Enable Basic Security

Welcome Forums General PowerShell Q&A Enable Basic Security

This topic contains 4 replies, has 2 voices, and was last updated by

 
Keymaster
4 years, 10 months ago.

  • Author
    Posts
  • #13933

    Participant
    Points: 0
    Rank: Member

    I have been writing a few PowerShell scripts in our work domain secured environment, all work fine with kerberos security. I'm trying to look to modify these on my laptop which is in domain, and to test execute these on VMs in my homelab which are not members of the domain.

    With a view to enable basic authentication on the target machine I ran

    Set-Item -Force WSMan:\localhost\Client\TrustedHosts -Value 
    Set-Item -Force WSMan:\localhost\Service\AllowUnencrypted $True
    Set-Item -Force WSMan:\localhost\Client\AllowUnencrypted $True
    Set-Item -Force WSMan:\localhost\Service\Auth\Basic $True
    Set-Item -Force WSMan:\localhost\Client\Auth\Basic $True

    I then verify all are being set correctly using, as on attachment "Target Settings.jpg"

    Get-Item WSMan:\localhost\Client\TrustedHosts
    Get-Item WSMan:\localhost\Service\AllowUnencrypted
    Get-Item WSMan:\localhost\Client\AllowUnencrypted
    Get-Item WSMan:\localhost\Service\Auth\Basic
    Get-Item WSMan:\localhost\Client\Auth\Basic
    

    However when I try to invoke a remote session, such as

    $computer = Get-Content -Path C:\Temp\TrimUnmap\Servers.txt
    $cred = Get-Credential
    $pso = New-PSSessionOption -NoEncryption 
    foreach ($computer1 in $computer) {
    $sess = New-PSSession -ComputerName $computer1 -Credential $cred -SessionOption $pso
    }

    It returns to say Unencryted traffic is currently disabled in the client configuration as per Remote Error.jpg

    I'm quite new to Powershell so I'm probably missing something obvious, for background target is Windows 2012 R2 so Windows Management Framework 4 and remote sending is Windows 7 with Windows Management Framework 4 installed.

  • #13936

    Participant
    Points: 0
    Rank: Member

    Nearly forgot, also on remote computer I executed

    New-Itemproperty -name LocalAccountTokenFilterPolicy -path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -propertyType DWord -value 1

  • #13938

    Keymaster
    Points: 1,785
    Helping HandTeam Member
    Rank: Community Hero

    So, there's a differences between the application-level encryption and the HTTPS channel. If the goal is to use Basic authentication, WinRM wants you to use HTTPS. That means you have to set up a listener for HTTPS, and specify -UseSSL when running the command. That has nothing to do with the "allow unencrypted" though.

  • #13987

    Participant
    Points: 0
    Rank: Member

    Thanks for the quick reply Dom.

    The goal is to have a simple solution no real preference, my thought was configuring the client to enable Basic authentication over a non-SSL connection. On re-reading what I had put I realized I had missed forcing New-PSSession to use Basic authentication.

    $computer = Get-Content -Path C:\Temp\TrimUnmap\Servers.txt
    $cred = Get-Credential
    $pso = New-PSSessionOption -NoEncryption
    foreach ($computer1 in $computer) {
    $sess = New-PSSession -ComputerName $computer1 -Credential $cred -Authentication Basic -SessionOption $pso
    }

    I still get the same "Unencrypted traffic is currently disabled in the client configuration." I wonder if from what you have put that Basic authentication cannot work over non-SSL and while the client is enabled for unencrypted traffic the message really relates to unencrypted traffic not being allowed with basic authentication.

  • #13988

    Keymaster
    Points: 1,785
    Helping HandTeam Member
    Rank: Community Hero

    You can do hat you want – you need to add the target computer to the local computer's TrustedHosts list, and provide a credential. Otherwise it wants SSL. It isn't so much about encryption as it is about mutual authentication.

The topic ‘Enable Basic Security’ is closed to new replies.