PowerShell Remoting / Certificate Auth / Changing Passwords


This topic contains 2 replies, has 2 voices, and was last updated by  Aftab Hussain 4 years ago.

  • Author
  • #19707

    Aftab Hussain

    I've set up an image with PowerShell remoting enabled over HTTPS and using certificate auth; any machines deployed with this image will be in a workgroup. I assumed certificate auth would work similarly in concept to SSH keys, so that a certificate would be bound to the user account regardless of the password. What I've found is that if I change the password after configuring certificate auth, I can no longer connect. The only way to fix this is to delete the WSMan config for the client certificate and re-issue the command to bind the client cert with the new password.

    Is there any way around this?

  • #19708

    Don Jones

    You need to give some more detail on what you're using the certificate for.

    Is this an SSL certificate being used to secure the WS-MAN endpoint?

    Or is the certificate being used to authenticate an incoming user, instead of relying on a password?

    I suspect you're referring to the latter. If that's the case, I'm not aware of a workaround. The certificate store isn't set up in a way that facilitates distributing certificates via a master image, in the way you seem to be describing.

  • #19722

    Aftab Hussain

    Yes, that's correct, it's the latter. The problem isn't related to the image being a master; I originally saw the error after my final sysprep. I then tested without a sysprep, so assume a standard machine with PowerShell configured over HTTPS. Client auth certificate works fine, but as soon as I change the password on the administrator's account, the one I used to bind the certificate, remote PowerShell stops working. Running the following lines fixes the issue, until the password is changed again:

    # Build a credential object from the account's new password
    $Username = 'Administrator'
    $adminPass = ConvertTo-SecureString 'Mynewpassword1' -AsPlainText -Force
    $Credentials = New-Object System.Management.Automation.PSCredential -ArgumentList $Username, $adminPass
    # Remove the existing client certificate mapping(s)
    del wsman:\localhost\ClientCertificate\ClientCertificate_* -recurse
    # Re-create the mapping so it is bound to the new credential
    New-Item -Path WSMan:\localhost\ClientCertificate -Credential $Credentials -Subject admin@localhost -URI * -Issuer 415E12063261DCEF7724C98FF972C0ABABAB1212 -Force

    Note: The 'del wsman' is from memory so may be a little off in the target path.
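
The rebind step from the post above, combined with the password change so the two happen together, as an added example that is not part of the original thread. The function name is hypothetical; it assumes PowerShell 5.1 or later (for `Set-LocalUser`), an elevated session, and that each mapping exposes `Subject`, `Issuer`, `URI` and `UserName` child items with the user name stored exactly as it was supplied when the mapping was created.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): rotate a local account's password and
# re-create its WinRM client certificate mappings in one operation.
# Reset-CertMappedPassword is a hypothetical name.
function Reset-CertMappedPassword {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]       $UserName,
        [Parameter(Mandatory)] [securestring] $NewPassword
    )

    $root = 'WSMan:\localhost\ClientCertificate'

    # Snapshot Subject/Issuer/URI of every mapping bound to this account
    # before anything is deleted, so the rebind reuses the same values.
    $mappings = foreach ($entry in Get-ChildItem -Path $root) {
        $leaf = @{}
        Get-ChildItem -Path "$root\$($entry.Name)" |
            ForEach-Object { $leaf[$_.Name] = $_.Value }
        if ($leaf['UserName'] -eq $UserName) {
            [pscustomobject]@{
                Name    = $entry.Name
                Subject = $leaf['Subject']
                Issuer  = $leaf['Issuer']
                URI     = $leaf['URI']
            }
        }
    }
    if (-not $mappings) {
        throw "No client certificate mapping found for '$UserName'."
    }

    if ($PSCmdlet.ShouldProcess($UserName, 'Change password and rebind certificate mappings')) {
        # Change the password first; the mapping is then created with the new credential.
        Set-LocalUser -Name $UserName -Password $NewPassword
        $cred = New-Object System.Management.Automation.PSCredential -ArgumentList $UserName, $NewPassword
        foreach ($m in $mappings) {
            Remove-Item -Path "$root\$($m.Name)" -Recurse -Force
            New-Item -Path $root -Credential $cred -Subject $m.Subject `
                -Issuer $m.Issuer -URI $m.URI -Force | Out-Null
        }
    }
}

# Usage: prompt for the password instead of embedding it in the script.
# Reset-CertMappedPassword -UserName 'Administrator' -NewPassword (Read-Host -AsSecureString 'New password')
```

Run it with `-WhatIf` first to confirm which account would be touched; no password or mapping is changed in that mode.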
