Skype for Business Server and PowerShell Remoting

This post will show how to get PowerShell remoting to work properly with Lync/Skype for Business Server.

Windows Server 2012 and later enable PowerShell remoting by default, so as long as you are an administrator on the target you don’t need to do anything special to run ordinary cmdlets like Get-Service, Get-Process, etc. remotely.

However, when trying to run many specific Skype for Business cmdlets, you may run into problems. Here’s a quick demonstration.

I’ll open a remote PS session to my lab SfB server, which is just a SfB 2015 Standard Edition VM.

$creds = (Get-Credential)

$session = New-PSSession -ComputerName lync.home.lab -Credential $creds
Enter-PSSession $session

I can run all kinds of commands without issue, including some SfB-specific cmdlets like Get-CsWindowsService, which only touches the local machine.

[Screenshot: non-auth.jpg]

Now let me try running a really common command, Get-CsUser. The result is a pretty unhelpful error:

[Screenshot: get-csuser-fail]

Active Directory error “-2147016672” occurred while searching for domain controllers in domain “home.lab”: “An operations error occurred.”

And in the exception, it says “ADTransientException”. The numeric code is worth decoding: -2147016672 is 0x80072020, the HRESULT form of Win32 error 8224 (ERROR_DS_OPERATIONS_ERROR), which is what an LDAP query returns when it reaches the domain controller without a credential the DC will accept.

This is not actually an SfB-specific problem. It’s known as the “second-hop problem” and applies to many other products (Exchange, SQL Server, file servers). It’s not a bug, it is Kerberos working as designed, but it does require a quick work-around.

The Second Hop

What’s happening is that running Get-CsUser requires a second hop: I am asking the remote server to make a query to the domain controller (the second hop) on my behalf. Which credentials will be used for that query? With the default Kerberos (Negotiate) authentication, none. The SfB server only holds a service ticket that proves who I am to it; it has no ticket-granting ticket or password it could present to a third machine, so the onward LDAP bind runs without a usable credential and the DC answers with “operations error”.

That’s where CredSSP comes in. CredSSP lets me name a server which I allow to use the credentials I passed when authenticating the remote PowerShell session. Concretely, the client sends my actual username and password (encrypted inside the TLS channel) to that server, which logs on with them locally; from then on the delegate server (the server I am remoted into) can authenticate to the domain controller, or to anything else, on my behalf for the lifetime of the session.

The second hop is explained in great detail in these posts here and here.

Implementing CredSSP

Fortunately, enabling CredSSP is simple. First, open a remote PS session with the server. In my example, it will be the remote SfB server I already have a connection with. Run the command

Enable-WSManCredSSP -Role Server

[Screenshot: server-enable.jpg]

Now restart WinRM on the remote server (this will disconnect the session):

Restart-Service winrm

This remote server will now accept CredSSP sessions from any client offering them. The server-side switch only says “I will accept delegated credentials”; which servers a client is willing to hand its password to is decided on the client.

Alright, now I’ll disconnect from the remote server, run the following command on my desktop in an elevated PowerShell prompt (Enable-WSManCredSSP needs administrator rights), and restart WinRM:

Enable-WSManCredSSP -Role Client -DelegateComputer lync.home.lab

Restart-Service winrm

[Screenshot: client.jpg]

Now I am explicitly trusting that single server to act as a delegate with my credentials. Use the server’s FQDN here; a wildcard such as *.home.lab would let any host in the domain receive your password.

Now all I need to do is establish a new PS session with the server, with one new parameter:

$session = New-PSSession -ComputerName lync.home.lab -Credential $creds -Authentication Credssp
Enter-PSSession $session

I am now creating a session with CredSSP as the authentication type, which lets the delegation happen for the duration of this session.

Now if I try any of the cmdlets that require authentication to other servers, there are no errors:

[Screenshot: get-csuser-notfail.jpg]
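As an added example (this is not the post’s own code), here is the whole procedure in one script: it first shows the second hop failing over a plain remoting session, then enables CredSSP on both sides, reads back the settings a practitioner would want to verify, runs Get-CsUser over a CredSSP session, and finally removes the delegation again. The server name lync.home.lab and the account home\admin are assumptions for the lab; run it from an elevated prompt on the client.

```powershell
# Added example, not the original post's code. Assumed names: lync.home.lab is the
# SfB front end and home\admin is an account with SfB RBAC rights.
$server = 'lync.home.lab'
$creds  = Get-Credential 'home\admin'

# 1. Reproduce the second-hop failure over ordinary (Kerberos) remoting.
#    Inside this session the token is a network logon: it can prove who we are to
#    lync.home.lab but has nothing to present onward to the domain controller.
Invoke-Command -ComputerName $server -Credential $creds -ScriptBlock {
    try {
        Get-CsUser -ResultSize 1 -ErrorAction Stop | Out-Null
        'second hop succeeded (unexpected without CredSSP)'
    } catch {
        "second hop failed: $($_.Exception.GetType().Name)"   # expect ADTransientException
    }
}

# 2. Server side: let the WinRM service accept CredSSP. -Force skips the confirmation prompt.
Invoke-Command -ComputerName $server -Credential $creds -ScriptBlock {
    Enable-WSManCredSSP -Role Server -Force | Out-Null
    Get-Item WSMan:\localhost\Service\Auth\CredSSP      # Value should now be 'true'
}

# 3. Client side: trust exactly one server to receive fresh credentials.
#    Always use the FQDN; a wildcard would let any host in the domain capture the password.
Enable-WSManCredSSP -Role Client -DelegateComputer $server -Force | Out-Null

# This writes the same 'Allow delegating fresh credentials' policy the Group Policy
# editor exposes; read it back to confirm the SPN that was recorded (WSMAN/lync.home.lab).
Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentials'
Get-WSManCredSSP                                         # client and server summary in one view

# 4. Connect with CredSSP and run the query that failed in step 1.
$session = New-PSSession -ComputerName $server -Credential $creds -Authentication Credssp
Invoke-Command -Session $session -ScriptBlock {
    Get-CsUser -ResultSize 1 | Select-Object SipAddress, RegistrarPool
}

# 5. Clean up. Remove the client-side trust as soon as the work is done: while it exists,
#    every CredSSP session hands the delegate server a reusable copy of the password.
Remove-PSSession $session
Disable-WSManCredSSP -Role Client
Invoke-Command -ComputerName $server -Credential $creds -ScriptBlock { Disable-WSManCredSSP -Role Server }
```

Step 1 is what makes the example worth keeping around: the same Get-CsUser call, issued from the same account against the same server, is the only thing that changes between the failing and the working run, which isolates the authentication type as the cause.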

Obviously there might be security concerns when using CredSSP, but as far as I know this is still the recommended approach. The concern is concrete: unlike Kerberos, CredSSP gives the delegate server your real password, which sits in that server’s memory for the life of the session, so a compromised front end can harvest the credentials of every administrator who connects with CredSSP. Keep the client-side trust limited to the specific FQDN, use an account with only the SfB RBAC rights the task needs, and disable the client-side setting when you are finished. Microsoft’s second-hop documentation also describes resource-based Kerberos constrained delegation, which solves the same problem without sending a password to the first hop.

CredSSP can also be enabled via Group Policy by going to Computer Configuration | Administrative Templates | System | Credentials Delegation and configuring “Allow delegating fresh credentials” with an entry of the form WSMAN/lync.home.lab for each server you trust. That is the same policy Enable-WSManCredSSP -Role Client writes locally, so on a domain-joined workstation the GPO setting will override whatever you set by hand.
