10 小时后长时间运行的 Exchange PowerShell 脚本中出现 Kerberos 错误

Question

我实现了一个 powershell 脚本，它将 Exchange 设置分配给我们的用户邮箱 (Exchange 2016)。由于我们有很多邮箱并且分配设置很慢，脚本会运行超过 15 个小时。但是大约 10 小时后，我收到以下错误：

Processing data for a remote command failed with the following error message: Error occurred during the Kerberos response. 
[Server=XXXXX, TimeStamp = 74/2018 01:25:49]
For more information, see the about_Remote_Troubleshooting Help topic.
At C:\Users\ACCOUNT\AppData\Local\Temp\tmp_cj3akhk4.osq\tmp_cj3akhk4.osq.psm1:77943 char:9
+         $steppablePipeline.End()
+         ~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : OperationStopped: (XXXX:String) [], PSRemotingTransportException
+ FullyQualifiedErrorId : JobFailure
+ PSComputerName        : XXXX

我的脚本退出操作，并在两次重试（失败）后显示身份验证提示。在那里我可以输入服务帐户的密码，然后脚本继续。但是，仅当我在 PS 命令提示符下运行脚本时，此对话框才可见。如果脚本作为 Windows 任务启动，它只会挂起并且不会继续。

使用以下代码打开并导入与 Exchange 的连接。该代码可以根据传递的参数连接到我们的本地 Exchange 或 Exchange Online。该问题目前仅在连接到我们的本地（本地）Exchange 基础架构时才会发生。

Function Connect-Exchange{
PARAM(
    [parameter(Mandatory=$false)]
    [String]$TargetExchange = 'Local'
)
BEGIN{}
PROCESS{
    if ($ExchangeSessionInfo.Session -and $ExchangeSessionInfo.Type -eq $TargetExchange -and $ExchangeSessionInfo.Session.State -eq 'Opened'){
        # Nothing to do, we are already connected.
        Write-Log "Exchange connection type $($TargetExchange) already established, nothing to do."
    } else {
        if ($ExchangeSessionInfo.Session -and $ExchangeSessionInfo.Type -ne $TargetExchange -and $ExchangeSessionInfo.Session.State -eq 'Opened'){
            # We have a open session with the wrong type. We close it.
            Remove-PSSession $ExchangeSessionInfo.Session
            $ExchangeSessionInfo.Session = $null
            $ExchangeSessionInfo.Status = 'undefined'
            $ExchangeSessionInfo.Type = ''
        }
        # We close all other existing Exchange sessions we created.
        get-pssession -Name "Exchange" -ErrorAction SilentlyContinue | remove-pssession

        # Now connect to the requestes Exchange infrastructure and import session.
        $Connected = $False
        $RetryCount = 5
        do{
            try {
                If ($TargetExchange -eq 'Local'){
                    $ExchangeServer = Get-Random -InputObject $LocalExchangeConfig.ExchangeServers
                    $ExchangeSessionInfo.Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "http://$($ExchangeServer)/PowerShell/" -Credential $EOCredentials -Authentication Kerberos -Name "Exchange"
                } else {
                    $ExchangeSessionInfo.Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri 'https://ps.protection.outlook.com/powershell-liveid/' -Credential $EOCredentials -Authentication Basic -AllowRedirection -Name "Exchange"
                }
                $Res = Import-PSSession $ExchangeSessionInfo.Session -WarningAction SilentlyContinue -AllowClobber

                # Store Exchange status in session variable.
                $Connected = $True
                $ExchangeSessionInfo.Status = 'connected'
                $ExchangeSessionInfo.Type = $TargetExchange 
            } catch {
                $err = Write-Error -err $error -msg "Could not connect to Exchange server type '$($TargetExchange)' (Retries left: $($RetryCount))." -Break $false
                get-pssession -Name "Exchange" -ErrorAction SilentlyContinue | remove-pssession
                $RetryCount -= 1
            }
        } while (!$Connected -and ($RetryCount -gt 0))          

        # If we do not have connection here, this is an error. 
        if (!$Connected) {
            $ExchangeSessionInfo.Session = $null
            $ExchangeSessionInfo.Status = 'undefined'
            $ExchangeSessionInfo.Type = ''
            throw "No connection to Exchange server (type: $($TargetExchange)) could be established."
        } else {
            # Get list of available mailbox DBs including mailbox count and create hashtable to store statistics. We only have to get it the first time.
            if (($MailboxDBList.count -eq 0) -and ($TargetExchange -eq 'Local')){
                Write-Log "Getting current Exchange DB configuration and mailbox count. Takes a moment."
                $MailboxDBList = Get-MailboxDBCount -Type $LocalExchangeConfig.DistributeMailboxes
            }
        }           
    }
}
END{
    return $ExchangeSessionInfo
}
}

