Problem with certbased authentication at powershell remoting

Welcome Forums General PowerShell Q&A Problem with certbased authentication at powershell remoting

This topic contains 7 replies, has 2 voices, and was last updated by

4 years, 6 months ago.

  • Author
  • #18940

    Points: 0
    Rank: Member


    I'm looking for some help at a problem to manage a couple of servers outside of our domain with powershell remoting.

    I followed the guide "Secrets of PowerShell Remoting" and configured a https-listener and the listener works.

    I can establish a connection via SSL with a local user:

    PS C:\Users\adm_cbrumm\Documents> $session = New-PSSession -ComputerName server.fqdn -Credential "HBGERPV001\fct_psr_Admin" -UseSSL
    PS C:\Users\adm_cbrumm\Documents> Enter-PSSession -Session $session
    [server.fqdn]: PS C:\Users\fct_psr_ADMIN\Documents>

    Then I created an user-cert and imported it in the Trusted People Store:

    [server.fqdn]: PS C:\Users\fct_psr_ADMIN\Documents> Get-ChildItem Cert:\LocalMachine\TrustedPeople
        Directory: Microsoft.PowerShell.Security\Certificate::LocalMachine\TrustedPeople
    Thumbprint                                Subject
    ----------                                -------
    D77AC0C0E6AC433ADB822C7E82663638B730552C  CN=psr_Admin Function, OU=QSC, OU=FCT, OU=ACCOUNTS, OU=CENTRAL, DC=***...

    and I imported the cert of the issuing-ca:

    [server.fqdn]: PS C:\Users\fct_psr_ADMIN\Documents> Get-ChildItem Cert:\LocalMachine\CA | where { $_.Subject -match 'PKP'}
        Directory: Microsoft.PowerShell.Security\Certificate::LocalMachine\CA
    Thumbprint                                Subject
    ----------                                -------
    557A8CE0C284DDE39CB0B6724B07B0C0D83EE086  CN=***-***-CA, DC=***, DC=LAN

    And enabled Certbased Auth:

    [server.fqdn]: PS C:\Users\fct_psr_ADMIN\Documents> get-item -path WSMan:\localhost\Service\Auth\Certificate
       WSManConfig: Microsoft.WSMan.Management\WSMan::localhost\Service\Auth
    Type            Name                           SourceOfValue   Value
    ----            ----                           -------------   -----
    System.String   Certificate                                    true

    I created a mapping (the wildcard in subject came in while debugging):

    [server.fqdn]: PS C:\Users\fct_psr_ADMIN\Documents> Get-Item -Path WSMan:\localhost\ClientCertificate\ClientCertificate_479242521 | fl *
    PSPath            : Microsoft.WSMan.Management\WSMan::localhost\ClientCertificate\ClientCertificate_479242521
    PSParentPath      : Microsoft.WSMan.Management\WSMan::localhost\ClientCertificate
    PSChildName       : ClientCertificate_479242521
    PSDrive           : WSMan
    PSProvider        : Microsoft.WSMan.Management\WSMan
    PSIsContainer     : True
    Keys              : {URI=*, Issuer=557A8CE0C284DDE39CB0B6724B07B0C0D83EE086, Subject=*}
    Name              : ClientCertificate_479242521
    TypeNameOfElement : Container
    Type              : Container

    and tried to connect ...

    PS C:\Users\adm_cbrumm\Documents> $session = New-PSSession -ComputerName server.fqdn -CertificateThumbprint D77AC0C0E6AC433ADB822C7E82663638B730552C
    New-PSSession : [server.fqdn] Connecting to remote server server.fqdn failed
    with the following error message : The WinRM client cannot process the request. The destination computer
    (server.fqdn:5986) returned an 'access denied' error. Specify one of the authentication
    mechanisms supported by the server. If Kerberos mechanism is used, verify that the client computer and the destination
    computer are joined to a domain. Possible authentication mechanisms reported by server:     Negotiate Kerberos
    ClientCerts For more information, see the about_Remote_Troubleshooting Help topic.
    At line:1 char:12
    + $session = New-PSSession -ComputerName server.fqdn -Certifi ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotin
        + FullyQualifiedErrorId : AccessDenied,PSSessionOpenFailed

    After a whole day of controlling every step I have no idea what to do next ...

    Thanks for your help!

  • #18944

    Points: 0
    Rank: Member

    From what I can see here, it looks like you're doing things correctly. Just to double check, please run the following commands and let me know their output:

    # On server.fqdn:
    (Get-Item Cert:\LocalMachine\TrustedPeople\D77AC0C0E6AC433ADB822C7E82663638B730552C).HasPrivateKey
    # On the client computer:
    (Get-Item Cert:\CurrentUser\My\D77AC0C0E6AC433ADB822C7E82663638B730552C).HasPrivateKey

    If all is set up properly, you should get a result of $false on the server and $true on the client computer. (Neither command should produce an error.)

    Also, when you created the mapping, you did enter the credentials of a local account on server.fqdn which has Administrator rights, correct? You can't use a domain account with certificate authentication.

  • #18976

    Points: 0
    Rank: Member

    Hi Dave,

    thanks for your response.

    I checked the private keys and got false on the server and a true on the client.
    For the mapping I tested two local admin accounts (a fresh one and the buildin).

  • #18978

    Points: 0
    Rank: Member

    I'm not sure what's going wrong, then. Since it's an Access Denied error, I would start by checking the Security event log. The PowerShell event logs may also have something useful.

    What operating systems and PowerShell versions are you using for the client and server? If I have some time, I'll try spinning up a new test environment to see if I can reproduce the problem.

  • #18979

    Points: 0
    Rank: Member

    Hi Dave,

    I think my problem is solved ... I have no idea why but now it works ...
    For a deeper look I just enabled more logging (described here: started a trace and it works ....

    Are there any caches involved? Maybe the Thumbprint check of the issuing CA?

    I will go on rolling out that config on the other machines and see if it happens again.

    Thanks for your help!

  • #19015

    Points: 0
    Rank: Member

    This is a very strange behaviour .... we reproduced it on two additional machines and it takes a couple of hours to work.
    We can handle this but we are really interrested in the reason ... any ideas?

  • #19018

    Points: 0
    Rank: Member

    Are you generating new certificates at the time you reproduce the problem? Maybe you've got something quirky happening like the certificate's NotBefore value is set for 2-3 hours in the future (perhaps due to confusion over time zones in the cert request, or something along those lines.) Or, does the account that the certificate maps to have any logon time restrictions?

    I'm kind of grasping at straws here. Off the top of my head, I can't think of any other reason a certificate auth might give you "Access Denied", then suddenly start working with no change on your part.

  • #19061

    Points: 0
    Rank: Member

    Hi Dave,

    fortunately we have some more server to configure ... so we could test a lot in the last days.

    Our Problem was the following:

    – We are using a two-tiered PKI and the usercert for authentication is issued by the issuing CA.
    At the initial configuration we had only imported the cert of the issuing CA in cert:\localmachine\CA but it seems to be necessary that the root cert is imported too.
    – If the root cert is not present the server sends an access denied and caches it – so the root cert has to be imported before the first connection attempt.

    I've attached the script we are now using to connect our standalone systems to the central scripting host. (some more comments would be great i know ....)
    Maybe this is helpful for anybody.

    Thanks for your help

The topic ‘Problem with certbased authentication at powershell remoting’ is closed to new replies.

denizli escort samsun escort muğla escort ataşehir escort kuşadası escort