I'm trying to run the following:

```powershell
$secpasswd = 'Test'
$secpasswd = ConvertTo-SecureString $secpasswd -AsPlainText -Force
$mycreds = New-Object System.Management.Automation.PSCredential ('domain2\nick', $secpasswd)

# Query the DNS server (second hop) from the management box (first hop)
[scriptblock]$CheckDNS = {
    Get-DnsServerResourceRecord -Name 'computername' -ZoneName domain2.local -ComputerName domain2dC.domain2.local
}

Invoke-Command -ScriptBlock $CheckDNS -Credential $mycreds -ComputerName domain2managementbox.domain2.local
```

This should be running the Get-DnsServerResourceRecord module on the target machine; however, I'm getting the following error:

```
Failed to get the zone information for domain2.local on server domain2managementbox.domain2.local.
+ CategoryInfo : PermissionDenied: (dgtest.local:root/Microsoft/...rResourceRecord) [Get-DnsServerResourceRecord], CimException
+ FullyQualifiedErrorId : WIN32 5,Get-DnsServerResourceRecord
```

When I run the command on the box itself it works fine and I have the correct permissions.
Thanks
You're attempting to "double hop" with your credentials (from your client machine, to "domain2managementbox.domain2.local" and then again to "domain2dC.domain2.local"). This is not permitted using the default Kerberos authentication.

Run `Enable-WSManCredSSP -Role Client -DelegateComputer domain2managementbox.domain2.local -Force` on your client machine.

Run `Enable-WSManCredSSP -Role Server -Force` on "domain2managementbox.domain2.local"

... and then use `-CredSSP` as an additional authentication parameter for `Invoke-Command`.
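
The steps above as one client-side script, as an added example that is not part of the original answer: it uses `Invoke-Command`'s `-Authentication Credssp` parameter, prompts for the password with `Get-Credential` instead of hardcoding it, and removes the client delegation afterwards. Host and account names are the question's; the `$hopHost`, `$dnsHost` and `$cred` variable names are assumptions.

```powershell
# Added example. Run from an elevated PowerShell prompt on the client machine.
$hopHost = 'domain2managementbox.domain2.local'   # first hop (management box)
$dnsHost = 'domain2dC.domain2.local'              # second hop (DNS server)

# Prompt for the password rather than storing it in the script.
$cred = Get-Credential -UserName 'domain2\nick' -Message 'Account to delegate'

# 1. Client: allow delegating fresh credentials to the management box only.
Enable-WSManCredSSP -Role Client -DelegateComputer $hopHost -Force | Out-Null

# 2. Management box: run this there, elevated, before continuing:
#        Enable-WSManCredSSP -Role Server -Force

try {
    # 3. With CredSSP the management box receives the credentials and can
    #    authenticate onward to the DNS server, so the second hop succeeds.
    Invoke-Command -ComputerName $hopHost -Credential $cred `
        -Authentication Credssp -ScriptBlock {
            Get-DnsServerResourceRecord -Name 'computername' `
                -ZoneName 'domain2.local' -ComputerName $using:dnsHost
        }
}
finally {
    # 4. Remove the client-side delegation again and show the resulting state.
    #    On the management box, the counterpart is:
    #        Disable-WSManCredSSP -Role Server
    Disable-WSManCredSSP -Role Client
    Get-WSManCredSSP
}
```

CredSSP hands the account's credentials to the management box for the session, so keeping `-DelegateComputer` to that single host and disabling the role afterwards limits where they can be reused.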