PowerShell AD module won't work over PSSession unless credentials are provided explicitly

powershell

Having an issue with a new 2016 Core server (recently migrated a server from 2012 R2).

On our previous 2012 R2 server, I could run a PowerShell script via a remote PS session (enter-pssession oldservername). Now on the new server, I get errors.

This script uses commands from the AD module (get-aduser, get-adgroup etc).

When running via a remote session, this happens:

PS C:\> enter-pssession newserver
[newserver]: PS C:\> get-aduser username
Unable to contact the server. This may be because this server does not exist, 
it is currently down, or it does not have the Active Directory Web Services running.
+ CategoryInfo          : ResourceUnavailable: (username:ADUser) [Get-ADUser], ADServerDownException
+ FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.GetADUser

However, if I specify get-aduser username -Credential (Get-Credential), it works fine.

If I run the script directly on the server (RDP to it), it works fine.

Invoke-Command -Session $sess -ScriptBlock {get-aduser username} also fails.

I'm assuming it's something to do with how the credentials are passed being different in 2016?
Has anyone come across this before? Is there a way to resolve it?

Best Answer

You're basically running into the classic Kerberos double hop problem. It's likely your previous 2012 R2 server had been configured for some form of Kerberos delegation and your new server hasn't (yet).

Here's a great TechNet blog post describing the problem in detail as it relates to PowerShell and the various ways to solve it.

PowerShell Remoting Kerberos Double Hop Solved Securely
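As an added example (not part of the question or the answer above), the following PowerShell reproduces the failure from the question and then applies the fix the linked post recommends: resource-based Kerberos constrained delegation (RBKCD), which is configured on the resource (the domain controllers running Active Directory Web Services) and lists which principals may delegate to it. The host names (newserver, dc01, dc02) and the user name are hypothetical.

```powershell
# Added example, not code from the original post. Requires the ActiveDirectory
# module on the admin workstation and permission to modify the DC computer objects.
# Hypothetical names: 'newserver' (middle hop, the 2016 Core box), 'dc01'/'dc02'
# (domain controllers running ADWS).
#Requires -Modules ActiveDirectory

# 1. Reproduce the symptom. Inside the remote session the script runs under a
#    network logon with no Kerberos TGT, so the AD cmdlets cannot make the second
#    hop to ADWS on a DC and fail with ADServerDownException.
function Test-SecondHop {
    param(
        [Parameter(Mandatory)][string]$MiddleServer,
        [Parameter(Mandatory)][string]$SamAccountName
    )
    Invoke-Command -ComputerName $MiddleServer -ScriptBlock {
        param($Sam)
        try {
            $u = Get-ADUser -Identity $Sam -ErrorAction Stop
            [pscustomobject]@{ SecondHopWorks = $true;  Detail = $u.DistinguishedName }
        } catch {
            [pscustomobject]@{ SecondHopWorks = $false; Detail = "$($_.Exception.GetType().Name): $($_.Exception.Message)" }
        }
    } -ArgumentList $SamAccountName
}

# 2. Fix: allow the middle server's computer account to delegate to each DC.
#    RBKCD lives on the target (DC) object, so nothing on the middle server is
#    marked "trusted for delegation" and no password is forwarded (unlike CredSSP).
function Enable-RbkcdToDomainControllers {
    param(
        [Parameter(Mandatory)][string]$MiddleServer,
        [Parameter(Mandatory)][string[]]$DomainControllers
    )
    $middle = Get-ADComputer -Identity $MiddleServer
    foreach ($dc in $DomainControllers) {
        # Merge with principals already allowed on this DC instead of overwriting them.
        $existing = (Get-ADComputer -Identity $dc -Properties PrincipalsAllowedToDelegateToAccount).PrincipalsAllowedToDelegateToAccount
        $principals = @($existing | Where-Object { $_ }) + $middle.DistinguishedName | Sort-Object -Unique
        Set-ADComputer -Identity $dc -PrincipalsAllowedToDelegateToAccount $principals
        Write-Verbose "RBKCD on ${dc}: $($principals -join ', ')"
    }
    # The middle server caches its own service tickets; purge the LocalSystem
    # logon session (LUID 0x3e7) so the new delegation setting is picked up.
    Invoke-Command -ComputerName $MiddleServer -ScriptBlock { klist purge -li 0x3e7 | Out-Null }
}

# 3. Verify that the configured principals are exactly what you expect.
function Get-RbkcdPrincipals {
    param([Parameter(Mandatory)][string[]]$DomainControllers)
    foreach ($dc in $DomainControllers) {
        $p = (Get-ADComputer -Identity $dc -Properties PrincipalsAllowedToDelegateToAccount).PrincipalsAllowedToDelegateToAccount
        [pscustomobject]@{ DomainController = $dc; AllowedToDelegate = @($p) }
    }
}

# Usage (hypothetical names):
# Test-SecondHop -MiddleServer newserver -SamAccountName jdoe
# Enable-RbkcdToDomainControllers -MiddleServer newserver -DomainControllers dc01, dc02 -Verbose
# Get-RbkcdPrincipals -DomainControllers dc01, dc02
# Test-SecondHop -MiddleServer newserver -SamAccountName jdoe
```

Two caveats a practitioner should check before relying on this. List every DC the middle server may pick (or pin one with Get-ADUser -Server) because the AD cmdlets locate ADWS dynamically, and RBKCD only works for a DC whose computer object lists the middle server. Second, RBKCD authorises the middle server to delegate to all services on the listed DCs, and the domain's KDCs must run Windows Server 2012 or later; if either is a problem, CredSSP also resolves the double hop but sends the user's plaintext credentials to the middle server, which the linked post explains is why it is the less secure option.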