PowerShell Remoting / Certificate Auth / Changing Passwords

This topic contains 2 replies, has 2 voices, and was last updated by Aftab Hussain 2 years, 10 months ago.

  • #19707

    Aftab Hussain
    Participant

    I've set up an image with PowerShell remoting enabled over HTTPS and using certificate auth; any machines deployed with this image will be in a workgroup. I assumed certificate auth would work similarly in concept to SSH keys, so that a certificate would be bound to the user account regardless of the password. What I've found is that if I change the password after configuring certificate auth, I can no longer connect. The only way to fix this is to delete the WSMan config for the client certificate and re-issue the command to bind the client cert with the new password.

    Is there any way around this?

  • #19708

    Don Jones
    Keymaster

    You need to give some more detail on what you're using the certificate for.

    Is this an SSL certificate being used to secure the WS-MAN endpoint?

    Or is the certificate being used to authenticate an incoming user, instead of relying on a password?

    I suspect you're referring to the latter. If that's the case, I'm not aware of a workaround. The certificate store isn't set up in a way that facilitates distributing certificates via a master image, in the way you seem to be describing.

  • #19722

    Aftab Hussain
    Participant

    Yes, that's correct, it's the latter. The problem isn't related to the image being a master; I originally saw the error after my final sysprep. I then tested without a sysprep, so assume a standard machine with PowerShell configured over HTTPS. Client auth certificate works fine, but as soon as I change the password on the administrator's account, the one I used to bind the certificate, remote PowerShell stops working. Running the following lines fixes the issue, until the password is changed again:

    # Build a credential for the local account the client certificate maps to
    $Username = 'Administrator'
    $adminPass = ConvertTo-SecureString 'Mynewpassword1' -AsPlainText -Force
    $Credentials = New-Object System.Management.Automation.PSCredential -ArgumentList $Username, $adminPass
    # Remove the existing certificate mapping(s); the mapping stores the account credential, so it is stale after a password change
    del wsman:\localhost\ClientCertificate\ClientCertificate_* -recurse
    # Re-create the mapping: certificates with this subject, from this issuer, map to $Username with the new password
    New-Item -Path WSMan:\localhost\ClientCertificate -Credential $Credentials -Subject admin@localhost -URI * -Issuer 415E12063261DCEF7724C98FF972C0ABABAB1212 -Force

    Note: The 'del wsman' is from memory so may be a little off in the target path.
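The post above shows the underlying behaviour: a WinRM client-certificate mapping stores the credential of the local account it maps to, so the mapping breaks whenever that account's password changes and has to be re-created. The function below is an added example, not code from the thread, that couples the two operations so the window between password rotation and a working mapping is as short as possible, takes the new password as a SecureString instead of a plaintext literal, removes only the mapping for the given subject rather than every mapping on the host, and returns the resulting mappings for verification. It assumes Windows PowerShell 5.1 or later on a host where Set-LocalUser (Microsoft.PowerShell.LocalAccounts) is available, an elevated session, and uses a placeholder for the issuer thumbprint.

```powershell
# Added example: rotate a local account's password and re-create its WinRM
# client-certificate mapping in one step. Assumes an elevated session on the
# target host and the Microsoft.PowerShell.LocalAccounts module (Set-LocalUser).
function Reset-WSManCertificateMapping {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]       $UserName,          # local account the certificate maps to
        [Parameter(Mandatory)] [securestring] $NewPassword,       # SecureString, not a plaintext literal
        [Parameter(Mandatory)] [string]       $Subject,           # subject/UPN carried in the client certificate
        [Parameter(Mandatory)] [string]       $IssuerThumbprint,  # thumbprint of the CA that issued the client cert
        [string] $Uri = '*'                                       # WinRM resource URI the mapping applies to
    )

    # 1. Change the local account password.
    if ($PSCmdlet.ShouldProcess($UserName, 'Set local account password')) {
        Set-LocalUser -Name $UserName -Password $NewPassword
    }

    # 2. Remove only the mapping(s) for this subject; they hold the now-stale credential.
    Get-ChildItem -Path WSMan:\localhost\ClientCertificate | ForEach-Object {
        $mappingSubject = (Get-ChildItem -Path $_.PSPath | Where-Object Name -eq 'Subject').Value
        if ($mappingSubject -eq $Subject -and
            $PSCmdlet.ShouldProcess($_.Name, 'Remove stale certificate mapping')) {
            Remove-Item -Path $_.PSPath -Recurse -Force
        }
    }

    # 3. Re-create the mapping with the new credential.
    $cred = New-Object System.Management.Automation.PSCredential -ArgumentList $UserName, $NewPassword
    if ($PSCmdlet.ShouldProcess($Subject, 'Create certificate mapping')) {
        New-Item -Path WSMan:\localhost\ClientCertificate `
                 -Subject $Subject -URI $Uri -Issuer $IssuerThumbprint `
                 -Credential $cred -Force | Out-Null
    }

    # 4. Return the mappings that now exist so the caller can confirm exactly one
    #    entry for this subject, pointing at the expected issuer and account.
    Get-ChildItem -Path WSMan:\localhost\ClientCertificate | ForEach-Object {
        $props = @{}
        Get-ChildItem -Path $_.PSPath | ForEach-Object { $props[$_.Name] = $_.Value }
        [pscustomobject]@{
            Name     = $_.Name
            Subject  = $props['Subject']
            Issuer   = $props['Issuer']
            URI      = $props['URI']
            UserName = $props['UserName']
            Enabled  = $props['Enabled']
        }
    }
}

# Usage (placeholder thumbprint; prompt for the password rather than embedding it):
$pw = Read-Host -Prompt 'New password' -AsSecureString
Reset-WSManCertificateMapping -UserName 'Administrator' -NewPassword $pw `
    -Subject 'admin@localhost' -IssuerThumbprint '<ISSUER_CA_THUMBPRINT_PLACEHOLDER>'
```

After the function returns, the check a practitioner wants is a connection from the client host that uses the certificate and no password, for example `Invoke-Command -ComputerName <host> -UseSSL -CertificateThumbprint <client-cert-thumbprint> -ScriptBlock { whoami }`; if that succeeds but a password logon fails, the mapping was re-created correctly and the remaining problem is elsewhere. Because the mapping embeds the account credential, treat every password rotation for a certificate-mapped account as a two-step change and schedule them together; a password change made through any other path (GPO, a helpdesk reset, `net user`) will silently break certificate logon until this function or the equivalent commands run again.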
