远程 Powershell 脚本和 Jenkins 不工作

Question

我在使用 Jenkins 运行远程脚本时遇到问题。我已经安装了 PowerShell 插件并且可以在本地构建服务器上运行 PowerShell 脚本，但是当我尝试在远程服务器上运行它时，它总是失败。我可以在 Jenkins 之外本地和远程运行相同的脚本，而且效果很好。我的假设是我缺少一个安全设置，但对于我的生活，我找不到它。

任何见解/帮助将不胜感激。

以下代码在服务器上使用 PowerShell 运行，但不通过 Jenkins：

$ErrorActionPreference = 'Stop'

# Create a PSCredential Object using the "User" and "Password" parameters 
that you passed to the job
$SecurePassword = 'xxxxxxx' | ConvertTo-SecureString -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential -ArgumentList 'ci-user', $SecurePassword

# Invoke a command on the remote machine.
# It depends on the type of job you are executing on the remote machine as 
to if you want to use "-ErrorAction Stop" on your Invoke-Command.
Invoke-Command -ComputerName xxx.xx.xx.xxx -Credential $cred -ScriptBlock {
    # Restart the W32Time service
    Restart-Service -Name W32Time
}

下面的错误是我在 Jenkins 中运行它时得到的。当我在 Jenkins 之外运行它并工作时，我使用相同的用户名和密码：

Connecting to remote server xxx.xx.xx.xxx failed with the 
following error message : WinRM cannot process the request. The following 
error with errorcode 0x8009030d occurred while using Negotiate authentication: 
A specified logon session does not exist. It may already have been terminated. 

 Possible causes are:
  -The user name or password specified are invalid.
  -Kerberos is used when no authentication method and no user name are 
specified.
  -Kerberos accepts domain user names, but not local user names.
  -The Service Principal Name (SPN) for the remote computer name and port does 
not exist.
  -The client and remote computers are in different domains and there is no 
trust between the two domains.
 After checking for the above issues, try the following:
  -Check the Event Viewer for events related to authentication.
  -Change the authentication method; add the destination computer to the WinRM 
TrustedHosts configuration setting or use HTTPS transport.
 Note that computers in the TrustedHosts list might not be authenticated.
   -For more information about WinRM configuration, run the following command: 
winrm help config. For more information, see the about_Remote_Troubleshooting 
Help topic.
At C:\Windows\TEMP\jenkins3589460126620702793.ps1:12 char:1
+ Invoke-Command -ComputerName xxx.xx.xx.xxx -Credential $cred -ScriptBlock {
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OpenError: (xxx.xx.xx.xxx:String) [], PSRemoting 
   TransportException
    + FullyQualifiedErrorId : 1312,PSSessionStateBroken

Answer 1

这可能是由几个不同的问题引起的：

1. 您的远程机器和连接机器是否在同一个域中？如果不是，请验证您的 ci 用户的域并重试。

   $cred = 新对象 System.Management.Automation.PSCredential -ArgumentList 'connectingserver/ci-user', $SecurePassword

2. 您的远程服务器上是否启用了 WinRM，WinRM 服务是否正在运行，您是否设置为允许适当的远程处理？请按照以下步骤进行验证：https://technet.microsoft.com/en-us/library/ff700227.aspx?f=255&MSPPError=-2147217396

3. 远程和连接服务器设置是否使用相同的身份验证方法？您将需要使用 Kerberos 或 CredSSP。仅当您尝试解决 Double-Hop issue 时，我才会考虑 CredSSP。

Answer 2

我发现了我的方法的错误，但希望这个答案能帮助遇到它的其他人。

问题是我使用的用户是本地用户，需要将其视为工作组用户。因此，我需要将它作为 \ci-user 传递，而不是 ci-user。一旦我这样做了，它就像一个魅力。

感谢您的所有意见。