I'm new to PowerShell and I'm having trouble using credential delegation. I have the following script:
$session = New-PSSession myserver -Authentication CredSSP -Credential DOMAIN\Administrator
Invoke-Command -Session $session -ScriptBlock { <Some PowerShell Command> }
Before running it, I did the following:
Enable-PSRemoting on myserver.
Enable-WSManCredSSP Server on myserver.
Restart-Service WinRM on myserver.
Enable-WSManCredSSP Client -DelegateComputer myserver on the client.
But once I run the script, I get the following error message:
[myserver] Connecting to remote server failed with the following error message : The WinRM client cannot process the request. A computer policy does not allow the delegation of the user credentials to the target computer. Use gpedit.msc and look at the following policy: Computer Configuration -> Administrative Templates -> System -> Credentials Delegation -> Allow Delegating Fresh Credentials. Verify that it is enabled and configured with an SPN appropriate for the target computer. For example, for a target computer name "myserver.domain.com", the SPN can be one of the following: WSMAN/myserver.domain.com or WSMAN/*.domain.com. For more information, see the about_Remote_Troubleshooting Help topic.
+ CategoryInfo : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [], PSRemotingTransportException
+ FullyQualifiedErrorId : PSSessionOpenFailed
I checked the policies as mentioned in the error message but everything seems to be fine. What else could be blocking me?
Enable-WSManCredSSP can enable CredSSP on a Client or a Server. To enable CredSSP on a client, specify Client in the Role parameter. Clients delegate explicit credentials to a server when server authentication is achieved. To enable CredSSP on a server, specify Server in the Role parameter.
To enable CredSSP authentication, use the Enable-WSManCredSSP cmdlet.
Do the following on the server:
Enable-WSManCredSSP -Role Server
Do the following on the client:
Set-Item wsman:localhost\client\trustedhosts -Value *
Enable-WSManCredSSP -Role Client -DelegateComputer *
Use gpedit.msc on the client to enable Delegating Fresh Credentials to WSMAN/*:
Open Local Computer Policy, expand Computer Configuration, expand Administrative Templates, expand System, and then click Credential Delegation.
In the Settings pane, double-click Allow Delegating Fresh Credentials with NTLM-only Server Authentication.
In the Allow Delegating Fresh Credentials with NTLM-only Server Authentication dialog box, click Enabled.
In the Options area, click Show.
Enter WSMAN/*, and then click OK.
Make sure that Concatenate OS defaults with input above is selected, and then click OK.
The following command now works (after a password prompt):
Invoke-Command { dir \\fileserver\devtools } -computer appserver01 -authentication credssp -credential domain\user
See MSDN forums.
See TechNet
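Before changing anything, it helps to see what the client is actually configured with, because the error text names the policy but not which entries it currently holds. The following is an added example (my own code, not from either answer, the question, or the linked MSDN/TechNet pages). It reads the WinRM client's CredSSP switch and the server lists of the two "Allow Delegating Fresh Credentials" policies straight from the registry, then reports whether a given target SPN is covered. Assumptions: the policy value and subkey names AllowFreshCredentials and AllowFreshCredentialsWhenNTLMOnly under HKLM\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation (the names the Group Policy editor writes for those two settings), and the placeholder target 'WSMAN/myserver.domain.com' taken from the error message. It also flags a bare WSMAN/* entry: CredSSP hands the full credential to whatever host it authenticates to, so a wildcard (like the answer's WSMAN/* and TrustedHosts *) makes the connection work but allows that delegation to every host, not just myserver.

```powershell
# Added example: audit the client-side CredSSP delegation policy for one target SPN.
# Not the code of the answers above; registry names are the ones gpedit writes for
# the two "Allow Delegating Fresh Credentials" settings (assumed here, see lead-in).
function Test-CredSspDelegation {
    param([Parameter(Mandatory)] [string] $TargetSpn)   # e.g. 'WSMAN/myserver.domain.com'

    $policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
    # First name: "Allow Delegating Fresh Credentials";
    # second: "... with NTLM-only Server Authentication" (the one the answer above enables).
    $policies = 'AllowFreshCredentials', 'AllowFreshCredentialsWhenNTLMOnly'

    # 1. Is CredSSP switched on for the WinRM client (what Enable-WSManCredSSP -Role Client does)?
    $clientCredSsp = $false
    try {
        $clientCredSsp = (Get-Item 'WSMan:\localhost\Client\Auth\CredSSP').Value -eq 'true'
    } catch {
        Write-Warning "Could not read WSMan client settings (is the WinRM service running?): $_"
    }

    # 2. Collect every SPN entry from both policies. Entries are stored in a subkey
    #    named like the policy, as string values named 1, 2, 3, ...
    $entries = @()
    $enabled = @{}
    if (Test-Path $policyRoot) {
        $props = Get-ItemProperty -Path $policyRoot
        foreach ($p in $policies) {
            $enabled[$p] = ($props.$p -eq 1)           # DWORD 1 = policy "Enabled"
            $listKey = Join-Path $policyRoot $p
            if (Test-Path $listKey) {
                $regKey = Get-Item $listKey
                foreach ($name in $regKey.GetValueNames()) {
                    $entries += [pscustomobject]@{ Policy = $p; Spn = [string]$regKey.GetValue($name) }
                }
            }
        }
    }

    # 3. The policy treats '*' as a wildcard; -like does the same, case-insensitively.
    #    Only entries under an enabled policy count as a match.
    $matching = @($entries | Where-Object { $enabled[$_.Policy] -and ($TargetSpn -like $_.Spn) })
    $allowAll = [bool]($entries | Where-Object { $_.Spn -eq 'WSMAN/*' -or $_.Spn -eq '*' })

    [pscustomobject]@{
        TargetSpn        = $TargetSpn
        ClientCredSspOn  = $clientCredSsp
        PolicyEntries    = $entries
        MatchingEntries  = $matching
        WildcardAllowAll = $allowAll
    }
}

# Usage (constructed placeholder SPN from the error message in the question):
$check = Test-CredSspDelegation -TargetSpn 'WSMAN/myserver.domain.com'
$check | Format-List
if (-not $check.ClientCredSspOn) {
    Write-Warning 'CredSSP is not enabled on the WinRM client; run Enable-WSManCredSSP -Role Client first.'
}
if (-not $check.MatchingEntries) {
    Write-Warning "No enabled delegation entry covers $($check.TargetSpn); expect the policy error from the question."
}
if ($check.WildcardAllowAll) {
    Write-Warning 'Delegation is allowed to every host (WSMAN/*). Prefer WSMAN/<host> or WSMAN/*.<domain> entries.'
}
```

Reading the registry needs no elevation, so this can be run as the ordinary user before and after applying either answer; the WSMan: drive read does need the WinRM service to be running, which the try/catch reports rather than aborts on.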
I finally got it to work thanks to this page. It provides a script that sets the required credential delegation policies by setting the appropriate registry keys directly. Once I ran that script with admin privileges, I was able to successfully establish a CredSSP connection to myserver:
Enable-WSManCredSSP -Role client -DelegateComputer *.mydomain.com
# SPNs to list under the "Allow Delegating Fresh Credentials" policy
$allowed = @('WSMAN/*.mydomain.com')
$key = 'hklm:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
if (!(Test-Path $key)) {
    md $key
}
# DWORD 1 = policy Enabled
New-ItemProperty -Path $key -Name AllowFreshCredentials -Value 1 -PropertyType Dword -Force
# The policy's server list is a subkey of the same name, holding string values named 1, 2, 3, ...
$key = Join-Path $key 'AllowFreshCredentials'
if (!(Test-Path $key)) {
    md $key
}
$i = 1
$allowed | ForEach-Object {
    # Script does not take into account existing entries in this key
    New-ItemProperty -Path $key -Name $i -Value $_ -PropertyType String -Force
    $i++
}
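The script's own comment points out its one rough edge: it writes entry 1, 2, ... from scratch and overwrites whatever a previous run, gpedit, or Enable-WSManCredSSP already put there. As an added example (my own code, not the answer's script or the linked page's), here is the same registry change written so it can be re-run safely: it reads the existing numbered entries first, appends the SPN only if it is not already listed, and takes the next free index instead of starting over at 1. The SPN 'WSMAN/myserver.domain.com' is a constructed placeholder; the optional -Policy switch selects the NTLM-only variant of the policy (registry name AllowFreshCredentialsWhenNTLMOnly, assumed here to be the name gpedit writes for that setting).

```powershell
#Requires -RunAsAdministrator
# Added example: idempotent version of the registry change in the answer above.
# Not the answer's script; policy registry names are assumptions stated in the lead-in.
function Add-CredSspDelegationTarget {
    param(
        [Parameter(Mandatory)] [string] $Spn,              # e.g. 'WSMAN/myserver.domain.com'
        [ValidateSet('AllowFreshCredentials', 'AllowFreshCredentialsWhenNTLMOnly')]
        [string] $Policy = 'AllowFreshCredentials'
    )

    $root = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
    $list = Join-Path $root $Policy

    # Create the policy key and its server-list subkey only if they are missing.
    foreach ($k in $root, $list) {
        if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
    }

    # DWORD 1 = "Enabled" for the chosen policy.
    Set-ItemProperty -Path $root -Name $Policy -Value 1 -Type DWord

    # Existing entries are string values named 1, 2, 3, ... ; read them before writing anything.
    $regKey   = Get-Item $list
    $existing = @($regKey.GetValueNames() | ForEach-Object { [string]$regKey.GetValue($_) })

    if ($existing -contains $Spn) {                       # -contains compares case-insensitively
        Write-Verbose "$Spn is already listed under $Policy; nothing to do."
        return $existing
    }

    # Append under the next free numeric name rather than overwriting entry 1.
    $indices = @($regKey.GetValueNames() | Where-Object { $_ -match '^\d+$' } | ForEach-Object { [int]$_ })
    $next = if ($indices) { ($indices | Measure-Object -Maximum).Maximum + 1 } else { 1 }
    New-ItemProperty -Path $list -Name $next -Value $Spn -PropertyType String -Force | Out-Null

    return ($existing + $Spn)
}

# Usage (constructed placeholder SPN): prints the resulting list; running it twice adds nothing the second time.
Add-CredSspDelegationTarget -Spn 'WSMAN/myserver.domain.com' -Verbose
```

Scoping the entry to one host's SPN (or WSMAN/*.mydomain.com as in the answer) rather than WSMAN/* keeps the delegated credential from being handed to arbitrary hosts; the function deliberately takes no default wildcard.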