Server Core Remoting with Credssp

This topic contains 3 replies, has 3 voices, and was last updated by Jon Mattivi 3 weeks, 4 days ago.

  • #97358

    Jon Mattivi
    Participant

    Hello,

    Is there any known issue with using credssp auth from a 2016 Core as the client remoting to a 2008 R2 as the server? The 2008 box is delegated from the Core client.

    I am getting the following error....

    Connecting to remote server SERVER2008 failed with the following error
    message : The request is not supported. For more information, see the about_Remote_Troubleshooting Help topic.
        + CategoryInfo          : OpenError: (SERVER2008:String) [], PSRemotingTransportException
        + FullyQualifiedErrorId : 50,PSSessionStateBroken
    

    I am able to remote with credssp from the 2016 Core to another 2016 Core.

    I am able to remote with kerberos auth from the same 2016 Core server to the 2008 R2 server.

    I am able to remote with credssp from a Win10 client to the same 2008 R2 server.

    Thanks!
    Jon

  • #97359

    Don Jones
    Keymaster

    Nothing I've heard of. You did the sensible thing in that last check, because otherwise I'd say "make sure CredSSP is enabled." We'll see if anyone else jumps in.

    FWIW, CredSSP has been a bit of a hassle for several older versions of Windows, largely around RDP, which also uses it. The general recommendation these days is to set up Kerberos delegation instead.

  • #97364

    Alex Aymonier
    Participant

    Check out this article from Ashley McGlone:
    PowerShell Remoting Kerberos Double Hop Solved Securely

  • #97551

    Jon Mattivi
    Participant

    Thank you for the suggestions. Not sure if the root cause may be some hardening setting as I tried a different 2008R2 system with the same results.

    Unfortunately, Kerberos constrained delegation is out as we don't have the infrastructure to support it yet.

    I'll be going the $using:creds route since this is a one-off use case.

    Life will be so much easier once 2008 hits end of support... Thanks again!
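
The `$using:creds` approach mentioned in the last post, sketched as an added example (not code from any participant in this thread). `SERVER2008` is the first hop named in the thread; `FILESERVER01` is a hypothetical second-hop machine, and the first hop is assumed to accept default (Kerberos) authentication as described in the original question.

```powershell
# Hypothetical names: SERVER2008 is the first hop from the thread,
# FILESERVER01 is a placeholder for whatever the second hop needs to reach.
$firstHop  = 'SERVER2008'
$secondHop = 'FILESERVER01'

# Prompt once on the client; the password is held as a SecureString.
$cred = Get-Credential -Message "Account to use for the second hop to $secondHop"

# First hop: default authentication, no CredSSP enabled on either side.
$result = Invoke-Command -ComputerName $firstHop -ScriptBlock {
    # $using: copies the client-side variables into this remote session.
    $c      = $using:cred
    $target = $using:secondHop

    try {
        # Second hop: authenticate explicitly with the passed credential
        # instead of relying on the first hop delegating the caller's identity.
        Invoke-Command -ComputerName $target -Credential $c -ErrorAction Stop -ScriptBlock {
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                RunAs    = [Security.Principal.WindowsIdentity]::GetCurrent().Name
                Error    = $null
            }
        }
    }
    catch {
        # Report the failure to the caller rather than breaking the outer session.
        [pscustomobject]@{
            Computer = $target
            RunAs    = $c.UserName
            Error    = $_.Exception.Message
        }
    }
}

# Show where the inner command ran and under which account.
$result | Format-List Computer, RunAs, Error
```

The credential object is usable in memory on the first hop for the life of that session, so the first hop has to be trusted with that account just as it would be under CredSSP. Using an account scoped to the one task limits what that exposure is worth.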
