HTTP 403 error – PowerShell Remoting, Different Domains and Proxies

On my day to day work I use Nagios monitoring software. I want to add some custom SQL Server scripts to enrich the monitoring, and to accomplish this I will need to:

  • Find a folder
  • Create a sub folder
  • Copy bunch of file
  • edit a ini file to verify/add new entries

all of this for every single host on my entire estate. Obviously (for me 🙂 ) I decided to use PowerShell!

Hold your horses!

Yes, calm down. I’m working on a client where the network it’s anything but simple. As far as I know they have 10 domains and few of them have trust configured, but even those that have, is not in both ways… so I didn’t expect an easy journey to get the task done.

Side note: For those thinking how I can live without PowerShell, I can’t! But,  the majority of my time using PowerShell is with SQL Server, mainly using SMO (with the help of dbatools), which means I haven’t struggle that much until now.

“…WinRM client received an HTTP status code of 403…”

Ok, here we go!

PowerShell Remoting and different domains…

….needs different credentials. This is a requirement when using ip address.
If we try to run the following code:

$DestinationComputer = '10.10.10.1'
Invoke-Command -ScriptBlock { Get-Service *sql* } -ComputerName $DestinationComputer

we will get the following error message:

Default authentication may be used with an IP address under the following conditions: the transport is HTTPS or the destination is in the TrustedHosts list, and explicit credentials are provided.

First, I add the destination computer to my TrustedHosts. We can do this in two ways:

Using Set-Item PowerShell cmdlet

Set-Item WSMan:\localhost\Client\TrustedHosts "10.10.10.1"

Or using winrm executable:

winrm s winrm/config/client '@{TrustedHosts="10.10.10.1"}'

Note: You can use “*” (asterisk) to say all remote hosts are trusted. Or just a segment of IPs like “10.10.10.*”.

But, there is another requirement like the error message says “…and explicit credentials are provided.”. This means that we need to add, and in this case I really want to use, a different credential so I have modified the script to:

$DestinationComputer = '10.10.10.1'
Invoke-Command -ScriptBlock { Get-Service *sql* } -ComputerName $DestinationComputer -Credential domain2\user1

Now I get prompted for the user password and I can… get a different error message (*sigh*):

[10.10.10.1] Connecting to remote server 10.10.10.1 failed with the following error message : The WinRM client received an HTTP status code of 403 from the remote WS-Management service. For more information, see the

about_Remote_Troubleshooting Help topic.

+ CategoryInfo : OpenError: (10.10.10.1:String) [], PSRemotingTransportException

+ FullyQualifiedErrorId : -2144108273,PSSessionStateBroken

This one was new for me so I jumped to google and started searching for this error message. Unfortunately all the references I found are to solve an IIS problem with SSL checkbox on the website like this example.

Clearly this is not the problem I was having.

Proxies

I jumped into PowerShell slack (you can ask for an invite here and join more than 3 thousand professionals) and ask for help on #powershell-help channel.
In the meantime, I continued my search and found something to do with proxies in the The dreaded 403 PowerShell Remoting blog post.
This actually could help, but I don’t want to remove the existing proxies from the remote machine. I had to find another way to do it.

Returning to Slack, Josh Duffney (b | t) and Daniel Silva (b | t) quickly prompted to help me and when I mentioned the blog post on proxies, Daniel has shown to me the PowerTip PowerShell Remoting and HTTP 403 Error that I haven’t found before (don’t ask me why…well, I have an idea, I copy & paste the whole error message that’s why).

ProxyAccessType

The answer, for my scenario, is the ProxyAccessType parameter. As it says on the help page, this option “defines the access type for the proxy connection”. There are 5 different options AutoDetect, IEConfig, None, NoProxyServer and WinHttpConfig.

I need to use NoProxyServer to “do not use a proxy server – resolves all host names locally”. Here is the full code:

$DestinationComputer = '10.10.10.1'
$option = New-PSSessionOption -ProxyAccessType NoProxyServer
Invoke-Command -ScriptBlock { Get-Service *sql* } -ComputerName $DestinationComputer -Credential domain2\user1 -SessionOption $option

This will:

  • create a new PowerShell Session option (line 2) with New-PSSessionOption cmdlet saying that -ProxyAccessType is NoProxyServer.
  • Then, just use the $option as the value of -SessionOption parameter on the Invoke-Command.

This did the trick! Finally I was able to run code on the remote host.

Thanks for reading.

Offline Microsoft Documentation? Download it!

