WinRM and Enter-PSSession Across Domains

Use this process when your client is not joined to the same domain as the target server, or when you need to connect by IP address.

What changed during troubleshooting

  • Enter-PSSession still failed because WinRM over HTTP requires TrustedHosts when Kerberos cannot be used.
  • Connecting by IP address disables Kerberos.
  • Connecting by hostname can still require TrustedHosts if the client is not joined to the target domain or there is no trust relationship.

Prerequisites

  • WinRM enabled on the remote server
  • TCP 5985 open for HTTP WinRM, or TCP 5986 for HTTPS WinRM
  • Credentials for the remote domain
  • Elevated PowerShell session on the client to modify TrustedHosts

Validate connectivity from the client

Check DNS resolution:

Resolve-DnsName server.domain.internal
nslookup server.domain.internal

Check network reachability:

Test-Connection server.domain.internal -Count 2
Test-NetConnection server.domain.internal -Port 5985
Test-NetConnection 10.10.10.10 -Port 5985

Check basic WinRM response:

Test-WSMan server.domain.internal
Test-WSMan 10.10.10.10

Enable WinRM on the remote server

Run these commands locally on the destination server if WinRM is not already configured:

winrm quickconfig
Enable-PSRemoting -Force
winrm enumerate winrm/config/listener
Get-NetFirewallRule -DisplayGroup "Windows Remote Management"

Verify the network profile if the firewall rule is still too restrictive:

Get-NetConnectionProfile

Configure TrustedHosts on the client

If Kerberos cannot be used, add the remote host to TrustedHosts.

Set a single host:

Set-Item WSMan:\localhost\Client\TrustedHosts -Value "server.domain.internal"

Set both hostname and IP address:

Set-Item WSMan:\localhost\Client\TrustedHosts -Value "server.domain.internal,10.10.10.10"

Append entries without overwriting the current list:

$current = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
Set-Item WSMan:\localhost\Client\TrustedHosts -Value ($current + ",server.domain.internal,10.10.10.10").Trim(',')

Verify the setting:

Get-Item WSMan:\localhost\Client\TrustedHosts
winrm get winrm/config/client
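
An added example, not part of the original page: the append step above made idempotent, so entries are not duplicated, wildcard entries are refused, and only the entries added for this task are removed afterwards. The function names are hypothetical, and `Invoke-Command` stands in for `Enter-PSSession` because an interactive session cannot be wrapped in `try`/`finally` inside a script.

```powershell
# Added example; function names are hypothetical. Run in an elevated session.
$TrustedHostsPath = 'WSMan:\localhost\Client\TrustedHosts'

function Get-TrustedHostEntry {
    # Split the comma-separated setting into trimmed, non-empty entries.
    $value = (Get-Item -Path $TrustedHostsPath).Value
    @("$value" -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function Add-TrustedHostEntry {
    # Adds only the missing entries and returns the names that were newly added.
    param([Parameter(Mandatory)][string[]]$ComputerName)
    foreach ($name in $ComputerName) {
        # A wildcard would trust every matching host without server authentication.
        if ($name -match '\*') { throw "Refusing wildcard TrustedHosts entry: $name" }
    }
    $current = @(Get-TrustedHostEntry)
    $new = @($ComputerName | Where-Object { $_ -notin $current } | Select-Object -Unique)
    if ($new.Count -gt 0) {
        Set-Item -Path $TrustedHostsPath -Value (($current + $new) -join ',') -Force
    }
    $new
}

function Remove-TrustedHostEntry {
    # Removes the named entries and keeps everything else in the list.
    param([string[]]$ComputerName)
    if (-not $ComputerName) { return }
    $remaining = @(Get-TrustedHostEntry | Where-Object { $_ -notin $ComputerName })
    Set-Item -Path $TrustedHostsPath -Value ($remaining -join ',') -Force
}

# Usage with the page's sample host: trust it only while the remote work runs.
$cred  = Get-Credential
$added = Add-TrustedHostEntry -ComputerName 'server.domain.internal', '10.10.10.10'
try {
    Invoke-Command -ComputerName server.domain.internal -Credential $cred -ScriptBlock { hostname }
}
finally {
    # Only entries added above are removed; pre-existing entries stay in place.
    Remove-TrustedHostEntry -ComputerName $added
}
```
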

Start the remote PowerShell session

Prompt for credentials:

$cred = Get-Credential

Connect by hostname:

Enter-PSSession -ComputerName server.domain.internal -Credential $cred

Connect by IP address:

Enter-PSSession -ComputerName 10.10.10.10 -Credential $cred

If needed, make the authentication choice explicit:

Enter-PSSession -ComputerName server.domain.internal -Credential $cred -Authentication Negotiate

Use credentials in one of these forms:

domain\username
username@domain.internal

Recommended command sequence

This is the shortest working flow for an HTTP WinRM connection to a host in another domain:

Test-NetConnection server.domain.internal -Port 5985
Set-Item WSMan:\localhost\Client\TrustedHosts -Value "server.domain.internal,10.10.10.10"
$cred = Get-Credential
Enter-PSSession -ComputerName server.domain.internal -Credential $cred

Common errors

TCP port open but Enter-PSSession fails with TrustedHosts error

Cause: the host is reachable, but Kerberos is unavailable and the client does not trust the target for WinRM over HTTP.

Fix:

Set-Item WSMan:\localhost\Client\TrustedHosts -Value "server.domain.internal,10.10.10.10"

nslookup works but Enter-PSSession says the name cannot be resolved

Cause: nslookup uses DNS directly, but Windows name resolution used by WinRM may still fail because of adapter DNS settings or missing host records.

Fix:

Resolve-DnsName server.domain.internal
ping server.domain.internal

If needed, add a temporary hosts entry:

10.10.10.10 server.domain.internal

Path:

C:\Windows\System32\drivers\etc\hosts

Test-WSMan fails before authentication

Cause: WinRM is not enabled, the listener is missing, or a firewall rule is blocking access.

Fix:

Enable-PSRemoting -Force
winrm enumerate winrm/config/listener
Get-NetFirewallRule -DisplayGroup "Windows Remote Management"

More secure option

TrustedHosts is acceptable for internal administrative use, but HTTPS WinRM is better because the server identity is validated with a certificate.

If the remote server has a WinRM HTTPS listener on port 5986, use:

Enter-PSSession -ComputerName server.domain.internal -UseSSL -Credential $cred