SharePoint 2010 with Windows PowerShell Remoting Step by Step


With all the improvements in SharePoint 2010 for IT Professionals, I always put Windows PowerShell support as number one. Maybe this has something to do with my past Linux/Unix background, but the main reason is that I’m a really, really lazy person. If something can be automated, then why bother to click through it manually every time? Scheduling it to run at a certain time every day can save me a lot of time. In past SharePoint versions, STSADM was okay, but it was limited and hard to play with. You could use Windows PowerShell to call the object model directly, but that was too complex and really developer work. Now, with the SharePoint 2010 Windows PowerShell cmdlets, scripting can be really fun!

But someone asked me this question:

You are telling me scripting is great – but isn’t that just a server thing? I still need to open remote desktop on my laptop to connect to the server box and then do the shell stuff, can’t I have something like SSH?  Just run my script remotely without opening my browser, remote desktop, only Windows PowerShell…

Definitely you can do it! Windows PowerShell v2 RTM on Server 2008/R2, which is also a prerequisite of SharePoint 2010, supports “remoting”. So you can manage SharePoint 2010 remotely from a Windows PowerShell prompt on your local machine.

Let’s try it!

Enable Remoting support on SharePoint Server box

A few steps are necessary to set up Windows PowerShell Remoting for SharePoint.

Enable Windows PowerShell Remoting

Windows PowerShell Remoting needs to be enabled first by calling the following cmdlet in Windows PowerShell:

Enable-PSRemoting


This command does a quick configuration of Windows Remote Management (WinRM): WinRM creates an HTTP listener, and the firewall exceptions are created automatically. If you get a Kerberos error, the SPN for HTTP/yourservername may be missing and you need to use setspn to add it. Most of the time you won’t have this issue.

You can test whether remoting is working by typing Enter-PSSession -ComputerName localhost on the same server box.

However, there are two extra requirements for SharePoint remoting. I just list them here; if you want further details, Zach Rosenfield, the Program Manager who owns SharePoint Windows PowerShell support, explains them in his blog post SharePoint PowerShell “Remoting” Requirements.

Increase memory limit for remote shell

Some of the SharePoint cmdlets can run for quite a long time and require a lot of memory. By default, a remote shell is allocated 150 MB of memory, which may cause some commands to fail, for example site collection creation. Use the following command to increase this limit to 1000 MB. This is only necessary if you need to run those commands on that server.

Set-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB 1000
 
If this value is too low, you may get error messages like: System.Management.Automation.RemoteException: Process is terminated due to StackOverflowException.
 

Set up CredSSP support

Credential Security Service Provider (CredSSP) authentication should be used if you need to do a “double hop” with your credentials. This does not mean that you can’t run the cmdlets at all with other authentication methods; depending on the security permission scenario, they may or may not work. CredSSP is the best way to deal with the situation.

In some situations the cmdlets still work even without CredSSP. For example, my current account is in the Microsoft domain and the target server is in the contoso.com domain. I used Negotiate authentication with a username and password to log on to this server remotely, then created a new content database without any problem. You can test your environment to choose the best way: certain domain policies may prevent the client machine from delegating credentials, which CredSSP requires. But still, please use CredSSP whenever possible.


To enable CredSSP on the server, use the following command:

Enable-WSManCredSSP -Role Server


You can use Get-WSManCredSSP to check if it is enabled.

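Set up client machine for Remoting

Enable CredSSP support

To use CredSSP, you need to run the following command in Windows PowerShell, where * (which allows delegation to any computer) can be replaced with the name of the server you want to connect to, so that credentials are delegated to that server only: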

Enable-WSManCredSSP -Role client -DelegateComputer *


Use Get-WSManCredSSP to check if it is enabled correctly.

Create and enter a remote session of Windows PowerShell

If your current user on the client machine has permission to the SharePoint farm and to Windows PowerShell on the remote box, you can use Enter-PSSession to create and enter the remote session.

For example, connecting to sharepoint.contoso.com…

Enter-PSSession -ComputerName sharepoint.contoso.com

If it works, the command prompt will be changed to [sharepoint.contoso.com]: PS C:\Users\Administrator\>.

The session will be closed when you type exit or Exit-PSSession. You can also use New-PSSession to create the session to use with Invoke-Command.

To connect to a machine with CredSSP and a different credential, you can use:

Enter-PSSession -ComputerName sharepoint.contoso.com -Authentication CredSSP -Credential domain\username

This will pop up a dialogue for you to type in the password. If you want this process to be fully automated, you can first store the credential in a file.

Store and use credentials for scripting

A credential in Windows PowerShell is an object which contains a username (as plain text) and a password (as a secure string).

First, use the following command to convert the password from keyboard input to a secure string and save it in a text file.

Read-Host -AsSecureString | ConvertFrom-SecureString | out-file C:\crd-sharepoint.txt


When you need to create a credential object, read this password (the secure string) from the file with the following command:

$securePassword = Get-Content C:\crd-sharepoint.txt | ConvertTo-SecureString

then create the credential (replace myusername with your domain\username):

$crd = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "myusername",$securePassword



Then you will be able to use this credential in the command line without any dialogue.

Enter-PSSession -ComputerName sharepoint.contoso.com -Authentication CredSSP -Credential $crd

Load SharePoint Windows PowerShell Snap-in

Unlike in the SharePoint Management Shell, you need to load the snap-in manually to use the SharePoint cmdlets.

Add-PSSnapin Microsoft.SharePoint.Powershell 

Then everything will work.
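
The client-side steps above combined into one unattended script, as an added example that is not part of the original post. The account name CONTOSO\spadmin and the credential file location are assumptions; the script names the server in -DelegateComputer instead of using *, because CredSSP hands the user's credentials to the remote machine, and it keeps the password file in the user's profile rather than in C:\.

```powershell
# Added example, not the author's script. Account name and file path are assumptions.
$server   = 'sharepoint.contoso.com'      # host name used in the article
$userName = 'CONTOSO\spadmin'             # hypothetical farm administrator account
$credFile = Join-Path $env:USERPROFILE 'crd-sharepoint.txt'

# One-time setup: allow credential delegation to this one server only, not to "*".
Enable-WSManCredSSP -Role Client -DelegateComputer $server -Force | Out-Null

# One-time setup: store the password. Without -Key, ConvertFrom-SecureString
# protects the string with DPAPI, so the file can only be decrypted by the
# same user account on the same machine.
if (-not (Test-Path $credFile)) {
    Read-Host -Prompt "Password for $userName" -AsSecureString |
        ConvertFrom-SecureString | Out-File $credFile
}

# Rebuild the credential object from the stored secure string.
$securePassword = Get-Content $credFile | ConvertTo-SecureString
$crd = New-Object -TypeName System.Management.Automation.PSCredential `
    -ArgumentList $userName, $securePassword

# New-PSSession plus Invoke-Command is the non-interactive form of Enter-PSSession.
$session = New-PSSession -ComputerName $server -Authentication CredSSP -Credential $crd
try {
    Invoke-Command -Session $session -ScriptBlock {
        # The snap-in is not loaded automatically in a remote session.
        Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop
        Start-SPAssignment -Global
        Get-SPSite -Limit All | Select-Object -ExpandProperty Url
        Stop-SPAssignment -Global      # dispose the SharePoint objects used above
    }
}
finally {
    # Always close the remote shell, even if a command failed.
    Remove-PSSession $session
}
```

Enable-WSManCredSSP has to be run from an elevated prompt; Disable-WSManCredSSP -Role Client turns delegation off again when it is no longer needed.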

 

Further readings

Zach Rosenfield’s Blog

http://sharepoint.microsoft.com/blogs/zach

Zach’s blog is my favorite. The following articles are highly recommended to read…

SharePoint 2010 PowerShell Permissions Explained

http://sharepoint.microsoft.com/blogs/zach/Lists/Posts/Post.aspx?ID=56

SPModule.HelloWorld()

http://sharepoint.microsoft.com/blogs/zach/Lists/Posts/Post.aspx?ID=54

Remote Install of SharePoint (with SPModule)

http://sharepoint.microsoft.com/blogs/zach/Lists/Posts/Post.aspx?ID=55

Webcast - Getting Started: Windows PowerShell for SharePoint 2010 Administrators, by Todd Klindt on TechNet

http://technet.microsoft.com/en-us/sharepoint/ee518673.aspx

Technical Reference: Windows PowerShell for SharePoint Server 2010

CHM references for download. Please note there’ll be some changes in the cmdlets between beta and RTM.

http://technet.microsoft.com/en-us/library/ee662539(office.14).aspx



Got Questions?

Ask them on the TechNet Forum! If we get enough questions, we may even open a separate section for Windows PowerShell!

SharePoint 2010 - Setup, Upgrade, Administration and Operation

 

Jie.

  • Excellent walk through.

  • can I do this for 2007 ... i tried using add-pssnapin and it doesn't work

    also, Microsoft.SharePoint is not listed as a get-pssnapin -registered item

  • SharePoint 2007 doesn't have the PowerShell cmdlets. You have to use the stsadm tool.

    I have one question. Do I still have to set the thread options for the shell to "ReuseThread"?

  • This is great.  But why is it that when I am physically on the SharePoint box everything works great, but when I remote into the box with powershell it tells me I do not have sufficient access or permissions (simply trying a get-spsite)?

  • Excellent walk through, however it seems that you must obtain SharePoint objects over PSRemoting using SPSecurity.RunWithElevatedPrivileges, otherwise you do not have proper access.  This renders a lot of the cmdlets useless.

    Also for anyone interested in being able to use the RunWithElevatedPrivileges method using PSRemoting, you can run this nice piece of code:

    Add-Type -Language CSharpVersion3 -TypeDefinition @"
    using System;
    using Microsoft.SharePoint;

    public class GetElevatedSPSite
    {
        public static SPSite GetSPSite(String SiteName)
        {
            SPSite mysite = null;
            SPSecurity.RunWithElevatedPrivileges(delegate(){ mysite = new SPSite(SiteName); });
            return mysite;
        }
    }
    "@ -ReferencedAssemblies @("C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\ISAPI\Microsoft.SharePoint.dll")

    And then you can run this to get your site object

    [GetElevatedSPSite]::GetSPSite($SiteURL)

  • For me your screenshots do not show! A shame as this is very interesting info!


  • stackoverflow.com/.../credssp-not-recommended-in-production-environments

    I am trying to deploy Sharepoint WSP projects using PowerShell Remoting.

    See sharepoint.stackexchange.com/.../powershell-remoting-sharepoint-2010-error

    The solution is to configure CredSSP for Sharepoint.

    But Microsoft says:

    Caution: Credential Security Service Provider (CredSSP) authentication, in which the user's credentials are passed to a remote computer to be authenticated, is designed for commands that require authentication on more than one resource, such as accessing a remote network share. This mechanism increases the security risk of the remote operation. If the remote computer is compromised, the credentials that are passed to it can be used to control the network session.

    Not recommended in production environments.

    Any suggestions for deploying using powershell remoting and sharepoint?

  • What ports do you need to open for remote windows powershell if your SharePoint runs in an application vault?

  • zsharepoint.wordpress.com - new place of zach's blog

  • Hi,

    I have used a powershell script to copy (at runtime) library contents across web applications in the same farm.

    Can I use the concept of remoting to copy (at runtime) the library contents across web applications in different farms?

    Your inputs in this regard would be most appreciated.

    Regards,

    Tony

  • Not working here. On the server (a MS Windows 2008 R2 Server running Sharepoint 2010 in Windows Azure), I've run Enable-PSRemoting and Enable-WSManCredSSP with server role. Get-WSManCredSSP tells me that "This computer is configured to receive credentials from a remote client computer."

    On the client, I'm running Powershell ISE locally on a MS Windows 8 without Sharepoint installed. The command "Enable-WSManCredSSP -Role client -DelegateComputer *" yields an error "The client cannot connect to the destination specified in the request." I've also tried with specifying my server using "myServer" and "myserver.cloudapp.net" but in vain.

    Note, that I'm able to send start and stop commands from ISE to virtual machines in Azure, i.e. I should have some settings ok.

    Pointers appreciated.

  • Great walk through. Only thing missing is mention that remote commands require running SharePoint cmdlets within a RunWithElevatedPrivileges command block.

    [Microsoft.SharePoint.SPSecurity]::RunWithElevatedPrivileges({
      <SharePoint Commands>
    })

  • Thank you for this excellent article! I am testing migrating from Sharepoint 2010 (Windows Server 2008 R2) to Sharepoint 2013 (Windows 2012). Have encountered the problem of "No snap-ins have been registered for Windows PowerShell 3". After weeks of googling, this is the only site that has a real solution! And it works with Sharepoint 2013 running on Windows 2012!

    I have saved this entire web page in case it goes down!!! Thank you!!!

  • Hi there, excellent walkthrough. I have totally automated sharepoint administration with guidance from your post, and then this strange behaviour started on my computer. Every time I run the script, it gives an exception saying the rpc server is unavailable, meaning there is no connectivity to the remote server.

    So I tried to ping it and it indeed wasn't reachable. So I called the network team to look into the issue as I assumed it to be some network thing; the network guy just restarted my pc and it worked like a charm the next moment. He advised me to restart again if such an issue appears, as it may be due to the dns cache. Now this thing was repeated a couple of times and every time I restarted my pc. Then my computer was replaced and surprisingly this issue still continued; it was then I realised it was a problem with my script and not with the computer or network. Then after terrible research on sharepoint powershell remoting I landed on this page www.liberalcode.com/.../running-sharepoint-cmdlets-from-remote.html which talks about Start-SPAssignment and Stop-SPAssignment and how they can prevent the DNS cache flooding. Initially I skipped it as it didn't make much sense to me, but now I have realised my mistake.

    It would be nice if you added the SP-Assignment thing to your post, as I have wasted a lot of days not knowing the issue.

    source: www.liberalcode.com/.../running-sharepoint-cmdlets-from-remote.html
