This post will show how to get PowerShell remoting to work properly with Lync/Skype for Business Server.
Since Windows Server 2012 enables PS remoting by default, you don’t need to do anything special to run normal commands like Get-Service, Get-Process, etc…
However, when trying to run many specific Skype for Business cmdlets, you may run into problems. Here’s a quick demonstration.
I’ll open a remote PS session to my lab SfB server, which is just a SfB 2015 Standard Edition VM:
$creds = (Get-Credential)
New-PSSession -ComputerName lync.home.lab -Credential $creds
I can run all kinds of commands without issue, including some SfB-specific cmdlets like Get-CsWindowsService
Now let me try running a really common command, Get-CsUser. The result is a pretty unhelpful error:
Active Directory error “-2147016672” occurred while searching for domain controllers in domain “home.lab”: “An operations error occurred.”
And in the exception, it says “ADTransientException”
This is not actually a SfB specific problem. It’s something known as the “second-hop problem” and is applicable to many other products. It’s not really a problem, but it does require a quick work-around.
The Second Hop
What’s happening is that running Get-CsUser requires a second hop — meaning I am asking the remote server to make a query to the domain controller (the second hop). Which credentials are going to be used when making this query to the DC?
That’s where CredSSP comes in. CredSSP allows me to specify a server which I allow to utilize the credentials which I passed during authentication for the remote PowerShell session. When using CredSSP, the delegate server (the server I am remoted into) will pass the credentials to the domain controller on my behalf when needed.
Fortunately, enabling CredSSP is simple. First, open a remote PS session with the server. In my example, it will be the remote SfB server which I already have a connection with. Run the command:
Enable-WSManCredSSP -Role Server
Now restart WinRM on the remote server (this will disconnect the session)
This remote server will now accept CredSSP sessions from any client offering them.
Alright, now I’ll disconnect from the remote server, run the following command on my desktop and restart WinRM:
Enable-WSManCredSSP -Role Client -DelegateComputer lync.home.lab
Restart-Service winrm
Now I am explicitly trusting that single server to act as a delegate with my credentials.
Now all I need to do is establish a new PS session with the server, with one new parameter:
New-PSSession -ComputerName lync.home.lab -Credential $creds -Authentication Credssp
I am now creating a session with CredSSP as the authentication type, allowing the delegation to happen during this session.
Now if I try any of the cmdlets that require authentication to other servers, I won’t get any errors.
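The whole procedure above, done end to end as one script, as an added example that is not part of the original post. It assumes the lab server name from the post (lync.home.lab) and a $creds credential that is allowed to run Get-CsUser there; the delegation trust is scoped to that single server and removed again when the work is done, since the client-side trust is what decides which hosts may receive your credentials.

```powershell
# Added example (not from the original post): configure CredSSP for the
# second-hop scenario, use it, then tear the client-side trust down again.
# Assumptions: $Server is the post's lab server; $creds is a domain account
# permitted to run Get-CsUser on it.

$Server = 'lync.home.lab'
$creds  = Get-Credential

# 1. Server side: allow the SfB server to accept CredSSP. This runs over a
#    normal (Negotiate/Kerberos) remoting session.
Invoke-Command -ComputerName $Server -Credential $creds -ScriptBlock {
    Enable-WSManCredSSP -Role Server -Force | Out-Null
}

# 2. Restart WinRM on the server. The restart tears down the remoting
#    connection that carries the command, so the resulting error is expected.
try {
    Invoke-Command -ComputerName $Server -Credential $creds -ScriptBlock {
        Restart-Service winrm
    }
}
catch {
    Write-Verbose "Remote WinRM restarted; connection dropped as expected: $_"
}

# 3. Client side: trust exactly one delegate. Never pass a wildcard such as
#    *.home.lab here, or every host matching it could receive the credentials.
Enable-WSManCredSSP -Role Client -DelegateComputer $Server -Force | Out-Null
Restart-Service winrm

# 4. Open a CredSSP session and run the cmdlet that failed before.
$session = New-PSSession -ComputerName $Server -Credential $creds -Authentication Credssp
try {
    Invoke-Command -Session $session -ScriptBlock {
        Get-CsUser -ResultSize 5 | Select-Object DisplayName, SipAddress, RegistrarPool
    }
}
finally {
    # 5. Clean up: close the session and remove the client-side delegation
    #    trust so credentials are not delegated again by accident later.
    Remove-PSSession $session
    Disable-WSManCredSSP -Role Client
}
```

Step 2 is split from step 1 deliberately: if Enable-WSManCredSSP fails you want to see that error, whereas the connection drop caused by restarting WinRM is the normal outcome and is safe to swallow.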
Obviously there are security concerns when using CredSSP: the delegate server receives your actual credentials, so if that server is compromised, so are they. That is why the client-side trust should name one specific server rather than a wildcard. But as far as I know this is still the recommended approach.
CredSSP can also be enabled via Group Policy by going to Computer Configuration | Administrative Templates | System | Credentials Delegation.
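A read-only check of what a machine is currently willing to delegate, as an added example that is not part of the original post. It combines the text output of Get-WSManCredSSP with the "Allow delegating fresh credentials" policy key that, to my knowledge, both Enable-WSManCredSSP -Role Client and the Group Policy setting named above write to (the registry path and value layout are stated here as an assumption; confirm them on your own build). Any wildcard target is flagged, since that would let every matching host receive the credentials.

```powershell
# Added example (not from the original post): audit CredSSP delegation
# settings on the local machine without changing anything.
# Assumption: client-side delegation targets live under the
# AllowFreshCredentials subkey of the CredentialsDelegation policy key,
# stored as numbered string values such as "wsman/lync.home.lab".

function Get-CredSspDelegationReport {
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
    $listKey   = Join-Path $policyKey 'AllowFreshCredentials'

    $targets = @()
    if (Test-Path $listKey) {
        $item = Get-ItemProperty -Path $listKey
        # Only the numbered values are targets; skip PSPath and friends.
        $targets = @($item.PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } |
            ForEach-Object { $_.Value })
    }

    [pscustomobject]@{
        # Human-readable summary of both the client and server role state.
        Summary         = (Get-WSManCredSSP) -join ' '
        DelegateTargets = $targets
        # "wsman/*" or "wsman/*.home.lab" hands credentials to any matching
        # host, which defeats the point of naming a single delegate.
        WildcardTargets = @($targets | Where-Object { $_.Contains('*') })
    }
}

$report = Get-CredSspDelegationReport
$report

if ($report.WildcardTargets.Count -gt 0) {
    Write-Warning ("CredSSP delegation is allowed to wildcard targets: " +
        ($report.WildcardTargets -join ', '))
}
```

Running this before and after the Enable-WSManCredSSP steps shows exactly which entries each command added, and running it periodically on admin workstations catches delegation trusts that were meant to be temporary but never got removed.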