Problem with certbased authentication at powershell remoting

This topic contains 7 replies, has 2 voices, and was last updated by Profile photo of Christopher Brumm Christopher Brumm 2 years, 2 months ago.

  • Author
    Posts
  • #18940
    Profile photo of Christopher Brumm
    Christopher Brumm
    Participant

    Hi,

    I'm looking for some help at a problem to manage a couple of servers outside of our domain with powershell remoting.

    I followed the guide "Secrets of PowerShell Remoting" and configured a https-listener and the listener works.

    I can establish a connection via SSL with a local user:

    PS C:\Users\adm_cbrumm\Documents> $session = New-PSSession -ComputerName server.fqdn -Credential "HBGERPV001\fct_psr_Admin" -UseSSL
    PS C:\Users\adm_cbrumm\Documents> Enter-PSSession -Session $session
    [server.fqdn]: PS C:\Users\fct_psr_ADMIN\Documents>
    

    Then I created an user-cert and imported it in the Trusted People Store:

    [server.fqdn]: PS C:\Users\fct_psr_ADMIN\Documents> Get-ChildItem Cert:\LocalMachine\TrustedPeople
    
        Directory: Microsoft.PowerShell.Security\Certificate::LocalMachine\TrustedPeople
    
    Thumbprint                                Subject
    ----------                                -------
    D77AC0C0E6AC433ADB822C7E82663638B730552C  CN=psr_Admin Function, OU=QSC, OU=FCT, OU=ACCOUNTS, OU=CENTRAL, DC=***...
    

    and I imported the cert of the issuing-ca:

    [server.fqdn]: PS C:\Users\fct_psr_ADMIN\Documents> Get-ChildItem Cert:\LocalMachine\CA | where { $_.Subject -match 'PKP'}
    
        Directory: Microsoft.PowerShell.Security\Certificate::LocalMachine\CA
    
    Thumbprint                                Subject
    ----------                                -------
    557A8CE0C284DDE39CB0B6724B07B0C0D83EE086  CN=***-***-CA, DC=***, DC=LAN
    

    And enabled Certbased Auth:

    [server.fqdn]: PS C:\Users\fct_psr_ADMIN\Documents> get-item -path WSMan:\localhost\Service\Auth\Certificate
    
       WSManConfig: Microsoft.WSMan.Management\WSMan::localhost\Service\Auth
    
    Type            Name                           SourceOfValue   Value
    ----            ----                           -------------   -----
    System.String   Certificate                                    true
    

    I created a mapping (the wildcard in subject came in while debugging):

    [server.fqdn]: PS C:\Users\fct_psr_ADMIN\Documents> Get-Item -Path WSMan:\localhost\ClientCertificate\ClientCertificate_479242521 | fl *
    
    PSPath            : Microsoft.WSMan.Management\WSMan::localhost\ClientCertificate\ClientCertificate_479242521
    PSParentPath      : Microsoft.WSMan.Management\WSMan::localhost\ClientCertificate
    PSChildName       : ClientCertificate_479242521
    PSDrive           : WSMan
    PSProvider        : Microsoft.WSMan.Management\WSMan
    PSIsContainer     : True
    Keys              : {URI=*, Issuer=557A8CE0C284DDE39CB0B6724B07B0C0D83EE086, Subject=*}
    Name              : ClientCertificate_479242521
    TypeNameOfElement : Container
    Type              : Container
    

    and tried to connect ...

    PS C:\Users\adm_cbrumm\Documents> $session = New-PSSession -ComputerName server.fqdn -CertificateThumbprint D77AC0C0E6AC433ADB822C7E82663638B730552C
    New-PSSession : [server.fqdn] Connecting to remote server server.fqdn failed
    with the following error message : The WinRM client cannot process the request. The destination computer
    (server.fqdn:5986) returned an 'access denied' error. Specify one of the authentication
    mechanisms supported by the server. If Kerberos mechanism is used, verify that the client computer and the destination
    computer are joined to a domain. Possible authentication mechanisms reported by server:     Negotiate Kerberos
    ClientCerts For more information, see the about_Remote_Troubleshooting Help topic.
    At line:1 char:12
    + $session = New-PSSession -ComputerName server.fqdn -Certifi ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotin
       gTransportException
        + FullyQualifiedErrorId : AccessDenied,PSSessionOpenFailed
    

    After a whole day of controlling every step I have no idea what to do next ...

