
March 20, 2014 at 4:37 am

I have been writing a few PowerShell scripts in our work domain secured environment; all work fine with Kerberos security. I'm trying to look to modify these on my laptop, which is in the domain, and to test execute these on VMs in my homelab which are not members of the domain.

With a view to enable basic authentication on the target machine I ran

Set-Item -Force WSMan:\localhost\Client\TrustedHosts -Value 
Set-Item -Force WSMan:\localhost\Service\AllowUnencrypted $True
Set-Item -Force WSMan:\localhost\Client\AllowUnencrypted $True
Set-Item -Force WSMan:\localhost\Service\Auth\Basic $True
Set-Item -Force WSMan:\localhost\Client\Auth\Basic $True

I then verify all are being set correctly using, as on attachment "Target Settings.jpg"

Get-Item WSMan:\localhost\Client\TrustedHosts
Get-Item WSMan:\localhost\Service\AllowUnencrypted
Get-Item WSMan:\localhost\Client\AllowUnencrypted
Get-Item WSMan:\localhost\Service\Auth\Basic
Get-Item WSMan:\localhost\Client\Auth\Basic

However when I try to invoke a remote session, such as

$computer = Get-Content -Path C:\Temp\TrimUnmap\Servers.txt
$cred = Get-Credential
$pso = New-PSSessionOption -NoEncryption 
foreach ($computer1 in $computer) {
    $sess = New-PSSession -ComputerName $computer1 -Credential $cred -SessionOption $pso
}

It returns to say "Unencrypted traffic is currently disabled in the client configuration" as per Remote Error.jpg.

I'm quite new to PowerShell so I'm probably missing something obvious. For background, the target is Windows 2012 R2 so Windows Management Framework 4, and the remote sending machine is Windows 7 with Windows Management Framework 4 installed.

March 20, 2014 at 4:42 am

Nearly forgot, also on remote computer I executed

New-Itemproperty -name LocalAccountTokenFilterPolicy -path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -propertyType DWord -value 1

March 20, 2014 at 6:25 am

So, there's a difference between the application-level encryption and the HTTPS channel. If the goal is to use Basic authentication, WinRM wants you to use HTTPS. That means you have to set up a listener for HTTPS, and specify -UseSSL when running the command. That has nothing to do with the "allow unencrypted" though.

March 21, 2014 at 12:41 pm

Thanks for the quick reply Dom.

The goal is to have a simple solution, no real preference; my thought was configuring the client to enable Basic authentication over a non-SSL connection. On re-reading what I had put I realized I had missed forcing New-PSSession to use Basic authentication.

$computer = Get-Content -Path C:\Temp\TrimUnmap\Servers.txt
$cred = Get-Credential
$pso = New-PSSessionOption -NoEncryption
foreach ($computer1 in $computer) {
    $sess = New-PSSession -ComputerName $computer1 -Credential $cred -Authentication Basic -SessionOption $pso
}

I still get the same "Unencrypted traffic is currently disabled in the client configuration." I wonder if from what you have put that Basic authentication cannot work over non-SSL and while the client is enabled for unencrypted traffic the message really relates to unencrypted traffic not being allowed with basic authentication.

March 21, 2014 at 2:19 pm

You can do what you want – you need to add the target computer to the local computer's TrustedHosts list, and provide a credential. Otherwise it wants SSL. It isn't so much about encryption as it is about mutual authentication.
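
The TrustedHosts-plus-credential approach from the last reply, as an added example that is not code from any poster in this thread. It runs on the machine that starts the sessions and leaves AllowUnencrypted off, because Negotiate (NTLM for non-domain targets) encrypts the payload at the message level over HTTP, whereas Basic with AllowUnencrypted sends the credential merely base64-encoded. Assumptions: an elevated session, the Servers.txt path from the question with one VM name or IP per line, and a local administrator account on each VM.

```powershell
# Run elevated on the machine that STARTS the sessions (the laptop), not on the VMs.
# Assumption: Servers.txt (path from the question) lists one VM name or IP per line.
$servers = Get-Content -Path C:\Temp\TrimUnmap\Servers.txt | Where-Object { $_.Trim() }

# Trust only the named lab hosts instead of '*'.
# -Concatenate appends to whatever is already in the list.
Set-Item WSMan:\localhost\Client\TrustedHosts -Value ($servers -join ',') -Concatenate -Force

# Keep unencrypted traffic switched off on the client; Negotiate does not need it.
Set-Item WSMan:\localhost\Client\AllowUnencrypted $false -Force

# Review the client-side values this machine will actually use.
Get-Item WSMan:\localhost\Client\TrustedHosts, WSMan:\localhost\Client\AllowUnencrypted |
    Select-Object Name, Value

# Assumption: a local account on the VMs, entered as VMNAME\Administrator.
$cred = Get-Credential

# Collect every session instead of overwriting one variable on each pass.
$sessions = foreach ($server in $servers) {
    try {
        # No -NoEncryption session option and no Basic authentication.
        New-PSSession -ComputerName $server -Credential $cred `
            -Authentication Negotiate -ErrorAction Stop
    }
    catch {
        Write-Warning "$server : $($_.Exception.Message)"
    }
}

if ($sessions) {
    # Confirm each session reached the intended machine, then clean up.
    Invoke-Command -Session $sessions -ScriptBlock { $env:COMPUTERNAME }
    $sessions | Remove-PSSession
}
```

With this in place, the AllowUnencrypted and Auth\Basic values that the question enabled on the target can be set back to $false there.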