How to Enable PSRemoting when SPN values are missing

by markdmac
While working on a project for work to automate the removal of SCOM 2007 agents to prepare for 2012 agent installations, we encountered a problem whereby several servers were not configured for PSRemoting. WSMan QuickConfig and Enable-PSRemoting both would fail on just a few of our 2008R2 or 2012 servers. After a little investigation we discovered that there were missing SPN records.

Servers should have four SPN records that would look like this:

servername http/servername
servername https/servername
servername http/servername.domain.com
servername https/servername.domain.com

In checking how the SETSPN utility works, I found that if you try to add an entry that already exists, SETSPN simply ignores it. That was good news for me since I really didn't know which servers were messed up (we have several hundred). I wrote the following script, which we push out and execute via GPO; it adds the needed SPN records if they are missing, then enables PSRemoting. The script will also check if it is being run elevated (required to enable PSRemoting) and, if not, it relaunches itself elevated as admin.

The script automatically pulls both machine name and domain name, so no modification should be needed.
Note that the script verifies that the server it is executing on is running 2008 server or higher. SETSPN does not exist on 2003 servers.
[code]
#==========================================================================
#
# Script: FixSPN-EnablePSRemoting.ps1
#
# AUTHOR: Mark D. MacLachlan, The Spider's Parlor
# Date: 01/19/2015 11:13:49
#
# THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
# ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO
# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
# PARTICULAR PURPOSE.
#
# IN NO EVENT SHALL THE SPIDER'S PARLOR AND/OR ITS RESPECTIVE SUPPLIERS
# BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY
# DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,
# WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
# ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE
# OF THIS CODE OR INFORMATION.
#
#
# COMMENT: Adds SPN records needed to enable PS Remoting
#
#
#==========================================================================

# $ErrorActionPreference is the variable PowerShell actually honours
$ErrorActionPreference = "SilentlyContinue"

function Use-RunAs
{
    # Check if the script is running as Administrator and, if not, relaunch it with RunAs.
    # Use the -Check switch to only report whether the session is elevated.

    param([Switch]$Check)

    $IsAdmin = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()`
        ).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")

    if ($Check) { return $IsAdmin }

    if ($MyInvocation.ScriptName -ne "")
    {
        if (-not $IsAdmin)
        {
            try
            {
                # Relaunch this same script file in an elevated PowerShell process
                $arg = "-file `"$($MyInvocation.ScriptName)`""
                Start-Process "$psHome\powershell.exe" -Verb Runas -ArgumentList $arg -ErrorAction 'stop'
            }
            catch
            {
                Write-Warning "Error - Failed to restart script with runas"
                break
            }
            exit # Quit this session of powershell
        }
    }
    else
    {
        Write-Warning "Error - Script must be saved as a .ps1 file first"
        break
    }
}

Use-RunAs

# Get OS version and verify 2008+ (major version 6 or higher)
$OS = [environment]::OSVersion.Version
If ($OS.Major -ge 6) {
    # Get PC name and domain info
    $Computer = $Env:ComputerName
    $Domain = (Get-WmiObject Win32_ComputerSystem).Domain
    # Add our needed SPN records, calling SETSPN directly instead of through Invoke-Expression
    SETSPN -A "http/$Computer.$Domain" $Computer
    SETSPN -A "http/$Computer" $Computer
    SETSPN -A "https/$Computer.$Domain" $Computer
    SETSPN -A "https/$Computer" $Computer
}
# Enable PSRemoting, use Force to prevent confirmation
Enable-PSRemoting -Force

[/code]
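
A read-only way to see which of the four records listed above are missing before anything is changed, as an added example that is not part of the original FAQ script: it parses `setspn -L` output and reports the absent entries. The function names, the SRV01/example.com host and the sample listing are constructed for illustration.

```powershell
# Added example (not from the FAQ): read-only audit of the four SPNs listed above.
# Get-ExpectedSpn and Get-MissingSpn are hypothetical helper names.

function Get-ExpectedSpn {
    param(
        [Parameter(Mandatory = $true)][string]$Computer,
        [Parameter(Mandatory = $true)][string]$Domain
    )
    # The four records from the FAQ: http and https, short name and FQDN.
    foreach ($scheme in 'http', 'https') {
        "${scheme}/${Computer}"
        "${scheme}/${Computer}.${Domain}"
    }
}

function Get-MissingSpn {
    param(
        [string[]]$Expected,
        [string[]]$SetSpnOutput   # raw lines from: setspn -L <computer>
    )
    # setspn -L prints a header line, then one indented SPN per line.
    $registered = $SetSpnOutput |
        Where-Object { $_ -match '^\s+\S+/\S+' } |
        ForEach-Object { $_.Trim() }
    # -notcontains compares case-insensitively.
    $Expected | Where-Object { $registered -notcontains $_ }
}

# Constructed sample of setspn -L output (not taken from a real host).
$sample = @(
    'Registered ServicePrincipalNames for CN=SRV01,OU=Servers,DC=example,DC=com:'
    "`tHOST/SRV01"
    "`tHOST/SRV01.example.com"
    "`thttp/SRV01"
)

$expected = Get-ExpectedSpn -Computer 'SRV01' -Domain 'example.com'
$missing  = @(Get-MissingSpn -Expected $expected -SetSpnOutput $sample)

if ($missing.Count -gt 0) {
    Write-Warning ("Missing SPNs: " + ($missing -join ', '))
} else {
    Write-Output 'All four SPNs are registered.'
}

# On a live server, feed in the real listing instead of the sample:
# $Domain = (Get-WmiObject Win32_ComputerSystem).Domain
# $live   = & setspn.exe -L $Env:ComputerName
# Get-MissingSpn (Get-ExpectedSpn $Env:ComputerName $Domain) $live
```

Because the audit only lists records, it does not need the elevation or the directory write access that the fix script requires.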