Hi,
I am trying to run the below powershell script using AWS ssm automation. This script will run as SSM Administrator and will try to enable the iscsi service by running the script as domain user account authenticated with CredSSP. Windows version: Windows_Server-2019-English-Full-Base
[CmdletBinding()]
param(
[Parameter(Mandatory=$true)]
[string]$DomainNetBIOSName,
[Parameter(Mandatory=$true)]
[string]$AdminSecret,
[Parameter(Mandatory=$true)]
[string]$DomainDNSName
)
$HostName = hostname
# Getting Password from Secrets Manager for AD Admin User
$AdminUser = ConvertFrom-Json -InputObject (Get-SECSecretValue -SecretId $AdminSecret).SecretString
$ClusterAdminUser = $DomainNetBIOSName + '\' + $AdminUser.UserName
# Creating Credential Object for Administrator
$Credentials = (New-Object PSCredential($ClusterAdminUser,(ConvertTo-SecureString $AdminUser.Password -AsPlainText -Force)))
Invoke-Command -ScriptBlock {
Write-Output "Iscsi Setup started"
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False
Start-service -Name msiscsi
Set-Service -Name msiscsi -StartupType Automatic
Write-Output "Iscsi Setup completed"
} -Credential $Credentials -ComputerName $HostName -Authentication credssp
Scenario: I have to run the same script on 2 AWS EC2 instances where I join both the EC2 instances to Active Directory > enable CredSSP on both > Run the script mentioned above
Script Steps:
-
SSM runs the script using Administrator account. However, I need to run the script using the domain user account. Hence I decided to use CredSSP based auth with Invoke Command.
-
Domain Join is successful. Below script is used to enable CredSSP. This works fine.
[CmdletBinding()]
param(
[Parameter(Mandatory=$true)]
[string]$DomainDNSName
)
$HostName = hostname
$HostAddress = "{0}.{1}" -f $HostName, $DomainDNSName
Enable-WSManCredSSP -Role "Server" -Force
Enable-WSManCredSSP -Role "Client" -DelegateComputer $HostAddress -Force
- Now when I try to run the powershell script to configure iscsi. It works fine on the first EC2 Instance (SqlFSx1.example.com) but throws the below error on Instance2 (SqlFSx2.example.com).
[SqlFSx2] Connecting to remote server SqlFSx2 failed with the following error message : The WinRM client cannotprocess the request. A computer policy does not allow the delegation of the user credentials to the target computerbecause the computer is not trusted. The identity of the target computer can be verified if you configure the WSMANservice to use a valid certificate using the following command: winrm set winrm/config/service'@{CertificateThumbprint="<thumbprint>"}' Or you can check the Event Viewer for an event that specifies that thefollowing SPN could not be created: WSMAN/<computerFQDN>. If you find this event, you can manually create the SPNusing setspn.exe . If the SPN exists, but CredSSP cannot use Kerberos to validate the identity of the target computerand you still want to allow the delegation of the user credentials to the target computer, use gpedit.msc and look atthe following policy: Computer Configuration -> Administrative Templates -> System -> Credentials Delegation -> AllowFresh Credentials with NTLM-only Server Authentication. Verify that it is enabled and configured with an SPNappropriate for the target computer. For example, for a target computer name "myserver.domain.com", the SPN can be oneof the following: WSMAN/myserver.domain.com or WSMAN/*.domain.com. Try the request again after these changes. For moreinformation, see the about_Remote_Troubleshooting Help topic. + CategoryInfo : OpenError: (SqlFSx2:String) [], PSRemotingTransportException + FullyQualifiedErrorId : -2144108124,PSSessionStateBroken
Not sure what is happening?
I have added the domain user to Administrators group as well.
Have tried the below commands as well. But, facing the same issue on the second EC2 instance.
Specify the SPN to create
$spn = "WSMAN/$HostName"
# Configure the local Group Policy to allow fresh credentials with NTLM-only server authentication
$policyPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation"
if (!(Test-Path $policyPath)) { New-Item $policyPath -Force | Out-Null }
Set-ItemProperty $policyPath "AllowFreshCredentials" -Value 1
Set-ItemProperty $policyPath "ConcatenateDefaults_AllowFreshCredentials" -Value 1
Set-ItemProperty $policyPath "AllowFreshCredentialsWhenNTLMOnly" -Value 1
# Configure the local computer to allow delegation to the remote server using NTLM-only authentication
Invoke-Command -ComputerName $HostName -ScriptBlock {
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" -Name "AllowFreshCredentials" -Value "1"
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" -Name "ConcatenateDefaults_AllowFresh" -Value "1"
}
Set-Item -Path "WSMan:\localhost\Client\AllowFreshCredentials" -Value 1
Set-Item -Path "WSMan:\localhost\Client\Auth\CredSSP" -Value 1
Set-Item -Path "WSMan:\localhost\Client\TrustedHosts" -Value $computerName -Force
# Create the SPN on the remote server using setspn.exe
Invoke-Command -ComputerName $HostName -ScriptBlock {
param($spn)
setspn -s $spn $env:COMPUTERNAME
} -ArgumentList $spn
Not sure what am I missing here.Any help would be appreciated.
AWS OFFICIALUpdated 7 months ago
