HTTP: Enter-PS Session


This topic contains 4 replies, has 2 voices, and was last updated by Keymaster 7 months, 3 weeks ago.

  • #97202

    Participant

    Hey Everybody,

    I am setting up PS Remoting with an IP address as my target. I know if you are using an IP for your ComputerName parameter on Enter-PSSession, Kerberos is not used. I also noticed in the documentation that NTLM authentication is used by default whenever you specify an IP address and -cred parameter for Enter-PSSession. My question: Is NTLM authentication trustworthy when using the -cred parameter with an IP as a target when using Enter-PSSession or New-PSSession?

    Thanks,

    Matt

    HOW TO USE AN IP ADDRESS IN A REMOTE COMMAND
    --------------------------------------------
    ERROR: The WinRM client cannot process the request. If the
    authentication scheme is different from Kerberos, or if the client
    computer is not joined to a domain, then HTTPS transport must be used
    or the destination machine must be added to the TrustedHosts
    configuration setting.

    The ComputerName parameters of the New-PSSession, Enter-PSSession and
    Invoke-Command cmdlets accept an IP address as a valid value. However,
    because Kerberos authentication does not support IP addresses, NTLM
    authentication is used by default whenever you specify an IP address.

    When using NTLM authentication, the following procedure is required
    for remoting.

    1. Configure the computer for HTTPS transport or add the IP addresses
    of the remote computers to the TrustedHosts list on the local
    computer.

    For instructions, see "How to Add a Computer to the TrustedHosts
    List" below.

    2. Use the Credential parameter in all remote commands.

    This is required even when you are submitting the credentials
    of the current user.

  • #97208

    Keymaster

    Depends on what you mean by "trustworthy." It doesn't really do mutual authentication, which is the whole point of Kerberos and/or HTTPS, so you're opening yourself to potential man-in-the-middle or spoofing attacks wherein you send your NTLM credentials to a bad actor. That's why the docs say to set up HTTPS.

  • #97221

    Participant

    Thank you.

    If this is the @theRealDonJames: your books and YouTube tutorials have helped me greatly, thanks for that also.

  • #97232

    Participant

    Sorry, last question if you don't mind: signed cert OK?

  • #97235

    Keymaster

    You mean self-signed certificate? No, not okay. It wouldn't be trusted.

The topic ‘HTTP: Enter-PS Session’ is closed to new replies.
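
Added example, not part of the thread or of the quoted help text: a client-side check of the settings that let NTLM go to a host whose identity is never verified, followed by a connection over HTTPS as the replies recommend. It assumes the server already has a WinRM HTTPS listener with a certificate issued by a CA the client trusts and matching the name used to connect; `$Target` is a placeholder and the function names are hypothetical.

```powershell
# Added example. $Target is a placeholder; the function names are hypothetical.
$Target = 'server01.example.test'

function Get-WinRMClientExposure {
    # Client settings that allow NTLM to be sent to a host whose identity is never checked.
    $raw     = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
    $entries = @($raw -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    [pscustomobject]@{
        TrustedHosts     = $entries
        # '*' trusts every host; IP entries are the case asked about in the thread.
        WildcardEntries  = @($entries | Where-Object { $_.Contains('*') })
        IpEntries        = @($entries | Where-Object { $_ -as [ipaddress] })
        AllowUnencrypted = (Get-Item WSMan:\localhost\Client\AllowUnencrypted).Value
    }
}

function New-HttpsRemoteSession {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][pscredential]$Credential
    )
    # Unauthenticated probe of the HTTPS listener (port 5986 by default). It fails if the
    # server certificate does not chain to a trusted CA or does not match $ComputerName.
    Test-WSMan -ComputerName $ComputerName -UseSSL -ErrorAction Stop | Out-Null
    # No -SessionOption with SkipCACheck/SkipCNCheck: those switches turn the checks off.
    New-PSSession -ComputerName $ComputerName -UseSSL -Credential $Credential -ErrorAction Stop
}

$exposure = Get-WinRMClientExposure
$exposure | Format-List
if ($exposure.WildcardEntries -or $exposure.IpEntries) {
    Write-Warning 'TrustedHosts entries found: connections to them over HTTP skip server authentication.'
}
$session = New-HttpsRemoteSession -ComputerName $Target -Credential (Get-Credential)
Enter-PSSession -Session $session
```

To connect by IP address over HTTPS, the server certificate has to list that IP address; otherwise connect by the name the certificate was issued for.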