Troubleshoot CredSSP

Applies to Azure Stack HCI, version v20H2

Some Azure Stack HCI operations use Windows Remote Management (WinRM), which doesn't allow credential delegation by default. To allow delegation, the computer needs to have Credential Security Support Provider (CredSSP) enabled temporarily. CredSSP is a security support provider that allows a client to delegate credentials to a server for remote authentication.

Enabling CredSSP is a degraded security posture: the server you delegate to receives your credentials and can authenticate onward as you, so anyone who controls that server holds them as well. In most circumstances CredSSP should be disabled as soon as the task or operation is completed.

Some tasks that require CredSSP to be enabled include:

  • Create Cluster wizard workflow
  • Active Directory queries or updates
  • SQL Server queries or updates
  • Locating accounts or computers in a different domain or in a non-domain-joined environment

Troubleshooting tips

If you experience issues with CredSSP, the following troubleshooting tips may help:

  • To use the Create Cluster wizard when running Windows Admin Center on a server instead of a PC, you must be a member of the Gateway administrators group on the Windows Admin Center server. For more information, see User access options with Windows Admin Center.

  • When running the Create Cluster wizard, CredSSP may report an issue if an Active Directory trust isn't established or is broken. This happens when workgroup-based servers are used for cluster creation. In this case, try manually restarting each server in the cluster.

  • When running Windows Admin Center on a server, make sure the user account is a member of the Gateway administrators group.

  • We recommend running Windows Admin Center on a computer that is a member of the same domain as the managed servers.

  • To be able to enable or disable CredSSP on a server, make sure you belong to the Gateway administrators group on that computer. For more information, see the first two sections of Configure User Access Control and Permissions.

  • Restarting the WinRM service on the servers in the cluster might prompt you to re-establish the WinRM connection between each cluster server and Windows Admin Center.

    One way to do this is to go to each cluster server in Windows Admin Center, select Services on the Tools menu, select WinRM, select Restart, and then select Yes at the Restart Service prompt.

Manual troubleshooting

If you receive the following WinRM error message, try using the manual verification steps in this section to resolve the error. Example error message:

Connecting to remote <server name> failed with the following error message: The WinRM client cannot process the request. A computer policy does not allow the delegation of the user credentials to the target computer because the computer is not trusted. The identity of the target computer can be verified if you configure the WSMAN service to use a valid certificate.

This error means the CredSSP client could not establish that the target is trusted for delegation: either the client's delegation allow-list does not include the name you connected with (addressed by Remedy 2), or Kerberos mutual authentication of the target failed, typically because its WSMAN service principal name is missing or duplicated (addressed by Remedy 3).

The manual verification steps in this section require you to configure the following computers:

  • The computer running Windows Admin Center
  • The server where you received the error message

To resolve the error, try the following remedy steps as needed:

Remedy 1:

  1. Restart the computer running Windows Admin Center and the server.

  2. Try running the Create Cluster wizard again.

    For details on running the wizard, see Create an Azure Stack HCI cluster using Windows Admin Center.

Remedy 2:

  1. On the computer running Windows Admin Center, open Windows PowerShell as an administrator and run the following commands. The value given to -DelegateComputer must match the name you use to connect to the server (use the FQDN, and connect by FQDN):

    Disable-WsmanCredSSP -Role Client  
    
    Enable-WsmanCredSSP -Role Client -DelegateComputer <Server FQDN Name>
    
  2. Use the RDP feature to connect to the server, and then run the following PowerShell commands:

    Disable-WsmanCredSSP -Role Server  
    
    Enable-WsmanCredSSP -Role Server  
    
  3. Try running the Create Cluster wizard again.

    For details on running the wizard, see Create an Azure Stack HCI cluster using Windows Admin Center.
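The "enable temporarily, then disable" pattern from the introduction and the Remedy 2 reset, as one added PowerShell example that is not code from the Azure Stack HCI docs or from Windows Admin Center. It goes a little beyond Remedy 2: the server-side reset is done over an ordinary Kerberos WinRM session instead of RDP, both sides are verified with Get-WSManCredSSP and Test-WSMan, one delegated second hop is exercised, and the delegation is removed again in a finally block. The host names wac01 and node01.contoso.local, an existing Kerberos WinRM path to the server, and the Active Directory PowerShell module being installed on the server are assumptions.

```powershell
# Added example (not from the Azure Stack HCI docs): reset CredSSP on the
# Windows Admin Center (WAC) machine and on one target server, scoped to
# that server only, verify the delegation path, then remove it again.
# Assumptions (hypothetical): WAC machine 'wac01', target server
# 'node01.contoso.local', local admin on both, Kerberos WinRM already
# working to the server, RSAT AD PowerShell module present on the server.

#Requires -RunAsAdministrator
$Server = 'node01.contoso.local'   # assumed target FQDN; must match the name used to connect
$Cred   = Get-Credential           # domain account whose credentials will be delegated

try {
    # Client side (the WAC machine): start clean, then allow delegation to
    # this one FQDN. A wildcard such as *.contoso.local would also work but
    # allows delegation to every host in the domain.
    Disable-WSManCredSSP -Role Client
    Enable-WSManCredSSP  -Role Client -DelegateComputer $Server -Force

    # Server side: reset the Server role over a Kerberos-authenticated
    # session instead of RDP. -Force suppresses the confirmation prompt.
    Invoke-Command -ComputerName $Server -ScriptBlock {
        Disable-WSManCredSSP -Role Server
        Enable-WSManCredSSP  -Role Server -Force
    }

    # Effective state on both sides: the client should list
    # wsman/node01.contoso.local under AllowFreshCredentials, the server
    # should report CredSSP = true.
    Get-WSManCredSSP
    Invoke-Command -ComputerName $Server -ScriptBlock { Get-WSManCredSSP }

    # Prove the delegated path works before rerunning the Create Cluster wizard.
    Test-WSMan -ComputerName $Server -Authentication Credssp -Credential $Cred

    # A second hop of the kind the docs list as needing CredSSP: an Active
    # Directory query issued from the server with the delegated identity.
    Invoke-Command -ComputerName $Server -Authentication Credssp -Credential $Cred -ScriptBlock {
        Get-ADComputer -Identity $env:COMPUTERNAME | Select-Object Name, DNSHostName
    }
}
finally {
    # CredSSP is a temporary concession: remove it on both sides when done,
    # even if a step above failed.
    Disable-WSManCredSSP -Role Client
    Invoke-Command -ComputerName $Server -ScriptBlock { Disable-WSManCredSSP -Role Server }
}
```

Run it in an elevated PowerShell on the Windows Admin Center machine. If Test-WSMan succeeds with -Authentication Credssp but the wizard still fails, the remaining difference is the name the wizard connects with, so check that it is the same FQDN you passed to -DelegateComputer.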

Remedy 3:

  1. On the computer running Windows Admin Center, run the following PowerShell command to check the Service Principal Name (SPN):

    setspn -Q WSMAN/<Windows Admin Center Computer Name>  
    

    The result should list the following output:

    WSMAN/<Windows Admin Center Computer Name>

    WSMAN/<Windows Admin Center Computer FQDN Name>

  2. If the results are not listed, run the following PowerShell commands to register the SPN:

    setspn -S WSMAN/<Windows Admin Center Computer Name> <Windows Admin Center Computer Name>  
    
    setspn -S WSMAN/<Windows Admin Center Computer Name> <Windows Admin Center Computer FQDN Name>  
    
  3. Use the RDP feature to connect to the server, and then run the following PowerShell command to check the SPN:

    setspn -Q WSMAN/<Server Name>  
    

    The result should list the following output:

    WSMAN/<Server Name>

    WSMAN/<Server FQDN Name>

  4. If the results are not listed, run the following PowerShell commands to register the SPN:

    setspn -S WSMAN/<Server Name> <Server Name>  
    
    setspn -S WSMAN/<Server Name> <Server FQDN Name>  
    
  5. Try running the Create Cluster wizard again.

    For details on running the wizard, see Create an Azure Stack HCI cluster using Windows Admin Center.
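Remedy 3 as one added PowerShell script, not code from the Azure Stack HCI docs: it checks the short-name and FQDN WSMAN SPNs for both machines with setspn -Q, registers whichever are missing with setspn -S (which refuses to create a duplicate), and ends with a forest-wide duplicate scan, because a WSMAN SPN held by two accounts breaks Kerberos authentication to the target just as a missing one does. The names wac01, node01 and contoso.local are assumptions, and the account running it needs permission to write servicePrincipalName on those computer objects.

```powershell
# Added example (not from the Azure Stack HCI docs): verify and, if needed,
# register the WSMAN service principal names that Kerberos needs on the
# Windows Admin Center machine and on the target server.
# Assumptions (hypothetical names): wac01 / wac01.contoso.local and
# node01 / node01.contoso.local; run as a domain account allowed to write
# servicePrincipalName on these computer objects.

$Hosts = @(
    @{ Name = 'wac01';  Fqdn = 'wac01.contoso.local'  }   # assumed WAC machine
    @{ Name = 'node01'; Fqdn = 'node01.contoso.local' }   # assumed HCI server
)

function Test-WsmanSpn {
    param([string]$Spn)
    # setspn -Q searches the forest for the SPN and ends its output with
    # "Existing SPN found!" on a hit or "No such SPN found." on a miss.
    $out = & setspn.exe -Q $Spn 2>&1
    return (($out -join "`n") -match 'Existing SPN found')
}

foreach ($h in $Hosts) {
    foreach ($spn in @("WSMAN/$($h.Name)", "WSMAN/$($h.Fqdn)")) {
        if (Test-WsmanSpn -Spn $spn) {
            Write-Host "OK      $spn"
            continue
        }
        # -S adds the SPN to the computer account only if no other account
        # already holds it, so it cannot introduce a duplicate.
        Write-Host "MISSING $spn -> registering on computer account $($h.Name)"
        & setspn.exe -S $spn $h.Name
    }
}

# A WSMAN SPN that is registered twice in the forest produces the same
# "computer is not trusted" failure as a missing one; -X lists duplicates.
Write-Host 'Scanning the forest for duplicate SPNs...'
& setspn.exe -X
```

If the duplicate scan reports a WSMAN/<name> entry on a stale computer object, remove it there with setspn -D before rerunning the wizard; that is the situation Remedy 4 describes resolving by reinstalling under a new name.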

Remedy 4:

If any of the previous remedy steps failed or did not complete, this might indicate a record conflict in Active Directory. You can use a different computer name so that the server is registered as a new record in Active Directory.

To reset the record in Active Directory, reinstall the Azure Stack HCI operating system with a new computer name.

Next steps

For more information on CredSSP, see Credential Security Support Provider.