December 5, 2019 at 6:49 pm #191785
A small doubt. I’m currently working in a multi-forest environment where some forests have trust and some do not. I am able to use psremoting within a trusted forest without any changes, and I am also able to do psremoting to an untrusted forest using a trusted host entry in the WSMan configuration.
Now I’m a bit confused about the authentication mechanism, as mentioned in the title. Which one is working for untrusted forest authentication, Kerberos or NTLM?
Please help me by clearing the doubt. Also, if NTLM is the answer, is there any way to change it to Kerberos?
Thanks in Advance.
December 6, 2019 at 12:09 am #191854
December 6, 2019 at 3:14 am #191803
Maybe this could help:
Have you checked out, or are you familiar with, Secrets of PowerShell Remoting?
December 6, 2019 at 12:27 pm #191911
Good reference Aaron. Thanks.
As per Don, did he mean that using a trusted host, Kerberos will work (look at the bold statement below)?
Kerberos can only be used within trusted domains. Across non-trusted domains… nope. That’s why it was using NTLM. And, in order for that to work, you either have to connect via HTTPS or put the target machine in the initiating machine’s TrustedHosts list. Either way, you must also specify -Credential.
December 7, 2019 at 5:40 am #192067
His comment on Kerberos was well-put. Once you go beyond the boundary of where Kerberos can manage authentication (into the untrusted domain), NTLM has to handle authentication because you can’t pass Kerberos session tickets to an untrusted destination.
Here’s another reference: https://stackoverflow.com/questions/9691643/kerberos-delegation-across-2-untrusted-domains-using-wcf
By adding the ‘untrusted’ host to the TrustedHosts list on the computer you’re remoting from, you’re allowing the connection but it will be over NTLM.
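To confirm which protocol a session into the untrusted forest actually used, the following added example (not code from this thread or from Secrets of PowerShell Remoting) connects over HTTPS with -Credential, the alternative to TrustedHosts named in the quoted passage, and then reads the logon events on the target. The host name is a placeholder; it assumes the target has an HTTPS WinRM listener with a certificate the client trusts, and that the account may read the Security log.

```powershell
# Added example. $target is a hypothetical host in the untrusted forest.
$target = 'srv01.untrusted.example'
$cred   = Get-Credential   # assumed to be entered as DOMAIN\user

# 1. Show which hosts this client will talk to without mutual authentication.
(Get-Item WSMan:\localhost\Client\TrustedHosts).Value

# 2. Connect over HTTPS (5986). The server is authenticated by its certificate,
#    so no TrustedHosts entry is needed. -Credential is still required.
$session = New-PSSession -ComputerName $target -Credential $cred -UseSSL

# 3. On the target, list recent network logons (event 4624, LogonType 3)
#    for this account and report the authentication package that was used.
$user = $cred.GetNetworkCredential().UserName
$logons = Invoke-Command -Session $session -ArgumentList $user -ScriptBlock {
    param($UserName)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 200 |
        ForEach-Object {
            # Flatten the <EventData> name/value pairs into a hashtable.
            $xml = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($d.LogonType -eq '3' -and $d.TargetUserName -eq $UserName) {
                [pscustomobject]@{
                    TimeCreated = $_.TimeCreated
                    User        = "$($d.TargetDomainName)\$($d.TargetUserName)"
                    Source      = $d.IpAddress
                    Package     = $d.AuthenticationPackageName  # NTLM or Kerberos
                    NtlmVersion = $d.LmPackageName              # e.g. NTLM V2; '-' for Kerberos
                }
            }
        } | Select-Object -First 5
}

$logons | Format-Table TimeCreated, User, Source, Package, NtlmVersion
Remove-PSSession $session
```

Across a non-trusted forest the Package column should read NTLM, matching the explanation above; the same check run against a host in a trusted forest shows Kerberos.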
December 7, 2019 at 8:31 am #192070
Thanks a lot Aaron. Now clear.. 👍
- The topic ‘NTLM or Kerberos – PS Remoting’ is closed to new replies.