NTLM or Kerberos - PS Remoting

    • #191785

      Hi Team,

      A small doubt. I'm currently working in a multi-forest environment where some forests have trusts and some do not. I am able to use PS remoting within the trusted forests without any changes, and I am also able to do PS remoting to an untrusted forest using a TrustedHosts entry in the WSMan configuration.

      Now I'm a bit confused about the authentication mechanism mentioned in the title. Which one handles authentication to the untrusted forest, Kerberos or NTLM?

      Please help me clear up this doubt; also, if NTLM is the answer, then is there any way to change it to Kerberos?

      Thanks in Advance.

      Roy.

    • #191854
    • #191803
    • #191911

      Good reference Aaron. Thanks.

      As per Don, did he mean that when using TrustedHosts, Kerberos will work (look at the bold statement below)?

      Kerberos can only be used within trusted domains. Across non-trusted domains... nope. That's why it was using NTLM. And, in order for that to work, you either have to connect via HTTPS or put the target machine in the initiating machine's TrustedHosts list. Either way, you must also specify -Credential. 

      Regards,

      Sankhadip.

    • #192067

      His comment on Kerberos was well put. Once you go beyond the boundary of where Kerberos can manage authentication (into the untrusted domain), NTLM has to handle authentication, because you can't pass Kerberos session tickets to an untrusted destination.

      Here's another reference: https://stackoverflow.com/questions/9691643/kerberos-delegation-across-2-untrusted-domains-using-wcf

      By adding the 'untrusted' host to the TrustedHosts list on the computer you're remoting from, you're allowing the connection but it will be over NTLM.
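
      Putting Don's and Aaron's points together as a worked PowerShell example. This is an added example, not code posted in the thread; the host name srv01.untrusted.example and the account you are prompted for are placeholders, and reading the Security log on the target assumes the account is an administrator there.

      ```powershell
      # Added example (not from the original thread). Assumes a target host in a
      # forest with no trust to ours and an account valid in that forest; both
      # names below are placeholders.
      $Target = 'srv01.untrusted.example'
      $Cred   = Get-Credential -Message 'Account in the untrusted forest (DOMAIN\user)'

      # Option A: HTTP transport. The WinRM client will not send NTLM credentials to
      # a host it cannot authenticate, so the target must be in TrustedHosts.
      # Append the single host; do not use '*'.
      $current = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
      if ($current -notmatch [regex]::Escape($Target)) {
          $new = if ([string]::IsNullOrWhiteSpace($current)) { $Target } else { "$current,$Target" }
          Set-Item WSMan:\localhost\Client\TrustedHosts -Value $new -Force
      }

      # Kerberos cannot work here: with no trust there is no ticket for the target
      # realm. Forcing it makes the failure explicit instead of letting Negotiate
      # silently fall back to NTLM.
      try {
          Test-WSMan -ComputerName $Target -Authentication Kerberos -Credential $Cred -ErrorAction Stop
      } catch {
          "Kerberos to the untrusted forest failed as expected: $($_.Exception.Message)"
      }

      # Negotiate falls back to NTLM. -Credential is mandatory across a non-trust.
      $s = New-PSSession -ComputerName $Target -Credential $Cred -Authentication Negotiate

      # Option B: HTTPS transport. The server certificate authenticates the host,
      # so no TrustedHosts entry is needed, but the authentication is still NTLM.
      # $s = New-PSSession -ComputerName $Target -Credential $Cred -UseSSL

      # Verify which package actually authenticated the session: logon event 4624
      # on the target records AuthenticationPackageName (NTLM here, Kerberos for a
      # session within a trust). Network logons from WinRM are LogonType 3.
      Invoke-Command -Session $s -ScriptBlock {
          Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 50 |
              ForEach-Object {
                  $x = [xml]$_.ToXml()
                  $d = @{}
                  foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
                  [pscustomobject]@{
                      Time      = $_.TimeCreated
                      User      = "$($d.TargetDomainName)\$($d.TargetUserName)"
                      LogonType = $d.LogonType
                      AuthPkg   = $d.AuthenticationPackageName
                      Process   = $d.ProcessName
                  }
              } |
              Where-Object { $_.LogonType -eq '3' } |
              Select-Object -First 5
      }

      Remove-PSSession $s
      ```

      Two caveats worth keeping in mind. TrustedHosts only tells your client it may send credentials to that name; it does not authenticate the server, so over plain HTTP a host that can answer for that name receives your NTLM exchange. HTTPS with a certificate the client validates removes that exposure while the authentication remains NTLM. And the answer to "can I change it to Kerberos" without a trust is no: Kerberos needs a realm the client can get a ticket for, which is exactly what a forest trust provides.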

    • #192070

      Thanks a lot, Aaron. Now clear. 👍
