Enter-PSSession to Nanoserver container in Docker -> Access is Denied RRS feed

  • Question

  • Hi,

    I've been pulling my hair out over this for the last few days and am really hoping someone here can help (or claim my StackOverflow bounty).

    I am hosting the microsoft/nanoserver image in a container within docker on Windows Server 2016 (basically following these instructions) with the command:

    docker run -it microsoft/nanoserver cmd

    This provides me an interactive command line within the container and I am able to ping the container from the host.

    However, when I try to use the command "Enter-PSSession -ComputerName <ipaddress | name in hosts file> -Credential ~\Administrator" to establish a remote powershell session with the nanoserver container I *always* receive the error "Access is denied".

    Here's what I have tried. After each test I have re-issued the Enter-PSSession command above but still get "Access is denied"

    * Setting the Administrator password from within the container with the command "net user Administrator <password>"

    * Calling "Set-WSManQuickConfig" from powershell within the container results in:

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    WinRM Quick Configuration
    Running the Set-WSManQuickConfig command has significant security implications, as it enables remote management through
     the WinRM service on this computer.
    This command:
     1. Checks whether the WinRM service is running. If the WinRM service is not running, the service is started.
     2. Sets the WinRM service startup type to automatic.
     3. Creates a listener to accept requests on any IP address. By default, the transport is HTTP.
     4. Enables a firewall exception for WS-Management traffic.
     5. Enables Kerberos and Negotiate service authentication.
    Do you want to enable remote management through the WinRM service on this computer?
    [Y] Yes  [N] No  [S] Suspend  [?] Help (default is "Y"): Y
    WinRM is already set up to receive requests on this computer.
    WinRM has been updated for remote management.
    Configured LocalAccountTokenFilterPolicy to grant administrative rights remotely to local users.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    NOTE: 'Enable-PSRemoting' and 'winrm quickconfig' are not available within nanoserver.

    * Enabling all PSSession configurations with the command 'Enable-PSSessionConfiguration -Name *' results in:

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    WinRM is already set up to receive requests on this computer.
    WinRM is already set up for remote management on this computer.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    * Navigating wsman: to do the following on both the client and server (restarting winrm service after every change)

    1. Allow basic authentication

    2. Allow non-encrypted communication

    3. Add "Everyone" with full-control to the RootSDDL of the wsman service

    * Adding transparent bridge to docker and starting container with 'docker run -it -network TransparentBridge microsoft/nanoserver cmd' and repeating all the above.

    * And a number of other things I've since forgot.

    I can telnet to port 5985 of the container so I know the firewall isn't an issue. Also I get a "HTTP BAD REQUEST" when passing it garbage so I know there's a service listening here.

    I have successfully set up nanoserver within a virtual machine (following these instructions) and can easily establish a remote powershell session with this server so I'm at a bit of a loss why it won't work with the docker image.

    Any help gratefully appreciated.

    Thanks,  Ian

    Monday, December 19, 2016 5:04 PM

All replies

  • I have the exact same issue. Did you resolve it?
    Friday, March 3, 2017 2:06 PM
  • Thursday, March 16, 2017 4:21 PM
  • Did you manage to resolve this. I have the exact same issue. Would be really happy if you share your solution
    Thursday, April 13, 2017 8:04 PM
  • Did you tried to follow this article?

    Add the Nano Server system to trusted hosts of the remote system. Replace the IP Address with the IP Address of the Nano Server.

    Set-Item WSMan:\localhost\Client\TrustedHosts -Force

    Create the remote PowerShell session.

    Enter-PSSession -ComputerName -Credential ~\Administrator

    When these steps have been completed, you will be in remote PowerShell session with the Nano Server system. The remainder of this document, unless noted otherwise, will take place from the remote session.

    • Proposed as answer by Myles Keating Friday, April 21, 2017 5:20 PM
    Friday, April 21, 2017 3:57 PM
  • Didn't work for me. Still getting access denied errors in nanoserver and servercore containers.

    I've exposed the WINRM ports, set Administrator password. I also added Nanoserver IP as a trusted host but nothing seems to work.
    Saturday, April 29, 2017 4:11 AM
  • Just checking are you able to connect to the the containers using:

    docker exec -it <containerid> <command> 

    (i.e.: docker exec 12345565 powershell) ?

    once you setup the administrator password did you enable it? net user administratror  /ACTIVE:YES

    Also notice the Enter-psession  as also a switch for containers -containerid did you alos tried with that?

    Thursday, May 4, 2017 8:55 AM
  • Okay I think I've got it ... when you run Enter-pssession the id need to be complete and not the alias showed by docker ps.

    Try this:

    1) docker inspect <RUNNINGCONTAINERID>

    2) look at the beginning the result for the complete ID

    3) Enter-pssesion -containerid <completeid> -runAsAdministrator (to enter as containeradministrator)


    3) Enter-pssesion -containerid <completeid> (to enter as container user)

    • Proposed as answer by alefesta Thursday, May 4, 2017 2:00 PM
    Thursday, May 4, 2017 1:59 PM
  • Anyone have any thoughts on how do this on nanoserver-1709 with powershell-core 6.0.1 installed? I cannot for the life of me get to an elevated Powershell or cmd interface.
    Thursday, March 8, 2018 4:44 PM
  • What is the problem with `docker exec -it <containeriD> cmd.exe`? It shall work
    Thursday, March 8, 2018 4:54 PM
  • It works, but it is not an elevated prompt.  I.e. Access denied when attempting administrative tasks.  runAS is not present on the system and even if it were, I do not have the admin password for the image posted as Microsoft/powershell:nanoserver.
    Thursday, March 8, 2018 5:00 PM
  • Interesting, it's in fact non elevated prompt from `docker exec` which used to be elevated in previous versions. Can you build images though (by executing the same command from DockerFile) or it's the same issue?
    Thursday, March 8, 2018 5:12 PM
  • That is what I am going to try next - building my own image based on this one, were I set an Admin user name and password.  Any tips on how to do that?
    Thursday, March 8, 2018 5:18 PM
  • Here is what works

    docker exec -it -u Administrator --privileged <containerID> cmd.exe

    • Proposed as answer by thehetz Thursday, March 8, 2018 5:48 PM
    Thursday, March 8, 2018 5:26 PM
  • Indeed it does!  THANK YOU!
    Thursday, March 8, 2018 5:32 PM
  • I don't think `--priviliged` is need as well. Just `-u`
    Thursday, March 8, 2018 5:36 PM