    Thanks for your help!
    Chris

  • #18944
    Profile photo of Dave Wyatt
    Dave Wyatt
    Moderator

    From what I can see here, it looks like you're doing things correctly. Just to double check, please run the following commands and let me know their output:

    # On server.fqdn:
    
    (Get-Item Cert:\LocalMachine\TrustedPeople\D77AC0C0E6AC433ADB822C7E82663638B730552C).HasPrivateKey
    
    # On the client computer:
    
    (Get-Item Cert:\CurrentUser\My\D77AC0C0E6AC433ADB822C7E82663638B730552C).HasPrivateKey
    

    If all is set up properly, you should get a result of $false on the server and $true on the client computer. (Neither command should produce an error.)

    Also, when you created the mapping, you did enter the credentials of a local account on server.fqdn which has Administrator rights, correct? You can't use a domain account with certificate authentication.

  • #18976
    Profile photo of Christopher Brumm
    Christopher Brumm
    Participant

    Hi Dave,

    thanks for your response.

    I checked the private keys and got false on the server and a true on the client.
    For the mapping I tested two local admin accounts (a fresh one and the buildin).

  • #18978
    Profile photo of Dave Wyatt
    Dave Wyatt
    Moderator

    I'm not sure what's going wrong, then. Since it's an Access Denied error, I would start by checking the Security event log. The PowerShell event logs may also have something useful.

    What operating systems and PowerShell versions are you using for the client and server? If I have some time, I'll try spinning up a new test environment to see if I can reproduce the problem.

  • #18979
    Profile photo of Christopher Brumm
    Christopher Brumm
    Participant

    Hi Dave,

    I think my problem is solved ... I have no idea why but now it works ...
    For a deeper look I just enabled more logging (described here: http://windowsitpro.com/blog/tools-troubleshooting-powershell-remoting-and-winrm-part-2) started a trace and it works ....

    Are there any caches involved? Maybe the Thumbprint check of the issuing CA?

    I will go on rolling out that config on the other machines and see if it happens again.

    Thanks for your help!

  • #19015
    Profile photo of Christopher Brumm
    Christopher Brumm
    Participant

    This is a very strange behaviour .... we reproduced it on two additional machines and it takes a couple of hours to work.
    We can handle this but we are really interrested in the reason ... any ideas?

  • #19018
    Profile photo of Dave Wyatt
    Dave Wyatt
    Moderator

    Are you generating new certificates at the time you reproduce the problem? Maybe you've got something quirky happening like the certificate's NotBefore value is set for 2-3 hours in the future (perhaps due to confusion over time zones in the cert request, or something along those lines.) Or, does the account that the certificate maps to have any logon time restrictions?

    I'm kind of grasping at straws here. Off the top of my head, I can't think of any other reason a certificate auth might give you "Access Denied", then suddenly start working with no change on your part.

  • #19061
    Profile photo of Christopher Brumm
    Christopher Brumm
    Participant

    Hi Dave,

    fortunately we have some more server to configure ... so we could test a lot in the last days.

    Our Problem was the following:

    – We are using a two-tiered PKI and the usercert for authentication is issued by the issuing CA.
    At the initial configuration we had only imported the cert of the issuing CA in cert:\localmachine\CA but it seems to be necessary that the root cert is imported too.
    – If the root cert is not present the server sends an access denied and caches it – so the root cert has to be imported before the first connection attempt.

    I've attached the script we are now using to connect our standalone systems to the central scripting host. (some more comments would be great i know ....)
    Maybe this is helpful for anybody.

    Thanks for your help
    Chris

You must be logged in to reply to this topic.