Enable Basic Security

This topic contains 4 replies, has 2 voices, and was last updated by Don Jones 3 years, 7 months ago.

  • #13933

    mister potato head
    Participant

    I have been writing a few PowerShell scripts in our work domain's secured environment; all work fine with Kerberos security. I'm looking to modify these on my laptop, which is in the domain, and to test execute them on VMs in my homelab, which are not members of the domain.

    With a view to enabling Basic authentication on the target machine, I ran:

    Set-Item -Force WSMan:\localhost\Client\TrustedHosts -Value 
    Set-Item -Force WSMan:\localhost\Service\AllowUnencrypted $True
    Set-Item -Force WSMan:\localhost\Client\AllowUnencrypted $True
    Set-Item -Force WSMan:\localhost\Service\Auth\Basic $True
    Set-Item -Force WSMan:\localhost\Client\Auth\Basic $True

    I then verified that all are being set correctly, as in the attachment "Target Settings.jpg", using:

    Get-Item WSMan:\localhost\Client\TrustedHosts
    Get-Item WSMan:\localhost\Service\AllowUnencrypted
    Get-Item WSMan:\localhost\Client\AllowUnencrypted
    Get-Item WSMan:\localhost\Service\Auth\Basic
    Get-Item WSMan:\localhost\Client\Auth\Basic
    

    However, when I try to invoke a remote session, such as:

    $computer = Get-Content -Path C:\Temp\TrimUnmap\Servers.txt
    $cred = Get-Credential
    $pso = New-PSSessionOption -NoEncryption 
    foreach ($computer1 in $computer) {
        $sess = New-PSSession -ComputerName $computer1 -Credential $cred -SessionOption $pso
    }

    It returns to say "Unencrypted traffic is currently disabled in the client configuration", as per Remote Error.jpg.

    I'm quite new to PowerShell, so I'm probably missing something obvious. For background, the target is Windows 2012 R2, so Windows Management Framework 4, and the remote sending machine is Windows 7 with Windows Management Framework 4 installed.

  • #13936

    mister potato head
    Participant

    Nearly forgot: on the remote computer I also executed

    New-ItemProperty -Name LocalAccountTokenFilterPolicy -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -PropertyType DWord -Value 1

  • #13938

    Don Jones
    Keymaster

    So, there's a difference between the application-level encryption and the HTTPS channel. If the goal is to use Basic authentication, WinRM wants you to use HTTPS. That means you have to set up a listener for HTTPS, and specify -UseSSL when running the command. That has nothing to do with the "allow unencrypted" though.

  • #13987

    mister potato head
    Participant

    Thanks for the quick reply, Don.

    The goal is to have a simple solution, no real preference; my thought was configuring the client to enable Basic authentication over a non-SSL connection. On re-reading what I had put, I realized I had missed forcing New-PSSession to use Basic authentication.

    $computer = Get-Content -Path C:\Temp\TrimUnmap\Servers.txt
    $cred = Get-Credential
    $pso = New-PSSessionOption -NoEncryption
    foreach ($computer1 in $computer) {
        $sess = New-PSSession -ComputerName $computer1 -Credential $cred -Authentication Basic -SessionOption $pso
    }

    I still get the same "Unencrypted traffic is currently disabled in the client configuration." I wonder, from what you have put, whether Basic authentication cannot work over non-SSL, and whether, while the client is enabled for unencrypted traffic, the message really relates to unencrypted traffic not being allowed with Basic authentication.

  • #13988

    Don Jones
    Keymaster

    You can do what you want – you need to add the target computer to the local computer's TrustedHosts list, and provide a credential. Otherwise it wants SSL. It isn't so much about encryption as it is about mutual authentication.
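
To review which of the settings touched in this thread are relaxed on a given machine, the following audit is an added example, not code from either poster. The function name Get-WinRMRelaxedSetting and the Review column are hypothetical, and it assumes an elevated PowerShell 3.0+ session with the WinRM service running.

```powershell
function Get-WinRMRelaxedSetting {
    # The four switches set in the first post; WSMan: returns them as the strings 'true' / 'false'.
    $paths = @(
        'WSMan:\localhost\Client\AllowUnencrypted',
        'WSMan:\localhost\Service\AllowUnencrypted',
        'WSMan:\localhost\Client\Auth\Basic',
        'WSMan:\localhost\Service\Auth\Basic'
    )
    foreach ($path in $paths) {
        $value = (Get-Item -Path $path).Value
        [pscustomobject]@{ Setting = $path; Value = $value; Review = ($value -eq 'true') }
    }

    # Any TrustedHosts entry lets the client connect to that host without
    # mutual authentication; '*' does so for every host.
    $trusted = (Get-Item -Path 'WSMan:\localhost\Client\TrustedHosts').Value
    [pscustomobject]@{
        Setting = 'WSMan:\localhost\Client\TrustedHosts'
        Value   = $trusted
        Review  = -not [string]::IsNullOrEmpty($trusted)
    }

    # LocalAccountTokenFilterPolicy = 1 (set in post #13936) turns off remote
    # UAC token filtering for local administrator accounts.
    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $prop = Get-ItemProperty -Path $key -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue
    $latfp = if ($prop) { $prop.LocalAccountTokenFilterPolicy } else { $null }
    [pscustomobject]@{
        Setting = "$key\LocalAccountTokenFilterPolicy"
        Value   = $latfp
        Review  = ($latfp -eq 1)
    }

    # Basic authentication is meant to run over an HTTPS listener (-UseSSL on the client).
    $https = @(Get-ChildItem -Path 'WSMan:\localhost\Listener' |
        Where-Object { $_.Keys -contains 'Transport=HTTPS' })
    [pscustomobject]@{
        Setting = 'WSMan:\localhost\Listener (HTTPS listeners)'
        Value   = $https.Count
        Review  = ($https.Count -eq 0)
    }
}

Get-WinRMRelaxedSetting | Format-Table -AutoSize
```

Rows with Review set to True are the ones to revisit once testing is done, for example by setting the AllowUnencrypted and Basic items back to $false with Set-Item.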
