October 15, 2014 at 7:37 am #19707
I've set up an image with PowerShell remoting enabled over HTTPS and using certificate auth; any machines deployed with this image will be in a workgroup. I assumed certificate auth would work similar in concept to SSH keys, so that a certificate would be bound to the user account regardless of the password. What I've found is that if I change the password after configuring certificate auth, I can no longer connect. The only way to fix this is to delete the WSMan config for the client certificate and re-issue the command to bind the client cert with the new password.
Is there any way around this?
October 15, 2014 at 7:49 am #19708
You need to give some more detail on what you're using the certificate for.
Is this an SSL certificate being used to secure the WS-MAN endpoint?
Or is the certificate being used to authenticate an incoming user, instead of relying on a password?
I suspect you're referring to the latter. If that's the case, I'm not aware of a workaround. The certificate store isn't set up in a way that facilitates distributing certificates via a master image, in the way you seem to be describing.
October 15, 2014 at 11:12 am #19722
Yes, that's correct, it's the latter. The problem isn't related to the image being a master; I originally saw the error after my final sysprep. I then tested without a sysprep, so assume a standard machine with PowerShell configured over HTTPS. Client auth certificate works fine, but as soon as I change the password on the Administrator account, the one I used to bind the certificate, remote PowerShell stops working. Running the following lines fixes the issue, until the password is changed again:

```powershell
# Credential for the local account the client certificate is mapped to,
# built with the account's NEW password.
$Username = 'Administrator'
$adminPass = ConvertTo-SecureString 'Mynewpassword1' -AsPlainText -Force
$Credentials = New-Object System.Management.Automation.PSCredential -ArgumentList $Username, $adminPass

# Remove the existing client-certificate mapping(s) under the WSMan provider.
del wsman:\localhost\ClientCertificate\ClientCertificate_* -recurse

# Re-create the mapping: certificate subject -> local account, for any URI,
# trusting certificates issued by the CA with the given thumbprint.
New-Item -Path WSMan:\localhost\ClientCertificate -Credential $Credentials -Subject admin@localhost -URI * -Issuer 415E12063261DCEF7724C98FF972C0ABABAB1212 -Force
```
Note: The 'del wsman' is from memory so may be a little off in the target path.
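The behaviour described in this thread follows from how the WSMan client-certificate mapping works: the mapping stores the local account's username and password, and WinRM uses that stored password to log the caller on once the certificate matches. The mapping is therefore invalid as soon as the account's password changes, which is why the SSH-key analogy does not hold. The script below is an added example, not code from the thread, that packages the re-binding step into a function: it finds the existing mapping(s) for a given certificate subject, removes them, re-creates the mapping with the account's current credential, and offers a check that the HTTPS listener accepts the client certificate. The subject `admin@localhost`, the account name `Administrator`, the `<CA-THUMBPRINT>` and `<CLIENT-CERT-THUMBPRINT>` values, and the default HTTPS port are assumptions or placeholders to be replaced with the values from your own setup.

```powershell
# Added example (not from the thread): rebuild the WinRM client-certificate
# mapping after the mapped local account's password has changed.
function Update-WSManClientCertMapping {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Subject,          # subject (UPN) in the client cert, e.g. admin@localhost
        [Parameter(Mandatory)][string]$IssuerThumbprint, # thumbprint of the CA that issued the client cert
        [Parameter(Mandatory)][pscredential]$Credential, # local account, with its CURRENT password
        [string]$Uri = '*'                               # resource URI the mapping applies to
    )

    $root = 'WSMan:\localhost\ClientCertificate'

    # Each mapping is a container ClientCertificate_<n> whose leaf items include
    # Subject, URI, Issuer and UserName. Select the mapping(s) for this subject only,
    # so mappings for other accounts on the machine are left alone.
    $stale = Get-ChildItem $root | Where-Object {
        (Get-Item "$root\$($_.Name)\Subject").Value -eq $Subject
    }

    foreach ($mapping in $stale) {
        if ($PSCmdlet.ShouldProcess($mapping.Name, "Remove client certificate mapping for $Subject")) {
            Remove-Item "$root\$($mapping.Name)" -Recurse -Force
        }
    }

    # Re-create the mapping against the account's current password. The password is
    # stored with the mapping, so this step must be repeated after every password change.
    New-Item -Path $root -Subject $Subject -URI $Uri -Issuer $IssuerThumbprint `
             -Credential $Credential -Force
}

# Confirms that the HTTPS listener accepts a logon with the client certificate.
# Test-WSMan throws if the mapping or the listener rejects the certificate.
function Test-ClientCertLogon {
    param(
        [Parameter(Mandatory)][string]$ClientCertThumbprint, # thumbprint of the CLIENT cert in Cert:\CurrentUser\My
        [string]$ComputerName = 'localhost',
        [int]$Port = 5986                                    # default WinRM HTTPS port (assumption)
    )
    Test-WSMan -ComputerName $ComputerName -Port $Port -UseSSL `
               -Authentication ClientCertificate -CertificateThumbprint $ClientCertThumbprint
}

# Example usage (placeholder values). Prompting avoids leaving the new password
# in a script or in the shell history; -WhatIf previews which mappings would be removed.
$cred = Get-Credential -UserName 'Administrator' -Message 'Enter the account''s current password'
Update-WSManClientCertMapping -Subject 'admin@localhost' -IssuerThumbprint '<CA-THUMBPRINT>' `
                              -Credential $cred -WhatIf
# After a real run (without -WhatIf):
# Test-ClientCertLogon -ClientCertThumbprint '<CLIENT-CERT-THUMBPRINT>'
```

Filtering on the `Subject` leaf rather than wildcarding `ClientCertificate_*` matters on a host that maps several certificates to several local accounts: only the mapping whose account password changed is dropped. Running the function with `-WhatIf` first shows exactly which mapping would be removed before anything is changed.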