BojanZivkovic-7448 asked BojanZivkovic-7448 answered

Invoke-Command does not work with host name

Hi, having created a custom endpoint, I now cannot connect to it using the host name of the target DNS server:

Connecting to remote server server host name failed with the following error message : The connection to the specified remote host was refused. Verify that the WS-Management service is running on the remote host and configured to listen for requests on the correct port and HTTP URL. For more information, see the about_Remote_Troubleshooting Help topic.

However, a connection to the target DNS server using its FQDN can be established without issues. What can be wrong here? I deployed the same endpoint in another forest, and PS remoting to it works with the host name of the target DNS server.

Thx in advance.

windows-server-powershell

RichMatheisen-8856 answered

First, it's important to understand that WinRM is a Windows service. PowerShell just makes use of it.

You've emphasized the "host name" in your question -- does that mean that you can connect if you use the remote machine's IP address?

You also say that you can connect to the remote machine using its host name, but fail to say how -- or that you used the same port in such a connection as the one assigned to the WinRM service.

You don't mention forest/domain trusts. You don't mention how the WinRM service is configured (on both sides). You don't mention what authentication you're using, which is especially important in cross-forest environments. I'm not sure if this is still applicable to recent Windows: hh921473(v=ws.10)

You don't mention whether you've done any of the troubleshooting in PowerShell's "about_Remote_Troubleshooting" help.


BojanZivkovic-7448 answered RichMatheisen-8856 commented

It seems that some GPO applied to bastion hosts (jump boxes) is blocking the use of the host name in Invoke-Command. I have just tried from my laptop, and Enter-PSSession -ComputerName host name -ConfigurationName DNS_test_config worked.


It may not be the GPO!

If you're connecting to your "jump box" from your local machine and then trying to use Invoke-Command from there, you're running into the "second-hop problem". You can't pass your credentials from the 2nd machine (jump box) to 3rd machine (the host name in your Invoke-Command). You have to provide a -Credential on the Invoke-Command for that to work.

There are ways to avoid that problem, but they weaken security.

BojanZivkovic-7448 answered

No, I am not accessing the "jump box" from my local machine. Invoke-Command does not work without specifying the FQDN on the jump box itself. I mentioned my local machine since I can "see" port 5985 on the remote machine, but from my local machine Invoke-Command works with the host name as well.

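One way to narrow down the host name versus FQDN difference discussed in this thread, as an added example that is not part of any poster's reply: run it on both the jump box and the laptop and compare the rows. `Compare-WinRMName` is a hypothetical helper, and `dns01` / `dns01.corp.example` are constructed placeholder names.

```powershell
# Added example (not from the thread): compare how the short host name and the
# FQDN of the same server behave for WinRM from the machine this runs on.
function Compare-WinRMName {
    param(
        [Parameter(Mandatory)] [string[]] $Name,
        [int] $Port = 5985   # WinRM HTTP port mentioned in the thread
    )
    foreach ($n in $Name) {
        # 1. Which address does this form of the name resolve to?
        $resolved = try {
            (Resolve-DnsName -Name $n -ErrorAction Stop |
                Where-Object { $_.IPAddress } |
                Select-Object -ExpandProperty IPAddress) -join ','
        } catch { "unresolved: $($_.Exception.Message)" }

        # 2. Is the WinRM port reachable when addressed by this name?
        $tcp = Test-NetConnection -ComputerName $n -Port $Port -WarningAction SilentlyContinue

        # 3. Does a WS-Management listener answer the identify request?
        $wsman = try {
            [bool](Test-WSMan -ComputerName $n -Port $Port -ErrorAction Stop)
        } catch { $_.Exception.Message }

        [pscustomobject]@{
            Name          = $n
            Resolved      = $resolved
            RemoteAddress = $tcp.RemoteAddress
            TcpOpen       = $tcp.TcpTestSucceeded
            WSMan         = $wsman
        }
    }
}

# Placeholder names: substitute the real short name and FQDN of the DNS server.
Compare-WinRMName -Name 'dns01', 'dns01.corp.example' | Format-List

# Client-side WinRM settings on this machine (Group Policy can set these);
# requires the local WinRM service to be running.
Get-ChildItem WSMan:\localhost\Client
```

If the two names resolve to different addresses, or the port test succeeds for only one of them, the difference is in name resolution or the network path on that machine rather than in the custom endpoint.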