Use an IP Address in a Remote Command
In some cases, after enabling PSRemoting, running a remote command against the IP address of a remote host fails with the following error, even though PSRemoting is configured on both the local and remote hosts.
Enter-PSSession -ComputerName 10.0.2.6 -Credential 10.0.2.6\psadmin
ERROR: The WinRM client cannot process the request. If the authentication scheme is different from Kerberos, or if the client computer is not joined to a domain, then HTTPS transport must be used or the destination machine must be added to the TrustedHosts configuration setting.
This happens because the ComputerName parameter of the New-PSSession, Enter-PSSession and Invoke-Command cmdlets accepts an IP address as a valid value, but Kerberos authentication doesn't support IP addresses. When you specify an IP address, NTLM authentication is used.
By default, WinRM enables Kerberos and Negotiate authentication.
PS C:\Windows\system32> Get-ChildItem -Path WSMan:\localhost\Service\Auth\
   WSManConfig: Microsoft.WSMan.Management\WSMan::localhost\Service\Auth

Type            Name                SourceOfValue   Value
----            ----                -------------   -----
System.String   Basic                               false
System.String   Kerberos                            true
System.String   Negotiate                           true
System.String   Certificate                         false
System.String   CredSSP                             false
System.String   CbtHardeningLevel                   Relaxed
To support NTLM authentication, you must meet the following requirements:
- Configure the computer for HTTPS transport or add the IP addresses of the remote computers to the TrustedHosts list on the local computer.
- Use the Credential parameter in all remote commands. This is required even when you connect as the current user.
By default, the TrustedHosts list is empty on every computer, so commands to any remote computer that is not in the domain are not allowed. You can view the list with the command below:
PS C:\> Get-Item WSMan:\\localhost\client\TrustedHosts
   WSManConfig: Microsoft.WSMan.Management\WSMan::localhost\Client

Type            Name                SourceOfValue   Value
----            ----                -------------   -----
System.String   TrustedHosts
Add the remote computer name or IP address to the TrustedHosts list using the Set-Item cmdlet as shown below:
PS C:\> Set-Item WSMan:\\localhost\client\TrustedHosts -Value '10.0.2.6' -Concatenate -Force
PS C:\> Get-Item WSMan:\\localhost\client\TrustedHosts
   WSManConfig: Microsoft.WSMan.Management\WSMan::localhost\Client

Type            Name                SourceOfValue   Value
----            ----                -------------   -----
System.String   TrustedHosts                        10.0.2.6
Note that the -Concatenate parameter is mandatory if you want to add multiple computers; otherwise, every time you run the Set-Item command, it overwrites the old values in the TrustedHosts list. The -Force parameter is optional; it suppresses the confirmation (Yes/No) prompt.
You can also allow remote connections to all computers. This is usually not recommended, as one of the major disadvantages of NTLM authentication is that it is vulnerable to various malicious attacks:
Set-Item WSMan:\\localhost\client\TrustedHosts -Value * -Force
Once done, you can try to connect to the remote host with PSRemoting to verify it works.
PS C:\Windows\system32> Enter-PSSession -ComputerName 10.0.2.6 -Credential 10.0.2.6\admin
[10.0.2.6]: PS C:\Users\admin\Documents> Restart-Computer -Force
[10.0.2.6]: PS C:\Users\admin\Documents>
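The overwrite and wildcard pitfalls described above can be handled in one helper that audits the list and adds a single explicit host. This is an added example, not code from the original article: the function names Test-TrustedHostsValue and Add-TrustedHostEntry are hypothetical, and it assumes an elevated session with the WinRM service running. Rejecting every wildcard entry is a policy choice of this example.

```powershell
# Added example; function names are hypothetical, not part of any Microsoft module.
function Test-TrustedHostsValue {
    # Pure check: returns the entries of a TrustedHosts string that contain a wildcard.
    param([string]$Value)
    if ([string]::IsNullOrWhiteSpace($Value)) { return @() }
    $entries = $Value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    return @($entries | Where-Object { $_ -match '\*' })
}

function Add-TrustedHostEntry {
    # Adds one explicit host to the client TrustedHosts list without overwriting it.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$HostName)

    # Policy assumption of this example: never write a wildcard entry.
    if ($HostName -match '\*') {
        throw "Refusing wildcard entry '$HostName'; list explicit hosts instead."
    }
    $path    = 'WSMan:\localhost\Client\TrustedHosts'
    $current = (Get-Item -Path $path).Value
    $entries = @($current -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })

    # Idempotent: do nothing if the host is already listed.
    if ($entries -contains $HostName) {
        Write-Verbose "$HostName is already in TrustedHosts."
        return
    }
    # Write the merged list explicitly, so existing entries are preserved.
    if ($PSCmdlet.ShouldProcess($path, "Add $HostName")) {
        Set-Item -Path $path -Value (($entries + $HostName) -join ',') -Force
    }
}

# Audit the current list first, then add the host used in this article.
$wild = Test-TrustedHostsValue -Value (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
if ($wild) { Write-Warning "Wildcard TrustedHosts entries present: $($wild -join ', ')" }
Add-TrustedHostEntry -HostName '10.0.2.6' -Verbose
```

Run it with -WhatIf on Add-TrustedHostEntry to preview the change without writing to the WSMan configuration.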