以下代码正在应用一组预定义的 Exchange 设置：

...                 
$TryCount = 0
$Done = $false
do{
    # It takes a while after enabling mailbox until settings can be applied. So we need to retry.
    try{
        # If we need to execute a setting several times.
        if ($MailboxSetting.LoopOver){
            # We have a loop value (array).
            foreach ($LoopValue in $MailboxSetting.LoopOver){
                # Copy parameter as we have to change a value (loop value).
                $TempParams = $Params.PsObject.Copy()                               
                @($Params.getenumerator()) |? {$_.Value -match '#LOOPVALUE#'} |% {$TempParams[$_.Key]=$LoopValue} 
                $res = & $MailboxSetting.Command -ErrorAction Stop @TempParams -WhatIf:$RunConfig.TestMode
            }
        } else {
# THE PROBLEM HAPPENS HERE
            $res = & $MailboxSetting.Command -ErrorAction Stop @Params -WhatIf:$RunConfig.TestMode
        }
        # Write-Log "Setting command $($MailboxSetting.Command) executed successfully"
        $Done = $true
    } catch{
        $tryCount++
        $res = Write-Error -err $error -msg "Error applying mailbox settings, account: $($AccountDetails.sAMAccountName), retry count: $($TryCount)" -Break $false
        Start-Sleep -s $(($Retires-$TryCount) * 5)
    } 
} while ((!$done) -and ($tryCount -lt $Retires))
...

我确定该错误与代码无关，因为脚本运行数小时没有问题并应用所有设置。然而，大约 10 小时后，Kerberos 票证似乎过期了，然后脚本在没有重新登录的情况下无法再访问 Exchange。

有没有办法防止 Kerberos 票证过期或续订？

任何帮助将不胜感激。

Answer 1

我认为您正在使用域安全策略（组策略对象 - GPO）=> security settings/account policy/Kerberos policy 限制。

您的两个有效选项是：

Maximum lifetime for user ticket => 默认值为 10 小时

Maximum lifetime for user ticket renewal => 默认值为 7 天（这是可以续订票证的期限）。

• 有没有办法防止 Kerberos 票证过期或续订？

对于第一个问题，您“只需”将maximum lifetime for user ticket 设置调整为您认为合适的值。

第二个更棘手。我将通过 powershell 清除所有 kerberos 票证。更多信息 - viewing and purging cached kerberos tickets 会给你一个新的。

如果可以续订票证，您必须查看RENEABLE flag - 您可以通过kinit 查看它。也许kinit -R 就足以续订票了。 （我自己没有这样做）你也可以通过kerberos for windows更新它

编辑 -- 添加klist purge 以清除所有 Kerberos 票证以便续订。

因为您有 klist，那么您可以通过必须在提升的 powershell 提示符下运行来清除所有票证 （所有归功于JaredPoeppelman）：

Get-WmiObject Win32_LogonSession | Where-Object {$_.AuthenticationPackage -ne 'NTLM'} | ForEach-Object {klist.exe purge -li ([Convert]::ToString($_.LogonId, 16))}  

然后检查您的TGT 是否通过以下方式更新：

klist tgt

注意：您必须在任何地方使用 FQDN 名称！

Answer 2

感谢您的建议。在第一次尝试中，我将按如下方式扩展我的代码并尝试重新建立一个新的 Exchange 连接。需要 10 小时运行脚本才能查看它是否有效。

我无法影响域安全策略，另外由于我不知道脚本运行多长时间，因此很难设置值。

在我的 Windows 2016 上，无法识别命令“kinit”。可能我需要安装额外的模块/角色。

...                 
$TryCount = 0
$Done = $false
do{
    # It takes a while after enabling mailbox until settings can be applied. So we need to retry.
    try{
        # If we need to execute a setting several times.
        if ($MailboxSetting.LoopOver){
            # We have a loop value (array).
            foreach ($LoopValue in $MailboxSetting.LoopOver){
                # Copy parameter as we have to change a value (loop value).
                $TempParams = $Params.PsObject.Copy()                               
                @($Params.getenumerator()) |? {$_.Value -match '#LOOPVALUE#'} |% {$TempParams[$_.Key]=$LoopValue} 
                $res = & $MailboxSetting.Command -ErrorAction Stop @TempParams -WhatIf:$RunConfig.TestMode
            }
        } else {
            $res = & $MailboxSetting.Command -ErrorAction Stop @Params -WhatIf:$RunConfig.TestMode
        }
        # Write-Log "Setting command $($MailboxSetting.Command) executed successfully"
        $Done = $true
    } catch{
        $tryCount++
        $res = Write-Error -err $error -msg "Error applying mailbox settings, account: $($AccountDetails.sAMAccountName), retry count: $($TryCount)" -Break $false
        Start-Sleep -s $(($Retires-$TryCount) * 5)

        try{
            # We may have lost the Kerberos ticket, reconnect to Exchange.
            $ConnectionType = $ExchangeSessionInfo.Type
            Disconnect-Exchange
            Connect-Exchange -TargetExchange $ConnectionType
        } catch {}          
    } 
} while ((!$done) -and ($tryCount -lt $Retires))
...