I've encountered an issue while setting up an Enterprise CA w/NDES on a Windows 2012 DC (all roles deployed on a single system).
- Before configuring NDES, I've run "Enable-PSRemoting" on an Admin PS (logged as DC Admin), and I've answered Y to all the questions.
Then I've followed the instructions published at the following address to configure the NDES Account Service: http://technet.microsoft.com/en-us/library/hh831498.asp
More specifically, after executing the following step:
setspn -s http/CA1.cpandl.com cpandl\NdesService
I noticed that launching the following (firewall OFF & NLA Domain Profile):
enter-pssession localhost
I received the following error:
Enter-PSSession : Connecting to remote server localhost failed with the following message : WinRM cannot process the request. The following error with errorcode 0x80090322 occurred while using Negotiate authentication: An unknown security error occurred.
BUT, if I remove the NdesService SPN...
setspn -D http/CA1.cpandl.com cpandl\NdesService
PS Remoting works again.
Further testing reveals that when I manually run:
setspn -s http/CA1.cpandl.com cpandl\NdesService
setspn -s WSMAN/CA1.cpandl.com CA1
setspn -s WSMAN/CA1 CA1
then
enter-pssession localhost
successfully logs me in.
- Unfortunately, after a CA1 Reboot (even if the WSMAN SPNs are present - confirmed by launching "setspn -l CA1"), PS Remoting doesn't work.
Anyone able to shed some light re the following (unwanted) behaviour?
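
The post ties the failure to which account holds the http/ SPN for the host. As an added example that is not part of the original post, this PowerShell lists the accounts holding the HTTP/ and WSMAN/ SPNs for a host and marks entries held by anything other than the machine account. It assumes the ActiveDirectory module is available; the function names are hypothetical.

```powershell
# Added diagnostic example; not part of the original post.
# Assumption: the ActiveDirectory module (RSAT AD PowerShell) is installed.
Import-Module ActiveDirectory

# Hypothetical helper: return every AD object that has this exact SPN registered.
function Get-SpnOwner {
    param([Parameter(Mandatory)][string]$Spn)
    # LDAP matching on servicePrincipalName is case-insensitive.
    Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties sAMAccountName
}

# Hypothetical helper: report ownership of the HTTP/ and WSMAN/ SPNs for one host.
function Get-WinRmSpnReport {
    param(
        [string]$ShortName = $env:COMPUTERNAME,                          # e.g. CA1
        [string]$Fqdn = ([System.Net.Dns]::GetHostEntry('').HostName)    # e.g. CA1.cpandl.com
    )
    $machine = "$ShortName`$"   # sAMAccountName of the computer account
    foreach ($class in 'HTTP', 'WSMAN') {
        foreach ($name in $ShortName, $Fqdn) {
            $spn = "$class/$name"
            $owners = @(Get-SpnOwner -Spn $spn)
            if ($owners.Count -eq 0) {
                [pscustomobject]@{ Spn = $spn; Owner = '(no explicit entry)'; Note = '' }
                continue
            }
            foreach ($o in $owners) {
                $note = if ($owners.Count -gt 1) { 'duplicate registration' }
                        elseif ($o.sAMAccountName -ne $machine) { 'held by a non-machine account' }
                        else { 'held by the machine account' }
                [pscustomobject]@{ Spn = $spn; Owner = $o.sAMAccountName; Note = $note }
            }
        }
    }
}

Get-WinRmSpnReport | Format-Table -AutoSize
```

Running it before and after the setspn steps, and again after a reboot, shows whether the SPN ownership differs between the working and failing states.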