"logon session does not exist" when cmdlet wrapped in do-nothing Invoke-Command

While logged into HOST1, my user can successfully run this PowerShell command to move a running VM from HOST1 to HOST2:

Move-VM -Name DC02 -DestinationHost HOST2 -IncludeStorage -DestinationStoragePath "V:\Virtual Machines\DC02"

However, this command (which does the same thing because HOST1 is localhost) fails:

Invoke-Command {
  Move-VM -Name DC02 -DestinationHost HOST2 -IncludeStorage -DestinationStoragePath "V:\Virtual Machines\DC02"
} -ComputerName HOST1

The error is:

Move-VM : The operation on computer 'HOST2' failed: WinRM cannot process the request. The following error with
errorcode 0x8009030e occurred while using Kerberos authentication: A specified logon session does not exist. It may
already have been terminated.
 Possible causes are:
  -The user name or password specified are invalid.
  -Kerberos is used when no authentication method and no user name are specified.
  -Kerberos accepts domain user names, but not local user names.
  -The Service Principal Name (SPN) for the remote computer name and port does not exist.
  -The client and remote computers are in different domains and there is no trust between the two domains.
 After checking for the above issues, try the following:
  -Check the Event Viewer for events related to authentication.
  -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or
use HTTPS transport.
 Note that computers in the TrustedHosts list might not be authenticated.
   -For more information about WinRM configuration, run the following command: winrm help config.
    + CategoryInfo          : NotSpecified: (:) [Move-VM], VirtualizationException
    + FullyQualifiedErrorId : Unspecified,Microsoft.HyperV.PowerShell.Commands.MoveVM

When enabling verbose Kerberos I see this in the System event log:

A Kerberos Error Message was received:
on logon session DomainY\UserY
Client Time:
Server Time: 20:40:44.0000 12/8/2022 Z
Error Code: 0x19 KDC_ERR_PREAUTH_REQUIRED
Extended Error:
Client Realm:
Client Name:
Server Realm: DomainY
Server Name: krbtgt/DomainY
Target Name: krbtgt/DomainY@DomainY
Error Text:
File: logonapi.cxx
Line: e02
Error Data is in record data.

Q: Why does the command fail when wrapped in Invoke-Command?

Hint pointing to forest trust: the failure happens for UserY but not UserX:

  • HOST1, HOST2, and UserX are on DomainX
  • UserY is on DomainY
  • DomainX trusts DomainY via Forest Trust
  • DomainY trusts DomainX via Forest Trust
  • UserX is a Domain Admin on DomainX
  • UserY is a Domain Admin on DomainY (although this doesn't matter)
  • UserY is in the BUILTIN Administrators group on HOST1 and HOST2 (which are in DomainX)
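One check that separates "the remoting session on HOST1 has no usable Kerberos credentials" from "HOST2 rejects this account" is to compare the security context and ticket cache of a direct logon with those of the Invoke-Command session, and then attempt a plain WinRM call from inside that session to HOST2. This is an added diagnostic script, not code from the question; the host names HOST1 and HOST2 come from the question, while the function name and its output fields are assumptions.

```powershell
# Added diagnostic (not from the original question). Run it as the affected
# user on HOST1. Host names are from the question; everything else is assumed.

function Get-LogonContext {
    # Returns who the current process runs as, how it authenticated, and which
    # Kerberos service tickets the current logon session holds (parsed from klist).
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Identity = $id.Name
        AuthType = $id.AuthenticationType
        Tickets  = @(klist.exe 2>&1 |
                     Select-String -Pattern 'Server:\s+(\S+)' |
                     ForEach-Object { $_.Matches[0].Groups[1].Value })
    }
}

# 1. Context of a direct logon on HOST1, where Move-VM succeeds.
$direct = Get-LogonContext

# 2. Context inside the "do-nothing" remoting session on HOST1.
#    ${function:Name} passes the function body as a script block.
$remote = Invoke-Command -ComputerName HOST1 -ScriptBlock ${function:Get-LogonContext}

# 3. Second hop: from the HOST1 session, make a trivial WinRM call to HOST2.
#    Move-VM has to reach HOST2 from this same context, so if this fails the
#    problem is the credential available to the session, not Move-VM itself.
$secondHop = Invoke-Command -ComputerName HOST1 -ScriptBlock {
    try {
        Invoke-Command -ComputerName HOST2 -ScriptBlock { $env:COMPUTERNAME } -ErrorAction Stop
    } catch {
        "SECOND HOP FAILED: $($_.Exception.Message)"
    }
}

$direct, $remote | Format-List
"Second hop from HOST1 to HOST2 returned: $secondHop"
```

Compare the two Tickets lists: a direct logon normally holds a TGT (krbtgt/...) and can obtain service tickets on demand, whereas a session created by Invoke-Command over Kerberos typically holds only the ticket that was used to reach HOST1 and nothing it can forward to HOST2 unless delegation has been configured for that account and host. Running the script as UserX and as UserY shows whether the difference tracks the account's domain, which is what the forest-trust hint in the question suggests.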