NTLM or Kerberos – PS Remoting


    • #191785
      Participant
      Topics: 23
      Replies: 48
      Points: 285
      Helping Hand
      Rank: Contributor

      Hi Team,

      A small doubt. I’m currently working in a multi-forest environment where some forests have a trust and some do not. I am able to use PS remoting within a trusted forest without any changes, and I am also able to do PS remoting to an untrusted forest using a TrustedHosts entry in the WSMan configuration.

      Now I’m a bit confused about the authentication mechanism, as mentioned in the title. Which one is doing the authentication for the untrusted forest, Kerberos or NTLM?

      Please help me by clearing the doubt, also if NTLM is the answer then is there any way to change it to Kerberos?

      Thanks in Advance.

      Roy.

    • #191854
      Participant
      Topics: 0
      Replies: 25
      Points: 163
      Helping Hand
      Rank: Participant
    • #191803
      Participant
      Topics: 11
      Replies: 127
      Points: 762
      Helping Hand
      Rank: Major Contributor
    • #191911
      Participant
      Topics: 23
      Replies: 48
      Points: 285
      Helping Hand
      Rank: Contributor

      Good reference Aaron. Thanks.

      As per Don, did he mean that using trusted host, Kerberos will work (Look at bold statement below.)?

      Kerberos can only be used within trusted domains. Across non-trusted domains… nope. That’s why it was using NTLM. And, in order for that to work, you either have to connect via HTTPS or put the target machine in the initiating machine’s TrustedHosts list. Either way, you must also specify -Credential. 

      Regards,

      Sankhadip.

    • #192067
      Participant
      Topics: 11
      Replies: 127
      Points: 762
      Helping Hand
      Rank: Major Contributor

      His comment on Kerberos was well-put. Once you go beyond the boundary of where Kerberos can manage authentication (into the untrusted domain), NTLM has to handle authentication because you can’t pass Kerberos session tickets to an untrusted destination.

      Here’s another reference: https://stackoverflow.com/questions/9691643/kerberos-delegation-across-2-untrusted-domains-using-wcf

      By adding the ‘untrusted’ host to the TrustedHosts list on the computer you’re remoting from, you’re allowing the connection but it will be over NTLM.
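      The following PowerShell session is an added illustration of what Aaron describes, not code posted in this thread. The host names and the credential prompt are placeholders, and reading the Security log on the target assumes the remoting account is a local administrator there. It forces Kerberos where a trust exists (so a silent fall-back to NTLM becomes an error), shows that Kerberos to the untrusted forest fails, opens the cross-forest session over HTTPS so the server certificate stands in for a TrustedHosts entry, and then reads Security event 4624 on the target, whose AuthenticationPackageName field records whether Kerberos or NTLM actually authenticated the connection.

```powershell
# Added example for this thread (not the thread's own code). Host names are placeholders.
$trustedHost   = 'srv02.trusted.example'     # placeholder: host in a forest that trusts ours
$untrustedHost = 'srv01.untrusted.example'   # placeholder: host in a forest with no trust
$cred = Get-Credential -Message 'Account in the untrusted forest (DOMAIN\user)'

# 1. Inside a trust: no TrustedHosts entry and no explicit credential are needed.
#    Asking for Kerberos explicitly makes any NTLM fall-back an error instead of a silent downgrade.
$kerbSession = New-PSSession -ComputerName $trustedHost -Authentication Kerberos

# 2. Across no trust Kerberos cannot issue a ticket for the target, so this call is expected to fail.
try {
    New-PSSession -ComputerName $untrustedHost -Authentication Kerberos -Credential $cred -ErrorAction Stop
} catch {
    Write-Warning "Kerberos to $untrustedHost failed as expected: $($_.Exception.Message)"
}

# 3. What does work is NTLM (via Negotiate) with an explicit credential. Prefer -UseSSL: with an HTTPS
#    listener the server certificate authenticates the target, so no TrustedHosts entry is required.
$ntlmSession = New-PSSession -ComputerName $untrustedHost -Credential $cred -UseSSL -Authentication Negotiate

# 4. Only when no HTTPS listener exists: add the single host name (never '*') and keep existing entries.
#    Set-Item WSMan:\localhost\Client\TrustedHosts -Value $untrustedHost -Concatenate -Force
Get-Item WSMan:\localhost\Client\TrustedHosts | Select-Object -ExpandProperty Value

# 5. Verify on the target which package really authenticated us: Security event 4624 (logon),
#    LogonType 3 = network logon, AuthenticationPackageName = 'Kerberos' or 'NTLM'.
Invoke-Command -Session $ntlmSession -ScriptBlock {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 50 |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                User      = "$($d.TargetDomainName)\$($d.TargetUserName)"
                LogonType = $d.LogonType
                AuthPkg   = $d.AuthenticationPackageName
                Source    = $d.IpAddress
            }
        } |
        Where-Object { $_.LogonType -eq '3' } |
        Select-Object -First 10
}

Remove-PSSession $kerbSession, $ntlmSession
```

      Running step 5 against the trusted-forest session instead of `$ntlmSession` shows `Kerberos` in the AuthPkg column, while the untrusted-forest session shows `NTLM`; that difference is the answer to the original question, and the `-UseSSL` listener is the practical mitigation when the trust cannot be changed.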

    • #192070
      Participant
      Topics: 23
      Replies: 48
      Points: 285
      Helping Hand
      Rank: Contributor

      Thanks a lot Aaron. Now clear. 👍
