Certificate Authentication in Workgroup

Welcome Forums General PowerShell Q&A Certificate Authentication in Workgroup

This topic contains 1 reply, has 1 voice, and was last updated by

 
Participant
2 months ago.

  • Author
    Posts
  • #166984

    Participant
    Topics: 3
    Replies: 5
    Points: 10
    Rank: Member

    I went through WinRM-Certificate-Authentication document By Dave but unable to implement in a Workgroup environment.

    Goal:-

    500+ Workgroup clients need to be managed via PS. I have enabled the PS Remoting and so far it's working like charm. Due to increase security thread and ransomware attack, we are frequently changing the local admin account password which is common across the board. I thought of moving the PS Remoting on HTTPS instead of HTTP and use Certificate authentication mode to stop transmitting password on a wire. In this way, I thought I can use single Mangement Server to connect to 500+ Workgroup system over HTTPS using Certificate Authentication. We do have SCCM in our environment but it only works on PS 3.0+ hence have to depend on PS.

    Configuration:-

    I Do have Active Directory CA and I use below code to get the certificate using PS from Workgroup System.

    
    $Username = 'Domain\User'
    
    $Password = 'Password'
    
    $pass = ConvertTo-SecureString -AsPlainText $Password -Force
    
    $Cred = New-Object System.Management.Automation.PSCredential -ArgumentList $Username,$pass
    
    $certSubject = "CN=$ENV:COMPUTERNAME"
    
    $Cert = Get-Certificate -Template WinRM -Credential $Cred -SubjectName $certSubject -Url https://CA.Contoso.com/ADPolicyProvider_CEP_UsernamePassword/service.svc/CEP -CertStoreLocation cert:\LocalMachine\My -DnsName $ENV:COMPUTERNAME
    
    

     

    Once I Obtain the Cert I use that cert to configure WinRM Listener.

    
    $thumbprint=(Get-ChildItem -Path Cert:\LocalMachine\my\ | Where-Object {$_.Subject -like "*$certSubject*"}).Thumbprint
    
    $WinrmCreate= "winrm create –% winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname=`"$ENV:COMPUTERNAME`";CertificateThumbprint=`"$thumbprint`"}"
    
    invoke-expression $WinrmCreate
    
    

     

    The post above config I can run below command successfully which gives me an indication that WinRM HTTPs listener is working fine.

    Invoke-Command -ScriptBlock $SB -ComputerName $COMP -Credential $RCred -Port 5986 -UseSSL

    Now I below command on Workgroup system to configure the mapping. $CARoot is Thumbprint of RootCA which is in LocalMachine\Root and the commands execute successfully.

    
    New-Item -Path WSMan:\localhost\ClientCertificate -Credential $Cred1 -URI * -Subject * -Issuer $CARoot -Force -Confirm:$false
    
    

     

    Challenge:-

    1. Not sure which thumbprint should I use when I run invoke-command from Management System.

    2. In Mapping, we have to use a local account. What happens if that account is deleted or the password of that account is changed.

    3. Post configuring the WinRM over HTTPS If I use the IP address in computer name it fails with cert error. Since its difficult to track the exact computer and easy to work with IP can we use a wildcard in WinRM HTTPS listener.

    Ex. If we can use *.contoso.com then we can use 10-10-10-1.contoso.com as computer name where computer IP will be 10.10.10.1.

  • #166996

    Participant
    Topics: 3
    Replies: 5
    Points: 10
    Rank: Member

    I was able to overcome the third issue by rewriting the code to request Wildcard. I was able to set the wildcard in WinRM and it worked perfectly.

    
    $Username = 'Domain\User'
    $Password = 'Password'
    $pass = ConvertTo-SecureString -AsPlainText $Password -Force
    $Cred = New-Object System.Management.Automation.PSCredential -ArgumentList $Username,$pass
    $Subject = "*.Contoso.com"
    $certSubject = "CN=$Subject"
    $Cert = Get-Certificate -Template WinRM -Credential $Cred -SubjectName $certSubject -Url
    https://CA.Contoso.com/ADPolicyProvider_CEP_UsernamePassword/service.svc/CEP -CertStoreLocation cert:\LocalMachine\My -DnsName $Subject
    $thumbprint=(Get-ChildItem -Path Cert:\LocalMachine\my\ | Where-Object {$_.Subject -like "*$certSubject*"}).Thumbprint
    
    $WinrmCreate= "winrm create –% winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname=`"$Subject`";CertificateThumbprint=`"$thumbprint`"}"
    invoke-expression $WinrmCreate
    
    Invoke-Command -ScriptBlock $SB -ComputerName FE.Contoso.com -Credential $RCred -Port 5986 -UseSSL
    FE
    
    Invoke-Command -ScriptBlock $SB -ComputerName 10-10-10-1.Contoso.com -Credential $RCred -Port 5986 -UseSSL
    FE
    
    

    I exported the cert from Workgroup including Private Key and imported on Management server. Then If I try to below command using the Thumbprint of imported cert get the error. The certification Auth is enabled on Workgroup system.

    
    Invoke-Command -ScriptBlock $SB -ComputerName FE.Contoso.com -Port 5986 -UseSSL -CertificateThumbprint DD5CC27DCAEC798D7A7CD86BE90007D80AC071C3
    [FE.Contoso.com] Connecting to remote server FE.Contoso.com failed with the following error message : The WinRM client cannot process the request. The destination computer (FE.Contoso.com:5986) returned an 'access denied' error. Specify one of the authentication mechanisms supported by the server. If Kerberos mechanism is used, verify that the client computer and the destination computer are joined to a domain. Possible authentication mechanisms reported by server: Negotiate ClientCerts For more information, see the about_Remote_Troubleshooting Help topic.
    + CategoryInfo : OpenError: (RProxyFE.Contoso.com:String) [], PSRemotingTransportException
    + FullyQualifiedErrorId : AccessDenied,PSSessionStateBroken
    
    

You must be logged in to reply to this topic.