How do I enable both PowerShell Remoting and SPN for SQL Server Reporting?
Problem
I'm struggling with remoting servers with SQL Server Reporting Services running. My Reporting Services are running with individual domain-accounts, and I have set up SPNs for them (HTTP/ ). As far as I can see, this effectively disables using PowerShell remoting, since the SPN which WinRM should use points to the domain account used by Reporting Services.
I have no problem running e.g. Get-Service -ComputerName , but if I try Get-CimInstance Win32_Service -ComputerName or Enter-PsSession I get an error similar to this:
Get-CimInstance : WinRM cannot process the request. The following error with errorcode 0x80090322 occurred while using Kerberos authentication: An unknown security error occurred. Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does not exist.
-The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following command: winrm help config.
At line:1 char:1
+ Get-CimInstance win32_service -ComputerName `
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo: AuthenticationError: (root\cimv2:win32_service:String) [Get-CimInstance], CimException
+ FullyQualifiedErrorId : HRESULT 0x8033809d,Microsoft.Management.Infrastructure.CimCmdlets.GetCimInstanceCommand
+ PSComputerName : `
If I del
Solution
I believe we have found the solution. To avoid Reporting Services and WinRM fighting over the HTTP SPN, you can set a port-specific SPN for the WinRM like this:
setspn -S HTTP/:
It's a good idea to create SPNs for both short machine name and the FQDN.
The default port is 5985 for HTTP and 5986 for HTTPS, but I believe it can be set up to use different ports.
When using WinRM, I just set up a session like this:
# Request a Kerberos ticket for the port-qualified SPN instead of the plain HTTP/<Machine> one
$CimSessionOption = New-CimSessionOption -EncodePortInServicePrincipalName
# Open a named CIM session to the target with that option
$CimSession = New-CimSession -Name ServiceSession -SessionOption $CimSessionOption -ComputerName <Machine>
# Reuse the session for the query that previously failed
Get-CimInstance Win32_Service -CimSession $CimSession
Context
StackExchange Database Administrators Q#129286, answer score: 2
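As an added example (not part of the original answer), the PowerShell function below classifies which account holds the plain and the port-qualified HTTP SPNs for a machine, which shows whether a client has to ask for the port-qualified SPN as the answer does. The machine rs01, the domain corp.example, the account svc-ssrs and the registration list are constructed; it assumes WinRM runs under its default Network Service identity, so only an SPN held by the computer account works for it.

```powershell
# Added example. Host names, accounts and registrations are constructed placeholders.
# Assumption: WinRM runs as Network Service, so its Kerberos tickets must be issued
# for an SPN held by the computer account (sAMAccountName "<Machine>$").
function Test-WinRMSpn {
    param(
        [Parameter(Mandatory)] [string]   $ComputerName,  # short machine name
        [Parameter(Mandatory)] [string]   $Fqdn,
        [Parameter(Mandatory)] [object[]] $Registration,  # objects with Spn and Account
        [int] $Port = 5985                                 # 5985 = HTTP, 5986 = HTTPS
    )
    $computerAccount = "$ComputerName`$"
    foreach ($name in $ComputerName, $Fqdn) {
        foreach ($spn in "HTTP/$name", "HTTP/${name}:$Port") {
            # -eq on strings is case-insensitive, which matches how SPNs compare.
            $owners = @($Registration | Where-Object Spn -eq $spn |
                        Select-Object -ExpandProperty Account -Unique)
            if     ($owners.Count -eq 0)             { $status = 'Missing' }
            elseif ($owners.Count -gt 1)             { $status = 'Duplicate' }
            elseif ($owners[0] -eq $computerAccount) { $status = 'ComputerAccount' }
            else                                     { $status = 'OtherAccount' }
            [pscustomobject]@{
                Spn           = $spn
                Owner         = $owners -join ', '
                Status        = $status
                WinRMUsable   = $status -eq 'ComputerAccount'  # ticket WinRM can decrypt
                NeedsPortFlag = $spn -match ':\d+$'            # client must encode the port
            }
        }
    }
}

# Constructed registrations mirroring the situation on the page: the plain HTTP SPNs
# belong to the Reporting Services account, the port-specific ones to the machine.
$registrations = @(
    [pscustomobject]@{ Spn = 'HTTP/rs01';                   Account = 'svc-ssrs' }
    [pscustomobject]@{ Spn = 'HTTP/rs01.corp.example';      Account = 'svc-ssrs' }
    [pscustomobject]@{ Spn = 'HTTP/rs01:5985';              Account = 'RS01$' }
    [pscustomobject]@{ Spn = 'HTTP/rs01.corp.example:5985'; Account = 'RS01$' }
)
Test-WinRMSpn -ComputerName rs01 -Fqdn rs01.corp.example -Registration $registrations |
    Format-Table -AutoSize

# Rows with WinRMUsable = True and NeedsPortFlag = True are reachable only when the
# client encodes the port: New-CimSessionOption -EncodePortInServicePrincipalName for
# CIM sessions, New-PSSessionOption -IncludePortInSPN for Enter-PSSession/New-PSSession.
```

On a live domain, `setspn -Q HTTP/rs01:5985` reports which account holds a given SPN, and a Duplicate row corresponds to the collision that `setspn -S` refuses to create.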