Posey's Tips & Tricks

PowerShell Trusted Hosts for Mixed Environments

Trusted host lists can help keep PowerShell remoting working in mixed domain and workgroup environments, but only if admins avoid overwriting existing WinRM settings.

When it comes to using PowerShell remoting to manage remote systems, things normally work seamlessly. WinRM allows you to manage a remote system in almost exactly the same way that you would manage a local system. Things break down, however, when you attempt to perform PowerShell remote management in a mixed environment where some machines are domain joined and others are members of a workgroup.

Windows remoting breaks in mixed environments because it depends on Kerberos. In order for Kerberos to work, both machines have to reside either in the same domain or within trusted domains. Additionally, both machines have to trust the same KDC and they have to have registered their identities with it. In an environment in which some machines are domain joined and others are not, these conditions simply are not met, which means that Kerberos-based authentication becomes impossible.

If you find yourself in a situation in which you need to use WinRM in this type of mixed environment, you have three options available. The first option is to join the standalone machine to the domain. Of course, this might not be a "real" option, because the standalone machine is probably standalone for a reason.

The second option is to use WinRM over HTTPS. This means installing a certificate onto the remote machine. This certificate can be used to verify the machine's identity and to encrypt communications between the two machines. You will also need to bind WinRM to HTTPS (Port 5986).

The third option, and the one that I want to focus on in this blog post is to use a trusted host list. As weird as it sounds, a trusted host list is really just that... It's a list of hosts that you want to allow communications with, even though Kerberos authentication is not available. Think of a trusted host list as being a communications white list for remote machines that you trust.

There are any number of potential use cases for trusted host lists. Although I am focusing on communications between domain joined and standalone systems, a trusted host list can also be used to enable communication between two standalone machines. Trusted host lists are also useful if you want to use IP addresses instead of host names or if you want to connect to a system in an untrusted domain.

Before you attempt to create a trusted host list, it is important to check to see if a trusted host list already exists on your system. After all, you don't want to accidentally overwrite an existing list. The command used to view an existing trusted host list is:

(Get-Item WSMan:\localhost\Client\TrustedHosts).Value

If a trusted host list exists, then this command will display all of the entries on that list. If that happens, then you will need to append new entries to the existing trusted host list rather than adding trusted hosts in the usual way (which would cause the existing list to be overwritten).

Creating a brand new trusted host list is a really simple process. All you have to do is to use a command like this one:

Set-Item WSMan:\localhost\Client\TrustedHosts -Value "Server01"

This command creates a brand new trusted host list and adds Server01 to that list. Once again, keep in mind that you cannot use this command if you already have a trusted host list or the existing list will be overwritten.

Often, when you create a trusted host list, you will need to add multiple systems to it. The command for doing so is exactly like the one that I just showed you. The only difference is that you will need to specify multiple host names, separating each one with a comma. Here is an example of such a command:

Set-Item WSMan:\localhost\Client\TrustedHosts -Value "Server01,Server02"

The command shown above brings up a very important point. In this example, the trusted host list identifies hosts by their computer name. If you are going to need to reference a host by its fully qualified domain name, then you will need to add that as well. If, for example, I were to try to connect to Server01.poseylab.com, that connection would fail, even if Server01 is on the trusted host list. The solution would be to use a command like this one:

Set-Item WSMan:\localhost\Client\TrustedHosts -Value "Server01,Server01.poseylab.com,Server02,Server02.poseylab.com"

The last thing that I want to show you is how to append a new entry to an existing trusted host list. Let's suppose for example, that I created a trusted host list containing Server01 and Server02 and now I want to add Server03 to the existing list. The commands for doing so would be:

$Current = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
Set-Item WSMan:\localhost\Client\TrustedHosts -Value "$Current,Server03"

These commands collectively add Server03 to the list without overwriting the existing entries in the process.
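The check, create and append steps above can be folded into one helper that is safe to run repeatedly. The function below is an added example, not code from the original post: it reads the current TrustedHosts value, splits it into individual entries, appends only the names that are not already present, and avoids the stray leading comma that "$Current,Server03" would produce when the list starts out empty. The function name Add-TrustedHost and the host names Server03 and Server03.poseylab.com are placeholders chosen for this illustration; run it from an elevated PowerShell session.

```powershell
# Added example (not from the original post). Appends hosts to the WinRM TrustedHosts
# list without overwriting existing entries. Requires an elevated session.
function Add-TrustedHost {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [string[]]$HostName   # short names, FQDNs or IP addresses to trust
    )

    $path = 'WSMan:\localhost\Client\TrustedHosts'

    # The stored value is one comma-separated string; turn it into a clean array
    # (empty list -> empty array, so we never emit a leading comma later).
    $current = (Get-Item $path).Value
    $entries = @()
    if (-not [string]::IsNullOrWhiteSpace($current)) {
        $entries = @($current -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }

    # A '*' entry already trusts every host; flag it rather than silently extending it.
    if ($entries -contains '*') {
        Write-Warning "TrustedHosts already contains '*', which trusts every host. Nothing added."
        return $entries
    }

    # Only add names that are not already on the list (-notcontains is case-insensitive).
    $toAdd = @($HostName | ForEach-Object { $_.Trim() } | Where-Object { $entries -notcontains $_ })
    if ($toAdd.Count -eq 0) {
        Write-Verbose "All requested hosts are already trusted: $($entries -join ', ')"
        return $entries
    }

    $newList = ($entries + $toAdd) -join ','

    if ($PSCmdlet.ShouldProcess($path, "Set TrustedHosts to '$newList'")) {
        # -Force suppresses the WSMan provider's confirmation prompt.
        Set-Item $path -Value $newList -Force
    }

    return @($newList -split ',')
}

# Usage: add a short name and its FQDN so both forms work with Enter-PSSession,
# then display the resulting list.
Add-TrustedHost -HostName 'Server03', 'Server03.poseylab.com' -Verbose
(Get-Item WSMan:\localhost\Client\TrustedHosts).Value
```

The WSMan provider also offers a -Concatenate switch on Set-Item for this path (Set-Item WSMan:\localhost\Client\TrustedHosts -Value "Server03" -Concatenate), which appends without the read-modify-write shown here; the helper above is still useful because it skips duplicates and warns when the list already contains the wildcard. Keep in mind what a TrustedHosts entry means from a security standpoint: the client will authenticate to any machine that answers at a listed name or address without Kerberos verifying that machine's identity, so keep the list to specific hosts and avoid the "*" wildcard.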

About the Author

Brien Posey is a 22-time Microsoft MVP with decades of IT experience. As a freelance writer, Posey has written thousands of articles and contributed to several dozen books on a wide variety of IT topics. Prior to going freelance, Posey was a CIO for a national chain of hospitals and health care facilities. He has also served as a network administrator for some of the country's largest insurance companies and for the Department of Defense at Fort Knox. In addition to his continued work in IT, Posey has spent the last several years actively training as a commercial scientist-astronaut candidate in preparation to fly on a mission to study polar mesospheric clouds from space. You can follow his spaceflight training on his Web site.
