Setting up remote PowerShell for SP Raas

Hello All,

Lately  when I setup remote PowerShell to run the Raas tool (For more info about the service see https://services.premier.microsoft.com/assess?Culture=en-US&CultureAutoDetect=true) I have been having the same problems every time, so I figured I would throw it up here so that everybody could benefit from it.

First thing first we are setting up PSRemoting, and very quickly this is what we do.  I follow this article https://www.microsoft.com/en-us/download/details.aspx?id=34698

On the SharePoint server (Target machine) we run the following commands

1. winrm quickconfig
2. Enable-WSManCredSSP -Role server

NOTE: (Run the following two commands for Windows Server 2008/R2 only)

1. winrm set winrm/config/winrs '@{MaxShellsPerUser="25"}'
2. winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="600"}'

NOTE: (Watch the quotes in the last 2 commands above)  

Then on the tool server (Client machine)

1. Enable-WSManCredSSP -Role client -DelegateComputer <SharePointServer FQDN>

NOTE: You must provide the whole FQDN not just Netbios name

Then we test our connection by running a New-PSSession command, and baam the trouble starts.  We get the following error

PS C:\Users\XXXXXXX> $s = New-PSSession -ComputerName server.domain.com -Authentication CredSSP -Credential $farm

[server.domain.com] Connecting to remote server failed with the f

ollowing error message : The WinRM client cannot process the request. A compute

r policy does not allow the delegation of the user credentials to the target co

mputer because the computer is not trusted. The identity of the target computer

can be verified if you configure the WSMAN service to use a valid certificate

using the following command: winrm set winrm/config/service '@{CertificateThumb

print="<thumbprint>"}'  Or you can check the Event Viewer for an event that spe

cifies that the following SPN could not be created: WSMAN/<computerFQDN>. If yo

u find this event, you can manually create the SPN using setspn.exe .  If the S

PN exists, but CredSSP cannot use Kerberos to validate the identity of the targ

et computer and you still want to allow the delegation of the user credentials

to the target computer, use gpedit.msc and look at the following policy: Comput

er Configuration -> Administrative Templates -> System -> Credentials Delegatio

n -> Allow Fresh Credentials with NTLM-only Server Authentication.  Verify that

it is enabled and configured with an SPN appropriate for the target computer.

For example, for a target computer name "myserver.domain.com", the SPN can be o

ne of the following: WSMAN/myserver.domain.com or WSMAN/*.domain.com. Try the r

equest again after these changes. For more information, see the about_Remote_Tr

oubleshooting Help topic.

    + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:Re

   moteRunspace) [], PSRemotingTransportException

    + FullyQualifiedErrorId : PSSessionOpenFailed

PS C:\Users\XXXXXXX>

Here are the solutions that I have found for this issue, hopefully one of them will help you.

1. Denied permission on session configuration, run the following command

Set-PSSsessionConfiguration -ShowSecurityDescriptorUI –Name microsoft.powershell

Then in the window that opens insure your user has Full Control and there are no denies.

1. Deny Access to Server, make sure your user is a member of Local Admin group on the SharePoint server

1. CreddSSP authentication failing, if your able to connect to session by dropping the CredSSP parameter.  Perform the following steps.

1. Open GPEdit.msc
2. Expand Computer Configuration -> Administrative Templates -> System -> Credentials Delegation
3. Enable the policy 'Allow delegating fresh credentials with NTLM-only server authentication'
4. Click the Show button and add the SPN in the format WSMAN/<FQDN>
5. Click ok and close the .msc
6. Run gpupdate /force

As I find new solutions/issues I will update this article, good luck and have fun everybody.