On my last article I shared how we can now Contribute to Microsoft Documentation. Today I bring another quick tip on Microsoft Documentation!

Download Microsoft Documentation

Did you know that we can download PDF files with Microsoft Documentation?

I did not know until my colleague called my attention to it few days ago.

Important note: This tip is not (yet?) available for all Microsoft’s product suite. You should confirm if this tip applies to the product you need.

“Which documentation?”

The one we can find at docs.microsoft.com.

Here is why this can be useful

Nowadays, some of us have access to the internet almost 100% of the time, this help us forget that this may fail. You probably have gone through this, losing the internet access right when you needed to check a document. You know, it can happen.

If it happens, you get stuck because you can’t access a small (or not) piece of text that you could have backed up before but you didn’t, right?

Were you using the online documentation to understand what a specific field that belongs to an System Dynamic Management View (DMV) means? Or, which parameter you need to use to execute a specific system stored procedure?

If you get the pdf, you can continue working offline. Going on a flight? Will you be in a place where you don’t have internet access at all?

I think you get the point.

“I will give it a try, show me how”

The link is located on the bottom left of the page.

DownloadLink

This download will not download just the current page. By using the “Download PDF” link you will get all the content that is present on the tree-view under the “filter” box on the left of the page.

treeview

Script to download all existing PDF files

From my search exists at least 98 pdf documents (~66mb) exist just for the Relational Databases topic. Download them all is not the kind of work I would like to do manually.

PowerShell for the rescue

I wrote a PowerShell script that make thing a little bit easier.

With this script, you can download all files for a specific topic. You can find and download the script Get-MSDocs from my GitHub repository, just change the variables and run it.

Let’s see an example

You search for ‘sys.dm_exec_sessions’ DMV and you find the corresponding page from Microsoft documentation -> sys.dm_exec_sessions

The image below shows where you find the topic (highlighted in yellow) that you need to setup on the $topic variable on the script.

mainTopic

By setting the variable $topic = "relational-databases" this script will download all PDF files for that main topic. I have accomplished that by understanding the sql-docs GitHub repository nomenclature.

Each folder in there is the name of one PDF file plus, the current folder ‘Relational-Database’ in this scenario.

Next, choose the destination by setting it on the $outputFolder variable.

As an example for the SQL docs, you have to choose a folder from the Docs root at GitHub repository.

If you find any difficulty working with it let me know by writing a comment to this blog post.

Let’s say you want to do the same but for Azure – you need to change the URLs too. The script is currently pointing to ‘SQL.sql-content’ and for Azure is ‘Azure.azure-documents’. The way I know this is by clicking on download PDF on one of the pages and read the URL from the PDF.

Wrap up:

I have shown how you can download a copy of the documentation manually but also how to get all existing files for a specific topic.

Also, I explained that this is not available for every Microsoft product. For example, PowerShell docs don’t have the link to download PDF file on the docs.microsoft.com site.

Maybe in the future this will become the standard for every Microsoft’s product documentation.

 

Thanks for reading

Contribute to Microsoft Documentation

Times have changed and Microsoft has changed the way we can contribute for documentation!

We already have access to the source code from some programs. One example is PowerShell, that has an GitHub repository where anyone can contribute!

Now anyone can contribute to the documentation too!

How and where?

If you haven’t seen before, now we have a pencil icon on the top right corner that makes possible to suggest a change.

feature_image

 

When clicking on that pencil we will be redirected, in this case, to the MicrosoftDocs – sql-docs repository on GitHub.

There, we need to fork the repository, make the changes and submit our suggestion by doing a pull request (PR). After that we just need to wait for some feedback from the Microsoft team that will review what we have submitted.

Start contributing

In the past, if you saw any errors on Microsoft documentation you could not help easily. But now we don’t have more excuses! If we want to contribute the process is much easier.

Have you overcome a not so common problem and have precious information to add to the documentation? Do you want to add another code example? Or have you “just” found a typo?

Just go ahead and submit a PR.

I will be speaking at PowerShell Conference Asia 2017

Which better way could I have to launch my blog if not with great news ?!

I am so happy and excited to announce that I will be speaking at PowerShell Conference Asia in Singapore!

On 28th of October I will be presenting two sessions with the following titles:

  • Next step to your script…turn it into an Advanced Function
  • SQLServer Reporting Services administration new best friend – PowerShell

Also, on 26th there will be 2 precon:

If you want to know more about the conference you can follow @psconfasia on Twitter, go to the psconf.asia website, and join the Slack team at psconfasia.slack.

Looking forward to meet you in Singapore!