PowerShell Remoting / Certificate Auth / Changing Passwords

This topic contains 2 replies, has 2 voices, and was last updated by Aftab Hussain 2 years, 1 month ago.

  • #19707
    Aftab Hussain
    Participant

    I've set up an image with PowerShell remoting enabled over HTTPS and using certificate auth; any machines deployed with this image will be in a workgroup. I assumed certificate auth would work similar in concept to SSH keys, so that a certificate would be bound to the user account regardless of the password. What I've found is that if I change the password after configuring certificate auth, I can no longer connect. The only way to fix this is to delete the WSMan config for the client certificate and re-issue the command to bind the client cert with the new password.

    Is there any way around this?

  • #19708
    Don Jones
    Keymaster

    You need to give some more detail on what you're using the certificate for.

    Is this an SSL certificate being used to secure the WS-MAN endpoint?

    Or is the certificate being used to authenticate an incoming user, instead of relying on a password?

    I suspect you're referring to the latter. If that's the case, I'm not aware of a workaround. The certificate store isn't set up in a way that facilitates distributing certificates via a master image, in the way you seem to be describing.

  • #19722
    Aftab Hussain
    Participant

    Yes, that's correct, it's the latter. The problem isn't related to the image being a master; I originally saw the error after my final sysprep. I then tested without a sysprep, so assume a standard machine with PowerShell configured over HTTPS. Client auth certificate works fine, but as soon as I change the password on the administrator's account, the one I used to bind the certificate, remote PowerShell stops working. Running the following lines fixes the issue, until the password is changed again:

    # Local account the client certificate is mapped to, and its NEW password.
    $Username = 'Administrator'
    $adminPass = ConvertTo-SecureString 'Mynewpassword1' -AsPlainText -Force
    $Credentials = New-Object System.Management.Automation.PSCredential -ArgumentList $Username, $adminPass
    # Remove the existing client certificate mapping(s) from the WSMan provider.
    Remove-Item -Path WSMan:\localhost\ClientCertificate\ClientCertificate_* -Recurse -Force
    # Recreate the mapping, binding the cert (by subject and issuer thumbprint) to the account with its current password.
    New-Item -Path WSMan:\localhost\ClientCertificate -Credential $Credentials -Subject admin@localhost -URI * -Issuer 415E12063261DCEF7724C98FF972C0ABABAB1212 -Force

    Note: The 'del wsman' line is from memory, so it may be a little off in the target path.
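A more careful version of the rebind sequence above, as an added example that is not part of the thread: the WSMan client-certificate mapping stores the local account's credentials alongside the certificate, so a password change invalidates it; this function removes only the mapping whose Subject matches (not every ClientCertificate_* entry), recreates it with the current password, and returns the resulting mapping so it can be checked. The subject, issuer thumbprint and account name are placeholders, and it assumes an elevated session on the remoting target.

```powershell
# Added example (not from the thread): rebind a WSMan client-certificate
# mapping to a local account after that account's password changes.
# Assumptions: subject, issuer thumbprint and account name are placeholders;
# run in an elevated PowerShell session on the machine being remoted into.
function Update-WSManClientCertMapping {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Subject,            # e.g. admin@localhost
        [Parameter(Mandatory)][string]$IssuerThumbprint,   # thumbprint of the issuing CA cert
        [Parameter(Mandatory)][pscredential]$Credential,   # local account with its NEW password
        [string]$Uri = '*'
    )

    $base = 'WSMan:\localhost\ClientCertificate'

    # Select only the mappings whose Subject matches; other mappings are left intact.
    $existing = Get-ChildItem -Path $base | Where-Object {
        (Get-ChildItem -Path $_.PSPath | Where-Object Name -eq 'Subject').Value -eq $Subject
    }

    foreach ($entry in $existing) {
        if ($PSCmdlet.ShouldProcess($entry.PSPath, 'Remove stale client certificate mapping')) {
            Remove-Item -Path $entry.PSPath -Recurse -Force
        }
    }

    # Recreate the mapping so the stored credential matches the account's current password.
    if ($PSCmdlet.ShouldProcess($Subject, 'Create client certificate mapping')) {
        New-Item -Path $base -Subject $Subject -URI $Uri -Issuer $IssuerThumbprint `
                 -Credential $Credential -Force | Out-Null
    }

    # Return the resulting mapping(s) for this subject so the caller can verify them.
    Get-ChildItem -Path $base | ForEach-Object {
        $props = Get-ChildItem -Path $_.PSPath
        [pscustomobject]@{
            Name     = $_.Name
            Subject  = ($props | Where-Object Name -eq 'Subject').Value
            Issuer   = ($props | Where-Object Name -eq 'Issuer').Value
            UserName = ($props | Where-Object Name -eq 'UserName').Value
            Enabled  = ($props | Where-Object Name -eq 'Enabled').Value
        }
    } | Where-Object Subject -eq $Subject
}

# Usage (placeholder values); prompting avoids a plaintext password in the script:
# $cred = Get-Credential -UserName 'Administrator' -Message 'Enter the NEW password'
# Update-WSManClientCertMapping -Subject 'admin@localhost' -IssuerThumbprint '<CA thumbprint>' -Credential $cred -WhatIf
```

Run with -WhatIf first to see which mappings would be removed, then without it; a subsequent Test-WSMan -UseSSL -Authentication ClientCertificate -CertificateThumbprint against the host confirms the rebind worked.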
