Invoke-Command Mixed Domain Kerberos Versus NTLM

I have a ps1 script that dumps out local groups, with focus on administrators group.  It uses Quest/Dell cmdlets to further dump out the contents of AD groups with the -indirect switch, which tells it to do nested support.

I want to get the script to work so if a test-path fails, to try a copy of the script on a server that is in the correct domain.  That different domain is not trusted.  I am using invoke-command and discovered by using [Security.Principal.WindowsIdentity]::GetCurrent()
authentication type is kerberos when I run it locally, but when I use invoke-command, it sends over NTLM.

I have tried to use the -Authentication Kerberos argument on the invoke-command but end up getting,

[] Connecting to remote server failed with the following error message : WinRM cannot process the
 request. The following error occured while using Kerberos authentication: There are currently no logon servers available to
 service the logon request.
 Possible causes are:
  -The user name or password specified are invalid.
  -Kerberos is used when no authentication method and no user name are specified.
  -Kerberos accepts domain user names, but not local user names.
  -The Service Principal Name (SPN) for the remote computer name and port does not exist.
  -The client and remote computers are in different domains and there is no trust between the two domains.
 After checking for the above issues, try the following:
  -Check the Event Viewer for events related to authentication.
  -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTT
PS transport.
 Note that computers in the TrustedHosts list might not be authenticated.
   -For more information about WinRM configuration, run the following command: winrm help config. For more information, see
the about_Remote_Troubleshooting Help topic.
    + CategoryInfo          : OpenError: (:) [], PSRemotingTransportException
    + FullyQualifiedErrorId : PSSessionStateBroken

Anyone been able to get a script to work on a remote system, passing the correct credentials using get-credentail when the target server is not part of the trust that the source server is in?

Here is a copy of my invoke-command block.




= Get-Credential -Credential ("mydomain\$env:username")
$rs = ''











-ComputerName $rs -Credential $cred -Authentication Kerberos -scriptblock { param ($argspassed) c:\WINDOWS\system32\WindowsPowerShell\v1.0\GetLocalChild.ps1 $argspassed } -ArgumentList $argspassed