Ran into a weird issue where I was getting access denied when trying to query nodes remotely in powershell. The query was working fine against Windows 2003 cluster names and worked locally when ran on a Windows 2008 cluster node, it just didn’t work remotely.
PS C:\Debuggers> gwmi -q "Select name from MSCluster_Node" -namespace root\mscluster -computername Server-2k3-01 | Select-Object Name
Name ---- Server-2k3-01 Server-2k3-02
PS C:\Debuggers> gwmi -q "Select name from MSCluster_Node" -namespace root\mscluster -computername Server-2k8-01 Get-WmiObject : Access denied At line:1 char:5 + gwmi <<<< -q "Select name from MSCluster_Node" -namespace root\mscluster -computername Server-2k8-01
I also tried the query outside of powershell to eliminate that form the equation with the same results and it still failed. So why the difference? Well looking around on the target, I noticed this event in the event log:
Log Name: Application Source: Microsoft-Windows-WMI Date: 9/5/2008 10:17:52 AM Event ID: 5605 Task Category: None Level: Error Keywords: Classic User: N/A Computer: Server-2k8-01 Description: Access to the root\mscluster namespace was denied because the namespace is marked with RequiresEncryption but the script or application attempted to connect to this namespace with an authentication level below Pkt_Privacy. Change the authentication level to Pkt_Privacy and run the script or application again.
Doing a little research I ran across this article explaining the event and what needs to happen to run the query properly:
In VBScript that means adding: authenticationLevel=pktPrivacy to your query. In Powershell (I’m using 2.0) you just add the authentication switch to get it to work. Now the query works on downlevel as well as 2k8:
PS C:\Debuggers> gwmi -q "Select name from MSCluster_Node" -namespace root\mscluster -computername Server-2k8-01 -Authentication PacketPrivacy | Select-Object Name
Server-2k8-01 Server-2k8-02 Server-2k8-03 Server-2k8-04 Server-2k8-05
You can do a whole bunch of cool stuff with powershell check it out! Here’s just a little query to tell me each node and ‘t state:
PS C:\Debuggers> gwmi -q "Select * from MSCluster_Node" -namespace root\mscluster -computername TK5-CLUS-01 -Authentication PacketPrivacy | Select-Object Name,State | Format-Table -au
Name State ---- ----- tk5-clus-01 0 tk5-clus-02 0 tk5-clus-03 0 tk5-clus-04 1 tk5-clus-05 0 tk5-clus-06 0
PingBack from http://powerscripting.wordpress.com/2008/10/05/episode-44-tobias-weltner-gives-an-inside-look-at-powershell-plus/
I get the following error:
A parameter cannot be found that matches parameter name 'Authentication'
Which version of powershell are you using?
Ah forget it, I just found out they added that parameter in CTP 2.0.
what if i can't upgrade to poweshell 2?
how can i solve with ps 1?
The -Authentication was put into v3 to help with this issue. You cannot use get-wmiobject in POSH v1 to connect to namespaces that require packet privacy. You'd need to use [wmisearcher] or the .NET framework and then set the authentication in there. Sorry. It CAN be done though, just a bit more work.
Here's an example of [wmisearcher]:
[wmisearcher]$wmisearcher = "SELECT * FROM IISApplicationPoolSetting"
$wmisearcher.scope = "\\Server1\root\MicrosoftIISv2"
$wmisearcher.scope.options.EnablePrivileges = $true
$wmisearcher.scope.options.Impersonation = "Impersonate"
$wmisearcher.scope.options.Authentication = "PacketPrivacy"
Please follow this link here http://msdn.microsoft.com/en-us/library/aa393618(VS.85).aspx
WMI authentication have to be changed.