For a CI/CD environment I am building a PowerShell script to create an new Hyper-V VM which is basically a clone of a 'base-vm'. This base-vm is not a member of the domain, it is a Windows workgroup member.
When trying to add the computer to the domain I have the following issue, the script displayed below works when run directly on the target machine which is the Hyper-V host (running under an administrative account) but not when being run from the build server (Jenkins).
The process is as shown in the following scheme:
And the script part which is failing is the following:
Invoke-Command -Session $remoteSession -Scriptblock {
Rename-Computer -NewName $args[0] -Restart
} -ArgumentList $vmSettings.ComputerName
Start-Sleep -s 30
$newVmRemoteSession = New-PSSession -ComputerName $vmSettings.ComputerName -Credential $credentials
Invoke-Command -Session $newVmRemoteSession -Scriptblock {
Add-Computer -Domainname myfunny.domain -Credential $args[0] -Restart
} -ArgumentList $domainAdminCredentials
Remove-PSSession $newVmRemoteSession
Remove-PSSession $remoteSession
Write-Host "Done creating new VM"
The $remoteSession variable contains a remote PowerShell session based on the local administrator crendentials.
The $newVmRemoteSession variable contains an remote session to the renamed virtual machine with the local administrator crendentials.
The error I recieve while running this script via a build-job:
[base-vm] Connecting to remote server base-vm failed with the following error message : WinRM cannot complete the operation. Verify that the specified computer name is valid, that the computer is accessible over the network, and that a firewall exception for the WinRM service is enabled and allows access from this computer. By default, the WinRM firewall exception for public profiles limits access to remote computers within the same local subnet. For more information, see the about_Remote_Troubleshooting Help topic.
The command which throws the exception is:
Invoke-Command -Session $newVmRemoteSession -Scriptblock {
Add-Computer -Domainname myfunny.domain -Credential $args[0] -Restart
} -ArgumentList $domainAdminCredentials`
I have been looking for the solution for this problem, but I cannot find the error. First I thought it had to do with trusted relationships between the build server and the virtual machine but when I used WinRM to add that relationship the build still fails.
I used: winrm s winrm/config/client '@{TrustedHosts="*"}' to add the relationship.
UPDATE: The other thing I did is running the script with the same user as the build server did. This gave me the same error as above. The strange thing is that the user is an local administrator on the server from which the script is being run and is also member of the 'remote management users' group on that server.
UPDATE2: I found out that the issue has to do with Kerberos versus Negotiate authentication. When running a script from a domain joined workstation the script runs under the Kerberos scheme by default and when run from a standalone workstation it runs under the Negotaite scheme, which needs an SPN for what I read from https://msdn.microsoft.com/en-us/library/windows/desktop/aa378748(v=vs.85).aspx.
