to allow the delegation of the user credentials t
o the target computer, use gpedit.msc and look at the following policy: Computer Configuration -> Administrative Templates -> System -> Credentials Delegation -> Allow Fresh Credentials with NTLM-only Server Authentication. Verify that it is enabled and configur
ed with an SPN appropriate for the target computer. For example, for a target computer name "myserver.domain.com", the SPN can be one of the following: WSMAN/myserver.domain.com or WSMAN/*.domain.com. Try the request again after these changes. For more informatio
n, see the about_Remote_Troubleshooting Help topic.
I also tried adding this to the script, but I still get the same error.
Enable-WSManCredSSP -Role Client -DelegateComputer $SQLinstance -Force
Enable-WSManCredSSP -Role Server -Force
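
The error text above points at the Credentials Delegation policies on the machine that initiates the connection. The following read-only check is an added example, not part of the original post: it lists the delegation entries on the local machine and reports whether any of them covers the WSMAN SPN of the target. The function name `Test-CredSspDelegationPolicy` is hypothetical, and the registry path is assumed to be the standard policy location for these two settings.

```powershell
# Added diagnostic example; Test-CredSspDelegationPolicy is a hypothetical helper name.
# Run it on the machine that initiates the WinRM connection (the management server).
function Test-CredSspDelegationPolicy {
    [CmdletBinding()]
    param(
        # FQDN exactly as WinRM connects to it, e.g. the "Server.domain.com" seen in the log
        [Parameter(Mandatory)]
        [string]$TargetFqdn
    )

    # Assumed standard location of the Credentials Delegation policy settings
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
    $spn  = "WSMAN/$TargetFqdn"

    # AllowFreshCredentials: "Allow delegating fresh credentials"
    # AllowFreshCredentialsWhenNTLMOnly: the NTLM-only policy named in the error text
    $policies = 'AllowFreshCredentials', 'AllowFreshCredentialsWhenNTLMOnly'

    foreach ($policy in $policies) {
        $key     = Get-Item -Path (Join-Path $base $policy) -ErrorAction SilentlyContinue
        $entries = @()
        if ($key) {
            # Each value under the subkey holds one SPN pattern, e.g. wsman/*.domain.com
            $entries = @($key.GetValueNames() | ForEach-Object { [string]$key.GetValue($_) })
        }

        # -like is case-insensitive and honours the * wildcard used in the entries
        $matching = @($entries | Where-Object { $spn -like $_ })

        [pscustomobject]@{
            Policy             = $policy
            TargetSpn          = $spn
            Entries            = $entries -join ', '
            CoversTarget       = ($matching.Count -gt 0)
            # An entry of wsman/* delegates credentials to every host, which is
            # broader than a single installation target needs
            DelegatesToAnyHost = [bool]($entries -match '^wsman/\*$')
        }
    }
}

# Constructed sample call using the host name shown in the log above
Test-CredSspDelegationPolicy -TargetFqdn 'Server.domain.com' | Format-Table -AutoSize
```

`CoversTarget` is false when an entry was registered under a short name or an instance name rather than the FQDN that WinRM actually connects to.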