Remoting with CredSSP to non-trust domain

This topic contains 4 replies, has 3 voices, and was last updated by Michael Craig 1 year, 9 months ago.

  • #22661
    Michael Craig
    Participant

    Hello,

    I have been successful at getting PS Remoting to work between untrusted domains, Yaay!! However, I can't figure out how to enable CredSSP.
    CredSSP is working great for me within the same domain.
    I've created an SSL endpoint on the target server, but still cannot connect, as per below:
    I have every WinRM trust setting imaginable set to WSMAN/*.lab.testing.com, on the client machine.

    [b]Works:[/b]
    $sessOption = New-PSSessionOption -SkipRevocationCheck
    New-PSSession -Authentication Default -Credential $credentials -SessionOption $sessOption -ComputerName srv004.lab.testing.com

    [b]Fails:[/b]
    $sessOption = New-PSSessionOption -SkipRevocationCheck
    New-PSSession -Authentication credssp -Credential $credentials -SessionOption $sessOption -ComputerName srv004.lab.testing.com

    [b]Error:[/b]
    New-PSSession : [srv004.lab.testing.com] Connecting to remote server srv004.lab.testing.com failed with the following error message : The WinRM client cannot process the request. A
    computer policy does not allow the delegation of the user credentials to the target computer because the computer is not trusted. The identity of the target computer can be verified if you configure
    the WSMAN service to use a valid certificate using the following command: winrm set winrm/config/service '@{CertificateThumbprint=""}' Or you can check the Event Viewer for an event
    that specifies that the following SPN could not be created: WSMAN/. If you find this event, you can manually create the SPN using setspn.exe . If the SPN exists, but CredSSP cannot
    use Kerberos to validate the identity of the target computer and you still want to allow the delegation of the user credentials to the target computer, use gpedit.msc and look at the following
    policy:[b] Computer Configuration -> Administrative Templates -> System -> Credentials Delegation -> Allow Fresh Credentials with NTLM-only Server Authentication[/b]. Verify that it is enabled and
    configured with an SPN appropriate for the target computer. For example, for a target computer name "myserver.domain.com", the SPN can be one of the following: WSMAN/myserver.domain.com or
    WSMAN/*.domain.com. Try the request again after these changes. For more information, see the about_Remote_Troubleshooting Help topic.

    [b]Fails:[/b]
    New-PSSession -Authentication credssp -Credential $credentials -ComputerName chelwebvci004.cctlab.expecn.com -UseSSL

    [b]Error:[/b]
    The SSL certificate could not be checked for revocation. The server used to check for revocation might be unreachable.

    [b]Fails:[/b]
    $sessOption = New-PSSessionOption -SkipRevocationCheck
    New-PSSession -Authentication credssp -Credential $credentials -ComputerName chelwebvci004.cctlab.expecn.com -UseSSL -SessionOption $sessOption

    Any help is appreciated, thanks!

  • #22662
    Don Jones
    Keymaster

    Well, the error message seems pretty clear. I know I'm going to sound like a jerk. But what it wants is a trusted certificate on the server that you were trying to connect to, because it doesn't have Kerberos to verify the identity. Or am I not getting your question in my head? If not, sorry – try again, it's been a day!

  • #22663
    Michael Craig
    Participant

    Doh!

    I had tried that command before, but this was my usage:
    winrm set winrm/config/service @{CertificateThumbprint=""}

    Looks like after re-reading the error message I was missing the single quotes around the @:
    winrm set winrm/config/service '@{CertificateThumbprint=""}'

    Now I have set this on the target server and my client

    When connecting I got:

    New-PSSession : [] Connecting to remote server srv004.lab.testing.com failed with the following error message : The WinRM client received an HTTP server error
    status (500), but the remote service did not include any other information about the cause of the failure. For more information, see the about_Remote_Troubleshooting Help topic.

    I just gave Everyone read access to the cert, and here is the winrm configuration.

    Service
        RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
        MaxConcurrentOperations = 4294967295
        MaxConcurrentOperationsPerUser = 1500
        EnumerationTimeoutms = 240000
        MaxConnections = 300
        MaxPacketRetrievalTimeSeconds = 120
        AllowUnencrypted = false
        Auth
            Basic = false
            Kerberos = true
            Negotiate = true
            Certificate = false
            CredSSP = true
            CbtHardeningLevel = Relaxed
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        IPv4Filter = * [Source="GPO"]
        IPv6Filter = * [Source="GPO"]
        EnableCompatibilityHttpListener = true [Source="GPO"]
        EnableCompatibilityHttpsListener = false
        CertificateThumbprint = 9267198CA389DCC3C96582742D406A96792E8CEA
        AllowRemoteAccess = true [Source="GPO"]

    [b]However, now I'm back to:[/b]
    New-PSSession : [srv004.lab.testing.com] Connecting to remote server srv004.lab.testing.com failed with the following error message : The WinRM client cannot process the request. A
    computer policy does not allow the delegation of the user credentials to the target computer because the computer is not trusted. The identity of the target computer can be verified if you configure
    the WSMAN service to use a valid certificate using the following command: winrm set winrm/config/service '@{CertificateThumbprint=""}' Or you can check the Event Viewer for an event
    that specifies that the following SPN could not be created: WSMAN/. If you find this event, you can manually create the SPN using setspn.exe . If the SPN exists, but CredSSP cannot
    use Kerberos to validate the identity of the target computer and you still want to allow the delegation of the user credentials to the target computer, use gpedit.msc and look at the following
    policy: Computer Configuration -> Administrative Templates -> System -> Credentials Delegation -> Allow Fresh Credentials with NTLM-only Server Authentication. Verify that it is enabled and
    configured with an SPN appropriate for the target computer. For example, for a target computer name "myserver.domain.com", the SPN can be one of the following: WSMAN/myserver.domain.com or
    WSMAN/*.domain.com. Try the request again after these changes. For more information, see the about_Remote_Troubleshooting Help topic.
    At line:1 char:13

  • #22671
    Dave Wyatt
    Moderator

    Have you checked that Group Policy setting that you bolded in the original post? (I assume so; just checking.)

  • #22678
    Michael Craig
    Participant

    Thanks Dave:

    oh. frustrating. I had it set with:
    WSMAN/*.lab.testing.com

    and it wasn't working,

    I set it to:
    WSMAN/*

    and now it works.

    WTH! Why doesn't the wildcard work? For the -computername argument, I'm always using the FQDN.
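The thread ends with the delegation policy set to WSMAN/*, which makes the connection work but also tells CredSSP it may hand the user's fresh (plaintext) credentials to any host that presents a WinRM endpoint, not just srv004.lab.testing.com. The script below is an added example (not code from the thread or from PowerShell.org) for auditing that policy from the client side: it reads the "Allow Fresh Credentials with NTLM-only Server Authentication" entries from the registry location the CredSSP ADMX writes them to, shows which entry would match a given target FQDN, and flags entries whose host part is only a wildcard. The function and parameter names are my own, and the sample entry list at the bottom is constructed to mirror the two values tried in the thread.

```powershell
# Added example, not part of the original thread. Audits the client-side CredSSP
# policy "Allow Fresh Credentials with NTLM-only Server Authentication".

function Test-CredSspDelegationScope {
    [CmdletBinding()]
    param(
        # SPN patterns as they appear in the policy, e.g. 'WSMAN/*.lab.testing.com'
        [Parameter(Mandatory)][string[]]$Entries,
        # Host you intend to pass to -ComputerName (use the FQDN, as the thread does)
        [Parameter(Mandatory)][string]$TargetFqdn
    )
    $targetSpn = "WSMAN/$TargetFqdn"
    foreach ($entry in $Entries) {
        # Lexical, case-insensitive wildcard comparison (PowerShell -like);
        # it shows which entry is intended to cover the target.
        $isMatch  = $targetSpn -like $entry
        $hostPart = ($entry -split '/', 2)[-1]
        [pscustomobject]@{
            Entry         = $entry
            MatchesTarget = $isMatch
            # '*' or 'WSMAN/*' delegates fresh credentials to every host: treat as a finding
            Broad         = ($hostPart -eq '*')
        }
    }
}

function Get-CredSspNtlmOnlyEntries {
    # The GPO writes a DWORD enable flag plus a subkey whose values "1", "2", ...
    # hold the allowed SPN patterns (CredSsp.admx).
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
    $prop = Get-ItemProperty -Path $policyKey -Name AllowFreshCredentialsWhenNTLMOnly -ErrorAction SilentlyContinue
    if (-not $prop -or $prop.AllowFreshCredentialsWhenNTLMOnly -ne 1) { return @() }

    $listKey = Join-Path $policyKey 'AllowFreshCredentialsWhenNTLMOnly'
    if (-not (Test-Path $listKey)) { return @() }

    $item = Get-Item -Path $listKey
    $item.GetValueNames() |
        Where-Object { $_ -match '^\d+$' } |
        ForEach-Object { [string]$item.GetValue($_) }
}

# Constructed sample: the narrow entry tried first in the thread and the wildcard that "worked".
$sampleEntries = @('WSMAN/*.lab.testing.com', 'WSMAN/*')
Test-CredSspDelegationScope -Entries $sampleEntries -TargetFqdn 'srv004.lab.testing.com' | Format-Table -AutoSize

# Live audit of the machine this runs on (the CredSSP client); requires read access to HKLM policies.
$liveEntries = Get-CredSspNtlmOnlyEntries
if ($liveEntries) {
    Test-CredSspDelegationScope -Entries $liveEntries -TargetFqdn 'srv004.lab.testing.com' | Format-Table -AutoSize
} else {
    'AllowFreshCredentialsWhenNTLMOnly is not enabled on this client, or the entry list is empty.'
}
```

For the constructed sample the first row reports MatchesTarget = True and Broad = False, the second MatchesTarget = True and Broad = True. Rows with Broad = True are the ones to narrow down once the connection is working: with NTLM-only server authentication the client cannot confirm the server's identity through Kerberos, so the SPN list is the only thing limiting where a user's full credentials can be delegated.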
