Winrm Cannot Process the Request Powershell Error Code 0x8009030e

What is this?

This knowledgebase contains questions and answers about PRTG Network Monitor and network monitoring in general. You are invited to get involved by asking and answering questions!

Learn more

Intuitive to Use. Easy to manage.
300.000 administrators have chosen PRTG to monitor their network. Find out how you can reduce cost, increase QoS and ease planning, as well.

Free Download

I get the error "WinRM cannot process the request" when I try to use a PowerShell sensor

Whenever I try to use a PowerShell sensor with a server or computer that is not joined to the domain, I get the message

Connecting to remote server failed with the following error message : WinRM cannot process the request. The following error occured while using Kerberos authentication: There are currently no logon servers available to service the logon request.

Why is this?

kerberos off-domain powershell prtg windows-update-status winrm

16 Replies

Accepted Answer

This article applies to PRTG Network Monitor 19 or later

"No logon servers available" when using PowerShell sensors

With a computer that is not joined to the domain, you cannot start a remote PowerShell session using Kerberos Authentication. This is the authentication type for the PowerShell sensors that are used in PRTG.

The main reason why we set this up with Kerberos is that other forms of authentication are not as secure. By enabling these sensors to work with other forms of Remote PowerShell session authentication, the respective servers would be open to other computers outside the domain initiating similar sessions.

"Unknown security error" with PowerShell sensors

If WinRM cannot process the request and you get an Unknown security error, see My PowerShell sensor returns an error message. What can I do?.

Hi Paessler Team,

In the following scenario:

Net-A<---->INTERNET<---->Net-B

Where Net-A is in Domain-A and Net-B is in Domain-B. If in Net-A I have the PRTG Main Server and in Net-B a PRTG Remote Probe.

1.- Would be possible to execute a powershell script that connects from Net-A to a remote Windows server in Net-B and executes a script located in this remote machine? Or the forced Kerberos authentication will fail (because of different domains)? This is assuming every machine is in their own domain (A or B).

2.- The Kerberos authentication you force in powershell applies both your included sensors and custom Powershell sensors?

Thanks.

Sorry, it will be necessary to execute the Remote Powershell scripts on the machine with the Remote Probe in Net-B, if you want to target machines in the domain of Net-B.

Hi, I will join the 2-nd jf_hernandez`s question. Are there any other solutions (without Kerberos authentication) to collect Windows Update statistics from computer that is not joined to the domain? May be I should use custom Powershell sensor with using invoke-command and pass explicit credentials, such as in this example: https://kb.paessler.com/en/topic/63936-custom-sensor:-get-process-with-powershell ? But I cant find complete script to collect Windows Update statistics in PRTG. Pls help me

Well, for starters, the updates are read like this: $updatescope = New-Object Microsoft.UpdateServices.Administration.UpdateScope

In order to execute a command via Invoke-Script, something like this would work:

Param( [string]$ComputerName = "",  [string]$UserName = "", [string]$Password = "" )  # We need a credential object  ####################################### function createCredentials(){ 	if((($env:COMPUTERNAME) -ne $ComputerName)){ 		# Generate Credentials Object first  		$SecPasswd  = ConvertTo-SecureString $Password -AsPlainText -Force 		$Credentials= New-Object System.Management.Automation.PSCredential ($Username, $secpasswd) 		return $Credentials 	} 	else{ return "false" } }  function getUpdates(){     $Credentials = (CreateCredentials);     # Generate CIMSession     $RemoteSession = New-PSSession -ComputerName $HostName -Credential $Credentials -Name "PRTG Scheduled Task Remote Session"     $UpdateScope = (Invoke-Command -Session $RemoteSession -ScriptBlock { New-Object Microsoft.UpdateServices.Administration.UpdateScope })  <# the output has to go here #>  	if (!($RemoteSession)){ 		Write-Host 1":Error creating remote session."; 		Remove-PSSession($RemoteSession); 		exit 1; 	}  	Remove-PSSession($RemoteSession) 	exit 0 }  # Action! getUpdates;              

Since I'm not quite sure how you need the output, have a look at this "Hey, Scripting Guy!" article, it explains how to retrieve the various updates accordingly.

Answer from PRTG does not make any sense. Why kerberos is required? Why not rely on NTLM which is the same protocol which is used for remote management via WMI and is allowed by PRTG. Please remove this ridiculous and unnecessary limitation.

Dear artisticcheese

We use Kerberos because it is more secure and faster. Powershell code poses a much greater security risk than a WMI read-out.

Why you don´t use (as second or fallback option) connectivity with TrustedHosts set on Remote side. Or simply try to use this when Kerberos isn´t working. It is similar to using WMI or Performace monitor.

We are aware of certain cases when the sensors using Remote Powershell run into issues, but the current solution covers most of the real-world cases. If we see the potential to help many PRTG users with an alternative to Kerberos, we will have another look.

Go to IIS Manager on your Exchange server and make sure you do not Kerbauth.dll register on the default Web Site. if it is, just delete it and register it to the power shell section under module. if you have question email me at [email protected]

This doesn't make sense at all... I want to use a sensor to monitor windows updates on my 3 Hyper-V hosts, running 2008 R2. They're all on the same LAN, behind VPN.

This is ridiculous, so this means it can't be done? You've got to be kidding me.

Are those servers part of the same domain as your PRTG server?

So then, how can i monitor Windows Update statuses for servers that aren't connected to a domain? There surely must be a way. We have many, many servers (over 50) that can't and won't be domain connected and that I need to monitor for Windows updates. Please let me know!

Hi there,

We're currently looking into checking hosts not part of the domain, i.e. lack kerberos authenticaion. Please bear with us on this one, it may take a bit due to technical complexity of the topic.

---

Kind regards,
Stephan Linke, Paessler Tech Support

Hi,

Have you managed to make any progress with checking hosts outside of the domain?

Kind regards,

Andrew

Unfortunately, this can't be done - please use remote probes when checking hosts outside for the domain.

Disclaimer: The information in the Paessler Knowledge Base comes without warranty of any kind. Use at your own risk. Before applying any instructions please exercise proper system administrator housekeeping. You must make sure that a proper backup of all your data is available.

Winrm Cannot Process the Request Powershell Error Code 0x8009030e

Source: https://kb.paessler.com/en/topic/59745-i-get-the-error-winrm-cannot-process-the-request-when-i-try-to-use-a-powershell-sensor

Share this post