HiveBrain v1.2.0
Get Started
← Back to all entries
snippetsqlMinor

How do I enable both PowerShell Remoting and SPN for SQL Server Reporting?

Submitted by: @import:stackexchange-dba··
0
Viewed 0 times
reportingenableserversqlpowershellspnbothforhowand

Problem

I'm struggling with remoting servers with SQL Server Reporting Services running. My Reporting Services are running with individual domain-accounts, and I have set up SPNs for them (HTTP/ \). As far as I can see, this effectively disables using PowerShell remoting, since the SPN which WinRM should use points to the domain account used by Reporting Services.

I have no problem running e.g. Get-Service -ComputerName , but if I try Get-CimInstance Win32_Service -ComputerName or Enter-PsSession I get an error similar to this:


Get-CimInstance : WinRM cannot process the request. The following
error with errorcode 0x80090322 occurred while using Kerberos
authentication: An unknown security error occurred. Possible causes
are:

-The user name or password specified are invalid.

-Kerberos is used when no authentication method and no user name are specified.

-Kerberos accepts domain user names, but not local user names.

-The Service Principal Name (SPN) for the remote computer name and port does not exist.

-The client and remote computers are in different domains and there is no trust between the two domains.


After checking for the above issues, try the following:

-Check the Event Viewer for events related to authentication.

-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.


Note that computers in the TrustedHosts list might not be
authenticated.

-For more information about WinRM configuration, run the following command: winrm help config. At line:1 char:1 + Get-CimInstance
win32_service -ComputerName ` +
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +
CategoryInfo: AuthenticationError: (root\cimv2:win32_service:String)
[Get-CimInstance], CimException + FullyQualifiedErrorId : HRESULT
0x8033809d,Microsoft.Management.Infrastructure.CimCmdlets.GetCimInstanceCommand
+ PSComputerName :
`

If I del

Solution

I believe we have found the solution. To avoid Reporting Services and WinRM fighting over the HTTP SPN, you can set a port-specific SPN for the WinRM like this:

setspn -S HTTP/:

It's a good idea to create SPNs for both short machine name and the FQDN.

The default port is 5985 for HTTP and 5986 for HTTPS, but I believe it can be set up to use different ports.

When using WinRM, I just set up a session like this:

$CimSessionOption = New-CimSessionOption -EncodePortInServicePrincipalName
$CimSession = New-CimSession -Name ServiceSession -SessionOption $CimSessionOption -ComputerName 
Get-CimInstance Win32_Service -CimSession $CimSession

Code Snippets

$CimSessionOption = New-CimSessionOption -EncodePortInServicePrincipalName
$CimSession = New-CimSession -Name ServiceSession -SessionOption $CimSessionOption -ComputerName <Machine>
Get-CimInstance Win32_Service -CimSession $CimSession

Context

StackExchange Database Administrators Q#129286, answer score: 2

Revisions (0)

No revisions yet.